Bug #42401 php5ts crash on double free
Submitted: 2007-08-23 19:23 UTC Modified: 2007-08-31 01:00 UTC
Votes:12
Avg. Score:4.0 ± 1.0
Reproduced:11 of 12 (91.7%)
Same Version:2 (18.2%)
Same OS:8 (72.7%)
From: reprovol at microsoft dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.2.3 OS: Windows Vista/LH Server
Private report: No CVE-ID: None
 [2007-08-23 19:23 UTC] reprovol at microsoft dot com
Description:
------------
Crash Bucket: 421917130  
  
szAppName w3wp.exe 
szAppVer 7.0.6001.16510 
szModName StackHash_80ba 
szModVer 6.0.6001.16510 
Offset 000a773f 
Exception Code c0000374 
Application Stamp 462598ef 
Module Stamp 4625a0ae 
0:014> !heap
**************************************************************
*                                                            *
*                  HEAP ERROR DETECTED                       *
*                                                            *
**************************************************************

Details:

Error address: 02ebc1d8
Heap handle: 00850000
Error type heap_failure_block_not_busy (8)
Stack trace:
                77ad01f8: ntdll!RtlFreeHeap+0x00000060
                75f22a89: kernel32!HeapFree+0x00000014
                76659fbb: msvcrt!free+0x000000cd
                025a9cfe: php5ts+0x00099cfe
                77ac631c: ntdll!zzz_AsmCodeRange_End
                77ab42bd: ntdll!LdrpUnloadDll+0x000003d4
                77aafeff: ntdll!LdrUnloadDll+0x00000046
                75eb2563: kernel32!FreeLibrary+0x00000076
                748ecaa0: isapi!ISAPI_DLL::Unload+0x00000038
<snip>

0:014> lmvmphp5ts 
start    end        module name
02510000 029e7000   php5ts   T (no symbols)           
    Loaded symbol image file: php5ts.dll
    Image path: php5ts.dll
    Image name: php5ts.dll
    Timestamp:        Thu May 31 06:37:03 2007 (465ECF7F)
    CheckSum:         00000000
    ImageSize:        004D7000
    File version:     5.2.3.3
    Product version:  5.2.3.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0

Sorry 
0:014> u 025a9cfe 
php5ts+0x99cfe:
025a9cfe ??              ???

Actual result:
--------------
                77ad01f8: ntdll!RtlFreeHeap+0x00000060
                75f22a89: kernel32!HeapFree+0x00000014
                76659fbb: msvcrt!free+0x000000cd
                025a9cfe: php5ts+0x00099cfe
                77ac631c: ntdll!zzz_AsmCodeRange_End
                77ab42bd: ntdll!LdrpUnloadDll+0x000003d4
                77aafeff: ntdll!LdrUnloadDll+0x00000046
                75eb2563: kernel32!FreeLibrary+0x00000076
                748ecaa0: isapi!ISAPI_DLL::Unload+0x00000038

 [2007-08-23 19:29 UTC] derick@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.
 [2007-08-31 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-01-10 14:01 UTC] ambition at ambitiondesign dot com dot au
To reproduce, run any PHP code using the IIS ISAPI extension, then stop and start the IIS app pool. An error message dialog will appear, and information will be added to the Microsoft Windows Application Event Log.
 [2008-02-02 16:36 UTC] matthew dot horner at redprairie dot com
I am able to reproduce this issue as others have seen.  If you simply run the following script, the error should reproduce itself.

<?php

phpinfo();

?>

The crash results in the following:
---------------------------------------------------
In w3wp__PID__4852__Date__02_02_2008__Time_09_57_40AM__660__First chance exception 0XC0000374.dmp the assembly instruction at ntdll!RtlReportCriticalFailure+5b in C:\Windows\System32\ntdll.dll from Microsoft Corporation has caused an unknown exception (0xc0000374) on thread 11

I have done several different tests using IIS7 and have concluded that there are no issues with PHP4 but 5.1.6 and 5.2.5 both cause the crash.  I am using Vista Business and confirmed with several other developers in our organization the same issues with IIS7 on Vista.  Those reporting this issue to our group reported that the problem was also seen but not limited to 5.2.3.

From the DebugDiag tool, I have gathered a stack trace which identifies the faulting dll, php5ts.dll.
--------------------------------------------------------------
Function     Arg 1     Arg 2     Arg 3   Source 
ntdll!RtlReportCriticalFailure+5b     c0000374     77d1cf50     01c1f838    
ntdll!RtlpReportHeapFailure+21     00000002     01c1a15c     00000000    
ntdll!RtlpLogHeapFailure+a1     00000008     00110000     037d7148    
ntdll!RtlFreeHeap+60     00110000     00000000     037d7150    
kernel32!HeapFree+14     00110000     00000000     037d7150    
msvcrt!free+cd     037d7150     0143aa70     0313978a    
php5ts!zend_hash_graceful_reverse_destroy+2e     10000000     00000000     00000000    
ntdll!LdrpCallInitRoutine+14     1000263d     10000000     00000000    
ntdll!LdrpUnloadDll+3ba     10000000     01c1fa28     01c1a32c    
ntdll!LdrUnloadDll+46     10000000     027fffe4     01c1fa7c    
kernel32!FreeLibrary+15     10000000     00000000     009b07c8    
isapi!ISAPI_DLL::Unload+38     009b07c8     696aa82d     009b07c8    
isapi!ISAPI_DLL::~ISAPI_DLL+10     009b07c8     01c1fa94     696aa93f    
isapi!ISAPI_DLL::`scalar deleting destructor'+d     00000001     027fffc4     00f56578    
isapi!ISAPI_DLL::DereferenceIsapiDll+37     01c1fac0     732a6bdc     009b07c8    
isapi!ISAPI_DLL_HASH::AddRefRecord+23     009b07c8     ffffffff     00f56590    
iisutil!CLKRLinearHashTable::_Clear+6f     00000000     00000003     00f56578    
iisutil!CLKRLinearHashTable::~CLKRLinearHashTable+19     0011d898     01c1fae8     732a6e75    
iisutil!CLKRLinearHashTable::`scalar deleting destructor'+d     00000001     01c1fb04     732a6fe4    
iisutil!CLKRHashTable::_FreeSubTable+13     00f56578     01413938     0011d898    
iisutil!CLKRHashTable::~CLKRHashTable+18     014052b0     01c1fb28     696aaee6    
isapi!W3_RESTRICTION_LIST::`scalar deleting destructor'+e     00000001     696ab318     01437a90    
isapi!TerminateIsapiModule+16     01437a90     72798822     01437a90    
isapi!CIISModuleFactory::Terminate+14     01437a90     727988a6     01437a90    
iiscore!VIRTUAL_MODULE::~VIRTUAL_MODULE+3e     01437a90     01c1fb70     72797755    
iiscore!VIRTUAL_MODULE::`vector deleting destructor'+d     00000001     0000000e     727988e0    
iiscore!VIRTUAL_MODULE::DereferenceVirtualModule+20     00000000     732a6cb0     01413758    
iiscore!MODULE_LIST::FreeModules+21     01413bdc     01413758     7279a798    
iiscore!W3_SERVER::TerminateGlobalModules+49     013f01fc     013f021c     013f01fc    
iiscore!W3_SERVER::Terminate+120     01385578     727945c8     01c1fb90    
iiscore!IISCORE_PROTOCOL_MANAGER::StopListenerChannel+58     01385584     01385578     00000000    
w3wphost!LISTENER_CHANNEL::HandleStopListenerChannel+65     00000000     03778b48     73e83e43    
w3wphost!LISTENER_CHANNEL_STOP_WORKITEM::ExecuteWorkItem+10     013eedd8     01c1fbd8     73ea2567    
w3wphost!W3WP_HOST::ExecuteWorkItem+13     00000000     00000000     03778b58    
w3tp!THREAD_POOL_DATA::ThreadPoolThread+73     00000000     01385680     73ea0000    
w3tp!THREAD_POOL_DATA::ThreadPoolThread+24     013eedd8     00000000     00000000    
w3tp!THREAD_MANAGER::ThreadManagerThread+39     01385680     01c1fc50     77c8a9bd    
kernel32!BaseThreadInitThunk+e     01385680     01c1a534     00000000    
ntdll!_RtlUserThreadStart+23     73ea1e3c     01385680     00000000    


Additionally, this section of the log shows a lock being held.
--------------------------------------------------------------
Locked critical section report
Critical Section    ntdll!LdrpLoaderLock  
Lock State   Locked 
Lock Count   1 
Recursion Count   1 
Entry Count   0 
Contention Count   6 
Spin Count   0 
Owner Thread   11 
Owner Thread System ID   3192 

I have slightly altered my configuration of IIS to accelerate the crash.  Using the IIS Manager, I clicked Application Pools, selected DefaultAppPool and clicked Advanced Settings.  In the settings configuration screen, I changed the Idle Timeout (minutes) under Process Model to 1.  Do an iisreset, execute the example script above in the browser and wait.  Within one minute you should see a message stating the 'IIS Worker Process has stopped working.'

I downloaded the DebugDiag tool from http://www.microsoft.com/downloads/details.aspx?FamilyID=28bd5941-c458-46f1-b24d-f60151d875a3&DisplayLang=en

If you would like the complete log of the crash as reported by DebugDiag tool, I would be more than happy to pass it along.  If any assistance is required, please feel free to contact me and I will do everything I can.

Thanks,
Matt
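Triage of a DebugDiag stack like the one Matt posted, as an added example that is not part of the bug report or of PHP's own code: it parses the Function/Arg columns, reads the heap failure code passed to RtlpLogHeapFailure (8, which the report's !heap output names heap_failure_block_not_busy), finds the first frame below the free that is not Windows, CRT or IIS code, and flags that the free ran from LdrpCallInitRoutine, i.e. from the DLL's DllMain while FreeLibrary was unloading it. The list of system modules and the reading of Arg 1 as the failure code are my assumptions, matched against the two listings in this report.

```python
import re
# Constructed sample: key frames of the DebugDiag stack quoted in the report, in its "Function Arg 1 Arg 2 Arg 3" layout.
SAMPLE_STACK = """\
Function     Arg 1     Arg 2     Arg 3   Source
ntdll!RtlReportCriticalFailure+5b     c0000374     77d1cf50     01c1f838
ntdll!RtlpLogHeapFailure+a1     00000008     00110000     037d7148
ntdll!RtlFreeHeap+60     00110000     00000000     037d7150
kernel32!HeapFree+14     00110000     00000000     037d7150
msvcrt!free+cd     037d7150     0143aa70     0313978a
php5ts!zend_hash_graceful_reverse_destroy+2e     10000000     00000000     00000000
ntdll!LdrpCallInitRoutine+14     1000263d     10000000     00000000
ntdll!LdrpUnloadDll+3ba     10000000     01c1fa28     01c1a32c
kernel32!FreeLibrary+15     10000000     00000000     009b07c8
isapi!ISAPI_DLL::Unload+38     009b07c8     696aa82d     009b07c8
"""
FRAME_RE = re.compile(r"^(?P<mod>[^!\s]+)!(?P<sym>\S+?)(?:\+[0-9a-fA-F]+)?\s+(?P<args>.*)$")
# Assumption: modules owned by Windows, the CRT and IIS; any other module is treated as the caller.
SYSTEM_MODULES = {"ntdll", "kernel32", "msvcrt", "isapi", "iisutil", "iiscore", "w3wphost", "w3tp"}
FREE_SYMBOLS = {"RtlFreeHeap", "HeapFree", "free"}
# Only the code the report itself names (!heap: "heap_failure_block_not_busy (8)").
HEAP_FAILURE_NAMES = {8: "heap_failure_block_not_busy"}

def parse_frames(text):
    # One dict per "module!symbol+off  arg1 arg2 arg3" line; the header carries no '!' and is skipped.
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append({"module": m.group("mod"), "symbol": m.group("sym"),
                           "args": m.group("args").split()})
    return frames

def triage(text):
    # Summarise why the heap manager raised exception c0000374 on this stack.
    frames = parse_frames(text)
    r = {"heap_failure": False, "failure_type": None, "failure_name": None,
         "free_caller": None, "in_dll_init_routine": False, "unloading": False}
    for i, f in enumerate(frames):
        if f["symbol"] == "RtlpLogHeapFailure" and f["args"]:
            r["heap_failure"] = True
            r["failure_type"] = int(f["args"][0], 16)  # assumption: Arg 1 is the failure code
            r["failure_name"] = HEAP_FAILURE_NAMES.get(r["failure_type"], "unknown")
        elif f["symbol"] in FREE_SYMBOLS and r["free_caller"] is None:
            # First frame below the free that is outside OS/CRT/IIS code is the real caller.
            for g in frames[i + 1:]:
                if g["module"] not in SYSTEM_MODULES:
                    r["free_caller"] = f"{g['module']}!{g['symbol']}"
                    break
        elif f["symbol"] == "LdrpCallInitRoutine":
            r["in_dll_init_routine"] = True  # free ran from DllMain (process/thread detach)
        elif f["symbol"] in {"LdrpUnloadDll", "LdrUnloadDll", "FreeLibrary"}:
            r["unloading"] = True  # ... while the module was being unloaded
    return r
```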
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun Nov 27 07:03:50 2022 UTC