Bug #64452 oo Zip PHPTs crash intermittently
Submitted: 2013-03-19 04:49 UTC
Modified: 2013-03-19 12:30 UTC
From: mattficken@php.net
Assigned:
Status: Closed
Package: Zip Related
PHP Version: 5.5Git-2013-03-19 (snap)
OS: Windows
Private report: No
CVE-ID: None
 [2013-03-19 04:49 UTC] mattficken@php.net
Description:
------------
Running this PHPT on Apache with PHP 5.5-03-19 intermittently crashes:
ext/zip/tests/oo_addemptydir.phpt

I tested some other ext/zip/tests/oo_* including oo_addfile and oo_open and oo_streams, with this revision and they do not crash.

Expected result:
----------------
Test pass

Actual result:
--------------
eax=054cf6e4 ebx=00000000 ecx=7fffffff edx=00000000 esi=00360000 edi=7577cad4
eip=7797dcbb esp=054cf6d4 ebp=054cf74c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!RtlpNtEnumerateSubKey+0x1b26:
7797dcbb eb12            jmp     ntdll!RtlpNtEnumerateSubKey+0x1b3a (7797dccf)

054cf74c 7797ebc1 ntdll!RtlpNtEnumerateSubKey+0x1b26
054cf75c 7797eca1 ntdll!RtlpNtEnumerateSubKey+0x2a2c
054cf790 7792de10 ntdll!RtlpNtEnumerateSubKey+0x2b0c
054cf7c0 757714d1 ntdll!RtlUlonglongByteSwap+0xb70
054cf7d4 6d29dcc2 kernel32!HeapFree+0x14
054cf7e8 6b47e76f MSVCR110!free+0x1a
054cf7f8 6b47e3b3 php5ts!_zip_dirent_finalize+0xf [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\ext\zip\lib\zip_dirent.c @ 162]
054cf884 6b47c345 php5ts!zip_close+0x6d3 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\ext\zip\lib\zip_close.c @ 307]
054cf88c 6b227942 php5ts!php_zip_object_free_storage+0x15 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\ext\zip\php_zip.c @ 1054]
054cf944 6b2276c8 php5ts!zend_objects_store_del_ref_by_handle_ex+0x1a2 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\zend\zend_objects_api.c @ 221]
054cf95c 6b50283e php5ts!zend_objects_store_del_ref+0x18 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\zend\zend_objects_api.c @ 173]
054cf974 6b1eb459 php5ts!_zval_dtor_func+0x316e5e [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\zend\zend_variables.c @ 54]
054cf98c 6b1f985e php5ts!_zval_ptr_dtor+0x59 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\zend\zend_execute_api.c @ 428]
054cf9a4 6b2906f1 php5ts!zend_hash_reverse_apply+0xbe [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\zend\zend_hash.c @ 804]
054cfa10 6b2572a9 php5ts!shutdown_destructors+0x71 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\zend\zend_execute_api.c @ 218]
054cfa68 6b256c78 php5ts!zend_call_destructors+0x49 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\zend\zend.c @ 924]
054cfd74 6f9a1566 php5ts!php_request_shutdown+0x108 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\main\main.c @ 1743]
054cfea8 6d2341d5 php5apache2_4!php_handler+0x486 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\sapi\apache2handler\sapi_apache2.c @ 680]
054cfec0 6d23356d libhttpd!ap_run_handler+0x25 [g:\php-sdk\lib_builds\vc11\x86\httpd-2.4.3-makefile\server\config.c @ 169]
054cfed8 6d242424 libhttpd!ap_invoke_handler+0xdd [g:\php-sdk\lib_builds\vc11\x86\httpd-2.4.3-makefile\server\config.c @ 432]
054cfef8 6d2424b1 libhttpd!ap_process_async_request+0x184 [g:\php-sdk\lib_builds\vc11\x86\httpd-2.4.3-makefile\modules\http\http_request.c @ 317]
054cff0c 6d23d8a1 libhttpd!ap_process_request+0x11 [g:\php-sdk\lib_builds\vc11\x86\httpd-2.4.3-makefile\modules\http\http_request.c @ 363]
054cff28 6d236545 libhttpd!ap_process_http_sync_connection+0x61 [g:\php-sdk\lib_builds\vc11\x86\httpd-2.4.3-makefile\modules\http\http_core.c @ 190]
054cff40 6d25ae62 libhttpd!ap_run_process_connection+0x25 [g:\php-sdk\lib_builds\vc11\x86\httpd-2.4.3-makefile\server\connection.c @ 41]
054cff68 75773677 libhttpd!worker_main+0x112 [g:\php-sdk\lib_builds\vc11\x86\httpd-2.4.3-makefile\server\mpm\winnt\child.c @ 840]
054cff74 778e9d72 kernel32!BaseThreadInitThunk+0x12
054cffb4 778e9d45 ntdll!RtlInitializeExceptionChain+0x63
054cffcc 00000000 ntdll!RtlInitializeExceptionChain+0x36

Patches

64452.patch (last revision 2013-03-19 18:15 UTC by ab@php.net)

Pull Requests

History

 [2013-03-19 12:30 UTC] ab@php.net
Reproduced the same on Linux; here's what valgrind says:

==17169== Invalid free() / delete / delete[]
==17169==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==17169==    by 0x4C48831: _zip_dirent_finalize (zip_dirent.c:162)
==17169==    by 0x4C4693B: zip_close (zip_close.c:306)
==17169==    by 0x4C3E9A4: c_ziparchive_close (php_zip.c:1555)
==17169==    by 0x4DD0D81: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:542)
==17169==    by 0x4DD16A2: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:674)
==17169==    by 0x4DD029A: execute_ex (zend_vm_execute.h:356)
==17169==    by 0x4DD0364: zend_execute (zend_vm_execute.h:381)
==17169==    by 0x4D919F5: zend_execute_scripts (zend.c:1316)
==17169==    by 0x4CEBF47: php_execute_script (main.c:2479)
==17169==    by 0x4E4526A: php_handler (sapi_apache2.c:667)
==17169==    by 0x809072E: ap_run_handler (config.c:169)

==17169== Invalid free() / delete / delete[]
==17169==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==17169==    by 0x4C48849: _zip_dirent_finalize (zip_dirent.c:164)
==17169==    by 0x4C4693B: zip_close (zip_close.c:306)
==17169==    by 0x4C3E9A4: c_ziparchive_close (php_zip.c:1555)
==17169==    by 0x4DD0D81: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:542)
==17169==    by 0x4DD16A2: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:674)
==17169==    by 0x4DD029A: execute_ex (zend_vm_execute.h:356)
==17169==    by 0x4DD0364: zend_execute (zend_vm_execute.h:381)
==17169==    by 0x4D919F5: zend_execute_scripts (zend.c:1316)
==17169==    by 0x4CEBF47: php_execute_script (main.c:2479)
==17169==    by 0x4E4526A: php_handler (sapi_apache2.c:667)
==17169==    by 0x809072E: ap_run_handler (config.c:169)

==17169== 
==17169== Invalid free() / delete / delete[]
==17169==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==17169==    by 0x4C48819: _zip_dirent_finalize (zip_dirent.c:160)
==17169==    by 0x4C4693B: zip_close (zip_close.c:306)
==17169==    by 0x4C3D1BB: php_zip_object_free_storage (php_zip.c:1054)
==17169==    by 0x4DC8D41: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:221)
==17169==    by 0x4DC89CD: zend_objects_store_del_ref (zend_objects_API.c:173)
==17169==    by 0x4D8CBD6: _zval_dtor_func (zend_variables.c:54)
==17169==    by 0x4D79F34: _zval_dtor (zend_variables.h:35)
==17169==    by 0x4D7A03E: i_zval_ptr_dtor (zend_execute.h:81)
==17169==    by 0x4D7BCD3: _zval_ptr_dtor (zend_execute_API.c:428)
==17169==    by 0x4D8D034: _zval_ptr_dtor_wrapper (zend_variables.c:182)
==17169==    by 0x4DA2A48: zend_hash_apply_deleter (zend_hash.c:650)

It's always _zip_dirent_finalize on various lines; that function actually does only free() calls.
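
The observation in the comment above, that every invalid free is reached through _zip_dirent_finalize, can be checked mechanically. The following is an added example, not part of the original thread or of PHP's code: it parses valgrind error records, re-joins frames that were wrapped onto a second line, and reports the first frame below the allocator for each error. The names `parse_errors` and `culprits` are hypothetical, and the sample is constructed by abridging the output quoted above.

```python
import re
from collections import defaultdict
# Constructed sample, abridged from the valgrind output above (one wrapped frame kept).
SAMPLE = """\
==17169== Invalid free() / delete / delete[]
==17169==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==17169==    by 0x4C48831: _zip_dirent_finalize (zip_dirent.c:162)
==17169==    by 0x4C4693B: zip_close (zip_close.c:306)
==17169==    by 0x4DD0D81: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:542)
==17169== Invalid free() / delete / delete[]
==17169==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==17169==    by 0x4C48849: _zip_dirent_finalize (zip_dirent.c:164)
==17169== Invalid free() / delete / delete[]
==17169==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==17169==    by 0x4C48819: _zip_dirent_finalize (zip_dirent.c:160)
"""

ALLOCATOR_FRAMES = {"free", "malloc", "calloc", "realloc"}
HEADER = re.compile(r"^==\d+== (Invalid .+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")

def parse_errors(text):
    """Return one (kind, [(function, location), ...]) record per error."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        # A line without the ==pid== prefix continues the previous frame.
        if line and not line.startswith("==") and lines:
            lines[-1] += " " + line
        else:
            lines.append(line)
    errors = []
    for line in lines:
        header, frame = HEADER.match(line), FRAME.match(line)
        if header:
            errors.append((header.group(1), []))
        elif frame and errors:
            errors[-1][1].append(frame.groups())
    return errors

def culprits(text):
    """Map each error's first non-allocator frame to the source lines seen."""
    seen = defaultdict(set)
    for _kind, frames in parse_errors(text):
        caller = next((f for f in frames if f[0] not in ALLOCATOR_FRAMES), None)
        if caller:
            seen[caller[0]].add(caller[1])
    return {func: sorted(locs) for func, locs in seen.items()}
```

A single key in the result with several source lines means one function is releasing several pointers that the allocator does not recognise, which is the pattern reported here.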
 [2013-03-19 15:12 UTC] ab@php.net
The following patch has been added/updated:

Patch Name: 64452.patch
Revision:   1363705975
URL:        https://bugs.php.net/patch-display.php?bug=64452&patch=64452.patch&revision=1363705975
 [2013-03-19 18:03 UTC] ab@php.net
The following patch has been added/updated:

Patch Name: 64452.patch
Revision:   1363716237
URL:        https://bugs.php.net/patch-display.php?bug=64452&patch=64452.patch&revision=1363716237
 [2013-03-19 18:15 UTC] ab@php.net
The following patch has been added/updated:

Patch Name: 64452.patch
Revision:   1363716932
URL:        https://bugs.php.net/patch-display.php?bug=64452&patch=64452.patch&revision=1363716932
 [2013-03-20 08:16 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bb935ff8dc65c52efea6aae6697a806dc86c8580
Log: Fixed bug #64452 Zip PHPTs crash intermittently
 [2013-03-20 08:16 UTC] ab@php.net
-Status: Open
+Status: Closed
 [2013-03-20 08:43 UTC] ab@php.net
Automatic comment from SVN on behalf of ab
Revision: http://svn.php.net/viewvc/?view=revision&revision=329838
Log: Fixed bug #64452 Zip PHPTs crash intermittently
 [2013-03-23 20:34 UTC] ab@php.net
Automatic comment from SVN on behalf of ab
Revision: http://svn.php.net/viewvc/?view=revision&revision=329897
Log: Reworked the changes for #64452
 [2014-10-07 23:19 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=bb935ff8dc65c52efea6aae6697a806dc86c8580
Log: Fixed bug #64452 Zip PHPTs crash intermittently
 [2014-10-07 23:30 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=bb935ff8dc65c52efea6aae6697a806dc86c8580
Log: Fixed bug #64452 Zip PHPTs crash intermittently
 