phpv8 / v8js

V8 Javascript Engine for PHP — This PHP extension embeds the Google V8 Javascript Engine
http://pecl.php.net/package/v8js
MIT License

Crash in zend_error #94

Closed rosmo closed 10 years ago

rosmo commented 10 years ago

This only seems to happen in Apache (at least a simple test from command line triggering "Array to string conversion" did not crash):

#0  0x0000000000000005 in ?? ()
#1  0x00007fffecbfad7c in zend_error (type=8, format=0x7fffed0e382c "Array to string conversion") at /usr/src/debug/php-5.4.28/Zend/zend.c:1116
#2  0x00007fffecbfbcab in zend_make_printable_zval (expr=0x7ffff8d0ec98, expr_copy=0x7fffffffa770, use_copy=0x7fffffffa78c) at /usr/src/debug/php-5.4.28/Zend/zend.c:249
#3  0x00007fffecc5aa80 in ZEND_CAST_SPEC_VAR_HANDLER (execute_data=0x7ffff7ee6908) at /usr/src/debug/php-5.4.28/Zend/zend_vm_execute.h:11364
#4  0x00007fffecc64400 in execute (op_array=0x7fffd68e1a38) at /usr/src/debug/php-5.4.28/Zend/zend_vm_execute.h:410
#5  0x00007fffecbef449 in zend_call_function (fci=0x7fffffffa970, fci_cache=<value optimized out>) at /usr/src/debug/php-5.4.28/Zend/zend_execute_API.c:956
#6  0x00007fffecaf7467 in zif_call_user_func_array (ht=<value optimized out>, return_value=0x7ffff8bda0f8, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /usr/src/debug/php-5.4.28/ext/standard/basic_functions.c:4754
#7  0x00007fffecc76adc in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.4.28/Zend/zend_vm_execute.h:643
#8  0x00007fffecc64400 in execute (op_array=0x7ffff8ac2da8) at /usr/src/debug/php-5.4.28/Zend/zend_vm_execute.h:410
#9  0x00007fffecbef449 in zend_call_function (fci=0x7fffffffac90, fci_cache=<value optimized out>) at /usr/src/debug/php-5.4.28/Zend/zend_execute_API.c:956
#10 0x00007fffecbf0230 in call_user_function_ex (function_table=<value optimized out>, object_pp=<value optimized out>, function_name=<value optimized out>, retval_ptr_ptr=<value optimized out>,
    param_count=<value optimized out>, params=<value optimized out>, no_separation=1, symbol_table=0x0) at /usr/src/debug/php-5.4.28/Zend/zend_execute_API.c:748
#11 0x00007fffecc1c014 in zim_Closure___invoke (ht=1, return_value=0x7ffff8bce9f8, return_value_ptr=0x7fffffffb0a8, this_ptr=0x7ffff8ac1310, return_value_used=<value optimized out>)
    at /usr/src/debug/php-5.4.28/Zend/zend_closures.c:59
#12 0x00007fffecbef4fd in zend_call_function (fci=0x7fffffffaff0, fci_cache=<value optimized out>) at /usr/src/debug/php-5.4.28/Zend/zend_execute_API.c:978
#13 0x00007fffdc5685ac in php_v8js_call_php_func (value=0x7ffff8ac1310, ce=<value optimized out>, method_ptr=<value optimized out>, isolate=0x7ffff8b1f5a0, info=...)
    at /builddir/build/BUILD/v8js-0.1.6/v8js_convert.cc:176
#14 0x00007fffdbd87c44 in v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) () from /usr/lib64/libv8.so
#15 0x00007fffdbda63cc in ?? () from /usr/lib64/libv8.so

This started happening consistently right after the unwind patch.

rosmo commented 10 years ago

I think the issue is probably that the fatal error handler should only be triggered when E_ERROR, E_CORE_ERROR or E_USER_ERROR is set. Otherwise just jump back to the old error handler.
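The delegation described in the comment above, written out as an added C example that is not v8js's own code: the extension hooks Zend's error callback while JavaScript calls back into PHP, and only the fatal classes (E_ERROR, E_CORE_ERROR, E_USER_ERROR) may unwind; warnings and notices such as "Array to string conversion" are forwarded to the previously installed callback so PHP continues normally. The callback type, `raise_error`, `run_with_error_hook` and the recording default handler are constructed stand-ins for the Zend internals; the level constants carry PHP's real values.

```c
#include <setjmp.h>
#include <stdio.h>

/* PHP error level bits (values match the real E_* constants). */
#define E_ERROR       (1 << 0)
#define E_WARNING     (1 << 1)
#define E_NOTICE      (1 << 3)
#define E_CORE_ERROR  (1 << 4)
#define E_USER_ERROR  (1 << 8)

/* Only these levels are allowed to unwind out of a JS -> PHP call. */
#define FATAL_MASK (E_ERROR | E_CORE_ERROR | E_USER_ERROR)

typedef void (*error_cb_t)(int type, const char *msg);

/* Stand-in for PHP's own error callback: records what it was handed. */
static int  last_forwarded_type = 0;
static char last_forwarded_msg[128];

static void default_error_cb(int type, const char *msg) {
    last_forwarded_type = type;
    snprintf(last_forwarded_msg, sizeof last_forwarded_msg, "%s", msg);
}

/* The callback the "runtime" currently dispatches to (stand-in for zend_error_cb). */
static error_cb_t current_error_cb = default_error_cb;
static error_cb_t old_error_cb     = NULL;
static jmp_buf    unwind_env;

/* Stand-in for zend_error(): dispatch to whatever callback is installed. */
static void raise_error(int type, const char *msg) {
    current_error_cb(type, msg);
}

/* Replacement callback installed for the duration of a JS -> PHP call.
 * Fatal levels unwind via longjmp; everything else goes to the old handler. */
static void hooked_error_cb(int type, const char *msg) {
    if (type & FATAL_MASK) {
        longjmp(unwind_env, type);   /* does not return */
    }
    old_error_cb(type, msg);         /* jump back to the old error handler */
}

/* Run `body` with the hook installed. Returns 0 if the body completed,
 * otherwise the fatal level that unwound out of it. The previous callback
 * is restored on both paths. */
static int run_with_error_hook(void (*body)(void)) {
    int rc;
    old_error_cb     = current_error_cb;
    current_error_cb = hooked_error_cb;
    if ((rc = setjmp(unwind_env)) == 0) {
        body();
    }
    current_error_cb = old_error_cb;
    return rc;
}

/* Constructed PHP-side callbacks that raise a non-fatal and a fatal error. */
static int body_completed = 0;

static void body_warning(void) {
    body_completed = 0;
    raise_error(E_WARNING, "Array to string conversion");
    body_completed = 1;              /* reached only if the warning did not unwind */
}

static void body_fatal(void) {
    body_completed = 0;
    raise_error(E_USER_ERROR, "constructed fatal error");
    body_completed = 1;              /* must never be reached */
}

int main(void) {
    printf("warning: rc=%d completed=%d forwarded=%d\n",
           run_with_error_hook(body_warning), body_completed, last_forwarded_type);
    printf("fatal:   rc=%d completed=%d\n",
           run_with_error_hook(body_fatal), body_completed);
    return 0;
}
```

With the level check in place the warning path returns 0 and the body runs to completion, which is the behaviour the backtrace above lacked: there the handler unwound on a mere "Array to string conversion" notice and control ended up at a garbage address. Note that the hook restores the previous callback on the unwind path as well, so a fatal error inside one call does not leave a stale handler installed for the next request.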

rosmo commented 10 years ago

Would this be an appropriate fix? Seems to work for me: https://github.com/rosmo/v8js/commit/cbda704d7e72a8e208d184c3a678752f24cbff53

stesie commented 10 years ago

Hi @rosmo,

good catch, I should have tested warning/notice behaviour initially... sorry for that.

Anyways, thanks for your patch! I just merged it with two minor tweaks:

cheers ~stesie

rosmo commented 10 years ago

Awesome, thanks!