View Issue Details

ID: 0000717
Project: Xdebug
Category: Uncategorized
View Status: public
Last Update: 2012-02-29 13:16
Reporter: igalic
Assigned To: derick
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: unable to reproduce
Summary: 0000717: fileupload with a notice crashes xdebug
Description: When trying to upload a file, xdebug will (sometimes?) crash.
Additional Information
Core was generated by `/usr/sbin/apache2 -D DEFAULT_VHOST -D ERRORDOCS -D INFO -D LANGUAGE -D SSL -D S'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000038de95727a5 in ?? () from /lib64/libc.so.6
(gdb) where
#0  0x0000038de95727a5 in ?? () from /lib64/libc.so.6
#1  0x0000038de2f17d3e in ?? () from /usr/lib64/apache2/modules/mod_backtrace.so
#2  0x0000000ac11fbc98 in ap_run_fatal_exception (ei=0x38dc80cf760) at mpm_common.c:68
#3  0x0000000ac11fc096 in run_fatal_exception_hook (sig=11) at mpm_common.c:1200
#4  sig_coredump (sig=11) at mpm_common.c:1211
#5  <signal handler called>
#6  0x0000038dde173902 in xdebug_hash_extended_find (h=0xb1ca323230349993, str_key=0xac8474df0 "Notice", str_key_len=6, num_key=0, p=0x38dc80cfcd8) at /var/tmp/portage/dev-php/xdebug-2.1.0-r1/work/php5.3/xdebug_hash.c:207
#7  0x0000038dde177c18 in xdebug_error_cb (type=8, error_filename=0x38de2a10f23 "Unknown", error_lineno=0, format=0x38de29fd37c "No file uploaded", args=0x38dc80cfe60)
    at /var/tmp/portage/dev-php/xdebug-2.1.0-r1/work/php5.3/xdebug_stack.c:565
#8  0x0000038de24c5279 in zend_error (type=8, format=0x38de29fd37c "No file uploaded") at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/Zend/zend.c:1118
#9  0x0000038de242707a in rfc1867_post_handler (content_type_dup=0xac6178528 "multipart/form-data; boundary=", '-' <repeats 27 times>, "7db1f334010a", arg=0xac617a8c0, tsrm_ls=0xac6d5abd0)
    at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/main/rfc1867.c:1039
#10 0x0000038de241fb3e in sapi_handle_post (arg=0xac617a8c0, tsrm_ls=0xac6d5abd0) at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/main/SAPI.c:124
#11 0x0000038de242b15a in php_default_treat_data (arg=0, str=0x0, destArray=0x0, tsrm_ls=0xac6d5abd0) at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/main/php_variables.c:334
#12 0x0000038de221308b in mbstr_treat_data (arg=0, str=0x0, destArray=0x0, tsrm_ls=0xac6d5abd0) at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/ext/mbstring/mb_gpc.c:68
#13 0x0000038de242cba2 in php_hash_environment (tsrm_ls=0xac6d5abd0) at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/main/php_variables.c:684
#14 0x0000038de2410d6b in php_request_startup (tsrm_ls=0xac6d5abd0) at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/main/main.c:1450
#15 0x0000038de25e61c9 in php_apache_request_ctor (r=0xac82dd898, ctx=0xac82df6e8, tsrm_ls=0xac6d5abd0) at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/sapi/apache2handler/sapi_apache2.c:508
#16 0x0000038de25e6a60 in php_handler (r=0xac82dd898) at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/sapi/apache2handler/sapi_apache2.c:624
#17 0x0000000ac11f25ee in ap_run_handler (r=0xac82dd898) at config.c:158
#18 0x0000000ac11f60f3 in ap_invoke_handler (r=0xac82dd898) at config.c:376
#19 0x0000000ac12021d2 in ap_internal_redirect (new_uri=<value optimized out>, r=<value optimized out>) at http_request.c:554
#20 0x0000038de3f66f3d in handler_redirect (r=0xac89c8a10) at mod_rewrite.c:4863
#21 0x0000000ac11f25ee in ap_run_handler (r=0xac89c8a10) at config.c:158
#22 0x0000000ac11f60f3 in ap_invoke_handler (r=0xac89c8a10) at config.c:376
#23 0x0000000ac120238e in ap_process_request (r=0xac89c8a10) at http_request.c:282
#24 0x0000000ac11ff083 in ap_process_http_connection (c=0xac6af7e78) at http_core.c:190
#25 0x0000000ac11fa83b in ap_run_process_connection (c=0xac6af7e78) at connection.c:43
#26 0x0000000ac1208655 in process_socket (thd=<value optimized out>, dummy=<value optimized out>) at worker.c:544
#27 worker_thread (thd=<value optimized out>, dummy=<value optimized out>) at worker.c:894
#28 0x0000038de9a51c0a in start_thread () from /lib64/libpthread.so.0
#29 0x0000038de95b1bed in clone () from /lib64/libc.so.6
(gdb) bt full
#0  0x0000038de95727a5 in ?? () from /lib64/libc.so.6
No symbol table info available.
#1  0x0000038de2f17d3e in ?? () from /usr/lib64/apache2/modules/mod_backtrace.so
No symbol table info available.
#2  0x0000000ac11fbc98 in ap_run_fatal_exception (ei=0x38dc80cf760) at mpm_common.c:68
        pHook = 0xac1716b18
        n = <value optimized out>
        rv = <value optimized out>
#3  0x0000000ac11fc096 in run_fatal_exception_hook (sig=11) at mpm_common.c:1200
        ei = {sig = 11, pid = 18918}
#4  sig_coredump (sig=11) at mpm_common.c:1211
No locals.
#5  <signal handler called>
No symbol table info available.
#6  0x0000038dde173902 in xdebug_hash_extended_find (h=0xb1ca323230349993, str_key=0xac8474df0 "Notice", str_key_len=6, num_key=0, p=0x38dc80cfcd8) at /var/tmp/portage/dev-php/xdebug-2.1.0-r1/work/php5.3/xdebug_hash.c:207
        l = 0xc8e5a0fcf1ac2eab
        le = 0x0
        tmp = {value = {str = {val = 0x38dc80cfe60 "\020", len = 3802205987}, num = 3907481566816}, type = 8}
        slot = 0
#7  0x0000038dde177c18 in xdebug_error_cb (type=8, error_filename=0x38de2a10f23 "Unknown", error_lineno=0, format=0x38de29fd37c "No file uploaded", args=0x38dc80cfe60)
    at /var/tmp/portage/dev-php/xdebug-2.1.0-r1/work/php5.3/xdebug_stack.c:565
        buffer = 0xac6182b48 "No file uploaded"
        error_type_str = 0xac8474df0 "Notice"
        buffer_len = 16
        extra_brk_info = 0x0
        error_handling = EH_NORMAL
        exception_class = 0x5a5a5a5a5a5a5a5a
        tsrm_ls = 0xac6d5abd0
#8  0x0000038de24c5279 in zend_error (type=8, format=0x38de29fd37c "No file uploaded") at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/Zend/zend.c:1118
        args = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x38dc80cff50, reg_save_area = 0x38dc80cfe80}}
        usr_copy = {{gp_offset = 0, fp_offset = 0, overflow_arg_area = 0x23ee2424f35, reg_save_area = 0xe29fd0f8}}
        params = 0x38dc80cfee0
        retval = 0xc8e5a0fcf1ac2eab
        z_error_type = 0x38dc80cfe80
        z_error_message = 0x1f1ac2eab
        z_error_filename = 0x0
        z_error_lineno = 0x1f1ac2eab
        z_context = 0xc6d5abd0
        error_filename = 0x38de2a10f23 "Unknown"
        error_lineno = 0
        orig_user_error_handler = 0xac617c6d0
        in_compilation = 0 '\000'
        saved_class_entry = 0x38de2407a55
        bp_stack = {top = -971520319, max = 10, elements = 0x0}
        function_call_stack = {top = -971520192, max = 10, elements = 0xac61626a0}
        switch_cond_stack = {top = -492842760, max = 909, elements = 0x1f1ac2eab}
        foreach_copy_stack = {top = 0, max = 0, elements = 0x38c00000002}
        object_stack = {top = -971529947, max = 10, elements = 0xc617a129}
        declare_stack = {top = 9, max = 0, elements = 0xac61626a0}
        list_stack = {top = -938672592, max = 909, elements = 0x38de24fdbe0}
        labels_stack = {top = -971504032, max = 574, elements = 0xc8e5a0fcf1ac2eab}
        tsrm_ls = 0xac6d5abd0
#9  0x0000038de242707a in rfc1867_post_handler (content_type_dup=0xac6178528 "multipart/form-data; boundary=", '-' <repeats 27 times>, "7db1f334010a", arg=0xac617a8c0, tsrm_ls=0xac6d5abd0)
    at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/main/rfc1867.c:1039
        pair = 0xac617c74b "Z\264\372\357\335\066\336\270e\373\070\202\324\036L\002\353\n"
        end = 0
        param = 0xac61827d8 "files[upload]"
        tmp = 0xac61827e5 ""
        wlen = 0
        buff = "\"\271\211\303\n\000\000\000\253.\254\361\374\240\345\310\000\000\000\000\000\000\000\000\253.\254\361\374\240\345\310\000\000\000\000\000\000\000\000\253.\254\361\374\240\345\310", '\000' <repeats 16 times>, " \006\r?\003\000\000\244M2\311\n\000\000\000\244M2\311\n", '\000' <repeats 20 times>, "V\352\352\215\003\000\000\000\000\000\000\215\003\000\000\002\000\000\000\215\003\000\000\220\004\r?\003\000\000\224\004\r?\003\000\000P\004\r?\003\000\000 \006\r?\003\000\000\000\000\000\000\000\000\000\000$\000\000\000\215\003\000\000\000\000\000\000\000\000\000\000\243M2\311\n\000\000\000\263\a6\310\n\000\000\000\000\000\000\000\n\000\000\000.\000\000\000\001\000\000\000\000\000\000\000\376\377\377\377\243M2\311\n\000\000\000\000\000\000\000\n\000\000\000\377\377\377\377\000\000\000\000\376\377\377\377\000\000\000\000\000\000\000\000\377\377\377\377\000\000\000\000\000\000\000\000_\000\000\000\215\003", '\000' <repeats 26 times>...
        cd = 0xac617c7f4 ""
        filename = 0xac617a098 ""
        blen = 0
        offset = 0
        boundary = 0xac6178546 '-' <repeats 27 times>, "7db1f334010a"
        s = 0x0
        boundary_end = 0x0
        start_arr = 0x0
        array_index = 0x0
        temp_filename = 0x0
        lbuf = 0x0
        abuf = 0x0
        boundary_len = 39
        total_bytes = 0
        cancel_upload = 0
        is_arr_upload = 0
        array_len = 0
        max_file_size = 0
        skip_upload = 0
        anonindex = 0
        is_anonymous = 0
        http_post_files = 0xac617c350
        uploaded_files = 0xac617c1c8
        str_len = 0
        num_vars = 0
        num_vars_max = 20
        len_list = 0x0
        val_list = 0x0
        mbuff = 0xac6165228
        array_ptr = 0xac617a8c0
        fd = -1
        header = {head = 0xac617c610, tail = 0xac61806d0, count = 2, size = 16, dtor = 0x38de2425086 <php_free_hdr_entry>, persistent = 0 '\000', traverse_ptr = 0x38dc80d0610}
        event_extra_data = 0x0
        llen = 0
        upload_cnt = 20
#10 0x0000038de241fb3e in sapi_handle_post (arg=0xac617a8c0, tsrm_ls=0xac6d5abd0) at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/main/SAPI.c:124
No locals.
#11 0x0000038de242b15a in php_default_treat_data (arg=0, str=0x0, destArray=0x0, tsrm_ls=0xac6d5abd0) at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/main/php_variables.c:334
        res = 0x0
        var = 0xac6d5abd0 "\020\263!\306\n"
        val = 0x1b00000000 <Address 0x1b00000000 out of bounds>
        separator = 0x0
        c_var = 0x38dc80d16b0 "`\027\r?\003"
        array_ptr = 0xac617a8c0
        free_buffer = 0
        strtok_buf = 0x0
#12 0x0000038de221308b in mbstr_treat_data (arg=0, str=0x0, destArray=0x0, tsrm_ls=0xac6d5abd0) at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/ext/mbstring/mb_gpc.c:68
        res = 0x0
        separator = 0x0
        c_var = 0x0
        array_ptr = 0x0
        free_buffer = 0
        detected = -971614928
        info = {data_type = 242689, separator = 0x0, force_register_globals = 1, report_errors = 1, to_language = 909, to_encoding = 2048, from_language = 6144, num_from_encodings = -971536912, from_encodings = 0x1800}
#13 0x0000038de242cba2 in php_hash_environment (tsrm_ls=0xac6d5abd0) at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/main/php_variables.c:684
        p = 0xac373dfd1 "PCS"
        _gpc_flags = "\000\000\001\000"
        jit_initialization = 1 '\001'
        auto_global_records = {{name = 0x38de29fda04 "_POST", name_len = 6, long_name = 0x38de29fda19 "HTTP_POST_VARS", long_name_len = 15, jit_initialization = 0 '\000'}, {name = 0x38de29fd9ff "_GET", name_len = 5, 
            long_name = 0x38de29fda28 "HTTP_GET_VARS", long_name_len = 14, jit_initialization = 0 '\000'}, {name = 0x38de29fda0a "_COOKIE", name_len = 8, long_name = 0x38de29fda36 "HTTP_COOKIE_VARS", long_name_len = 17, 
            jit_initialization = 0 '\000'}, {name = 0x38de29fd909 "_SERVER", name_len = 8, long_name = 0x38de29fd9e0 "HTTP_SERVER_VARS", long_name_len = 17, jit_initialization = 1 '\001'}, {name = 0x38de29fd904 "_ENV", name_len = 5, 
            long_name = 0x38de29fd9f1 "HTTP_ENV_VARS", long_name_len = 14, jit_initialization = 1 '\001'}, {name = 0x38de29fda12 "_FILES", name_len = 7, long_name = 0x38de29fda47 "HTTP_POST_FILES", long_name_len = 16, 
            jit_initialization = 0 '\000'}}
        num_track_vars = 6
        i = 6
#14 0x0000038de2410d6b in php_request_startup (tsrm_ls=0xac6d5abd0) at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/main/main.c:1450
        __orig_bailout = 0x38dc80d1b30
        __bailout = {{__jmpbuf = {46308120728, -5719197928186676403, 46195104680, 0, -4294967295, 344, -5719197928213939379, -5719282007032300723}, __mask_was_saved = 0, __saved_mask = {__val = {14476153585499123371, 3907927483048, 
                46283011056, 46283011608, 14476153585499123371, 46308123656, 0, 5, 18446744073709551615, 46285564880, 0, 3907481573904, 14476153585499123371, 18446744072770886160, 14476153585499123371, 46308120728}}}}
        retval = 0
#15 0x0000038de25e61c9 in php_apache_request_ctor (r=0xac82dd898, ctx=0xac82df6e8, tsrm_ls=0xac6d5abd0) at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/sapi/apache2handler/sapi_apache2.c:508
        content_length = 0xac89ca340 "2894"
        auth = 0x0
#16 0x0000038de25e6a60 in php_handler (r=0xac82dd898) at /var/tmp/portage/dev-lang/php-5.3.8/work/sapis-build/apache2/sapi/apache2handler/sapi_apache2.c:624
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {46273497616, -5719197928073430195, 46195104680, 0, -4294967295, 344, -5719197928134247603, -5719281874931778739}, __mask_was_saved = 0, __saved_mask = {__val = {46189764925, 0, 3907973238816, 
                46308120728, 46308121376, 0, 14476153585499123371, 344, 5, 46308120728, 46195106264, 0, 14476153585499123371, 344, 14476153585499123371, 46308120728}}}}
        ctx = 0xac82df6e8
        conf = 0xac89eaea0
        brigade = 0xac6aeb7d8
        bucket = 0x1f1ac2eab
        rv = 909
        parent_req = 0x0
        tsrm_ls = 0xac6d5abd0
#17 0x0000000ac11f25ee in ap_run_handler (r=0xac82dd898) at config.c:158
        pHook = 0xac1715ba8
        n = <value optimized out>
        rv = <value optimized out>
#18 0x0000000ac11f60f3 in ap_invoke_handler (r=0xac82dd898) at config.c:376
        handler = 0xac1715ba8 "\346(>\346\215\003"
        p = 0x652a87e1f9f <Address 0x652a87e1f9f out of bounds>
        result = -1049535576
        old_handler = 0xac177e948 "application/x-httpd-php"
        ignore = <value optimized out>
#19 0x0000000ac12021d2 in ap_internal_redirect (new_uri=<value optimized out>, r=<value optimized out>) at http_request.c:554
        new = 0xac82dd898
        access_status = -1468129377
#20 0x0000038de3f66f3d in handler_redirect (r=0xac89c8a10) at mod_rewrite.c:4863
No locals.
#21 0x0000000ac11f25ee in ap_run_handler (r=0xac89c8a10) at config.c:158
        pHook = 0xac1715ba8
        n = <value optimized out>
        rv = <value optimized out>
#22 0x0000000ac11f60f3 in ap_invoke_handler (r=0xac89c8a10) at config.c:376
        handler = 0x0
        p = 0x652a87e1f9f <Address 0x652a87e1f9f out of bounds>
        result = 0
        old_handler = 0x38de3f6b182 "redirect-handler"
        ignore = <value optimized out>
#23 0x0000000ac120238e in ap_process_request (r=0xac89c8a10) at http_request.c:282
        access_status = -1468129377
#24 0x0000000ac11ff083 in ap_process_http_connection (c=0xac6af7e78) at http_core.c:190
        r = 0xac89c8a10
        csd = 0x0
#25 0x0000000ac11fa83b in ap_run_process_connection (c=0xac6af7e78) at connection.c:43
        pHook = 0xac1716470
        n = <value optimized out>
        rv = <value optimized out>
#26 0x0000000ac1208655 in process_socket (thd=<value optimized out>, dummy=<value optimized out>) at worker.c:544
        current_conn = 0x652a87e1f9f
        conn_id = <value optimized out>
        csd = 280
        sbh = 0xac6af7e70
#27 worker_thread (thd=<value optimized out>, dummy=<value optimized out>) at worker.c:894
        process_slot = 2
        thread_slot = 43
        csd = 0xac6af7c60
        bucket_alloc = <value optimized out>
        last_ptrans = <value optimized out>
        ptrans = 0xac6af7bd8
        rv = <value optimized out>
        is_idle = <value optimized out>
#28 0x0000038de9a51c0a in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#29 0x0000038de95b1bed in clone () from /lib64/libc.so.6
No symbol table info available.
Tags: No tags attached.
Operating System:
PHP Version: 5.3.8

Activities

derick

2011-09-25 21:09

administrator   ~0001806

Hi,

I've tried to reproduce this, but did not succeed. As far as I can see, you need the following for this to trigger:

- PHP needs to be compiled in debug mode
- the filename sent in the form needs to be empty (i.e.: Content-Disposition: form-data; name="uploaded"; filename="" in the POSTed data)
- Xdebug needs to have debugging enabled
- A debug connection needs to be active

Even with this, I do not get it to crash, as in order for that to happen, the hash table that contains exception breakpoints needs to be empty. And it isn't, as it's initialised when a debug connection starts (i.e., always, otherwise it wasn't enabled, which is a prerequisite).

So, I would need some more information from you that can pinpoint the cause a bit more:

- how often does this crash?
- can you do this when it crashes:
    frame 6 (the one that has xdebug_hash_extended_find)
    print *h
    print *l
- Can you run apache (in single process mode) under Valgrind and put the output somewhere when it crashes:
    valgrind /path/to/sbin/apache2 -X
    - and then make requests until it crashes.
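
A triage helper for backtraces like the one in this report, added here as an example (it is not part of the report or of Xdebug). It scans gdb frame arguments and locals and flags pointer values that cannot be valid addresses; it assumes x86-64 with 48-bit virtual addresses, and the sample embeds frames 6 and 7 from the report with source paths shortened.

```python
import re

# Frames 6 and 7 from the report's "bt full" output, source paths shortened.
SAMPLE = """\
#6  0x0000038dde173902 in xdebug_hash_extended_find (h=0xb1ca323230349993, str_key=0xac8474df0 "Notice", str_key_len=6, num_key=0, p=0x38dc80cfcd8) at xdebug_hash.c:207
        l = 0xc8e5a0fcf1ac2eab
        le = 0x0
#7  0x0000038dde177c18 in xdebug_error_cb (type=8, error_filename=0x38de2a10f23 "Unknown", error_lineno=0, format=0x38de29fd37c "No file uploaded", args=0x38dc80cfe60) at xdebug_stack.c:565
        buffer = 0xac6182b48 "No file uploaded"
        exception_class = 0x5a5a5a5a5a5a5a5a
"""

# "#N  [0xADDR in] function (" at the start of a gdb frame line.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \(")
# "name=0x..." (arguments) or "name = 0x..." (locals).
VALUE_RE = re.compile(r"\b(\w+)\s*=\s*(0x[0-9a-f]{1,16})\b")


def classify(value: int) -> str:
    """Judge a 64-bit value that gdb printed as a pointer."""
    if value == 0:
        return "null"
    if len(set(value.to_bytes(8, "big"))) == 1:
        # One byte repeated eight times: allocator or debug fill, not an address.
        return "fill-pattern"
    if value >> 47 not in (0, 0x1FFFF):
        # Bits 63..47 must all be equal for a canonical address (assumption:
        # x86-64, 48-bit virtual addresses); dereferencing anything else faults.
        return "non-canonical"
    return "plausible"


def triage(backtrace: str):
    """Return (frame, function, name, value, verdict) for suspect pointers."""
    findings, frame = [], None
    for line in backtrace.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frame = (int(m.group(1)), m.group(2))
        if frame is None:
            continue  # text before the first frame line
        for name, hexval in VALUE_RE.findall(line):
            verdict = classify(int(hexval, 16))
            if verdict in ("fill-pattern", "non-canonical"):
                findings.append((*frame, name, hexval, verdict))
    return findings


if __name__ == "__main__":
    for frame_no, func, name, hexval, verdict in triage(SAMPLE):
        print(f"frame {frame_no} {func}: {name}={hexval} ({verdict})")
```

On the sample, frame 6's `h` and `l` come back as non-canonical and frame 7's `exception_class` as a fill pattern, which is consistent with a fault on first use of the table pointer passed to `xdebug_hash_extended_find`.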

derick

2012-02-29 13:16

administrator   ~0001939

Can't reproduce, and no feedback provided.

Issue History

Date Modified Username Field Change
2011-09-08 13:50 igalic New Issue
2011-09-25 21:09 derick Note Added: 0001806
2011-09-25 21:09 derick Assigned To => derick
2011-09-25 21:09 derick Status new => feedback
2012-02-29 13:16 derick Note Added: 0001939
2012-02-29 13:16 derick Status feedback => resolved
2012-02-29 13:16 derick Resolution open => unable to reproduce
2016-07-31 12:36 derick Category Usage problems => Usage problems (Crashes)
2016-07-31 12:38 derick Category Usage problems (Crashes) => Usage problems (Wrong Results)
2020-03-12 16:35 derick Category Usage problems (Wrong Results) => Variable Display
2020-03-12 16:38 derick Category Variable Display => Uncategorized