php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #12270 php4ts.dll crashes due to null-pointer assignment on shutdown
Submitted: 2001-07-20 03:02 UTC Modified: 2002-08-25 01:00 UTC
Votes:3
Avg. Score:3.7 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: zimpel at t-online dot de Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 4.2.2 OS: Win32
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: zimpel at t-online dot de
New email:
PHP Version: OS:

 

 [2001-07-20 03:02 UTC] zimpel at t-online dot de
The crash may be only reproducible in release builds with activated bcmath. (In debug builds
the Zend efree() function returns prior actual freeing something, if the thread which calls efree()
isn't the thread which original allocated the resource).

The "call stack" of this issue is:
php_module_shutdown_wrapper()     // pi3web_sapi.c
php_module_shutdown()     // main.c
zend_shutdown()    // zend.c
zend_hash_destroy(&module_registry)     // zend_hash.c
pefree(ht->arBuckets, ht->persistent)     // zend_hash.c
...
PHP_MSHUTDOWN_FUNCTION(bcmath)     // bcmath.c
bc_free_num (num)     // init.c, the global bcnum value is _two_
efree ((*num)->n_ptr);     // zend_alloc.c

In efree() the code in macro  REMOVE_POINTER_FROM_LIST() crashes

#define REMOVE_POINTER_FROM_LIST(p)		\
	if (!p->persistent && p==AG(head)) {		\
		AG(head) = p->pNext;		\
	} else if (p->persistent && p==AG(phead)) {	\
		AG(phead) = p->pNext;		\
	} else {					\
		p->pLast->pNext = p->pNext;		\
	}					\
	if (p->pNext) {				\
		p->pNext->pLast = p->pLast;		\
	}

The reason of the crash is 

	} else {					\
		p->pLast->pNext = p->pNext;		\

if the pointer pLast == NULL. This is true for the last allocated persistent
resource. This code is only called when bcmath performs shutdown,
because in other calls of efree() the condition p==AG(head) seems to
be always true.

A probable fix is:

	} else if (p->pLast) {				\
		p->pLast->pNext = p->pNext;		\

---
regards,
Holger Zimmermann

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-07-22 15:30 UTC] zeev@php.net
The fix is not valid - p->pLast cannot be NULLif everything works right - i.e., the bug is elsewhere.

Do you have a script that reproduces this problem (preferably with the CGI version of PHP)?
 [2002-02-03 20:19 UTC] yohgaki@php.net
Could you try 4.1.1?

 [2002-03-04 00:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2002-07-24 14:42 UTC] zimpel at t-online dot de
This issue still persists in PHP4.2.2 as I recently checked.
I can't  provide a script to reproduce the problem, because
only the startup and immediate shutdown of the sapi module
is sufficient as a trigger.
I tried to debug the PHP.exe based on php4ts.dll, but the
crash isn't reproducible then. I made a small addition to
cgi_main.c in order to invoke the shutdown-code:
   cgi_sapi_module.shutdown(&cgi_sapi_module);

I used the 4.2.2 source distribution and build it on NT4/SP6
with MSVC6. The error is still as described below, except it
also happens in debug builds now (probably changed
preprocessor directives). I only wonder, if the p->pLast is
NULL but the rest of the structure is still intact.

If I can provide further support (e.g. logs), don't hestitate
to ask.
--
cu,
Holger
 [2002-07-24 20:08 UTC] sniper@php.net
This _might_ be fixed already, as the module shutdown order
happens now in reverse as they were loaded (might be related). Please try this snapshot:

http://snaps.php.net/win32/php4-win32-latest.zip
 [2002-08-25 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 06:01:30 2024 UTC