PHP :: Bug #42809 :: zend_mm

Bug #42809

zend_mm_heap corrupted

Submitted:

2007-10-01 04:46 UTC

Modified:

2007-10-09 01:00 UTC

Votes:	9
Avg. Score:	4.6 ± 0.8
Reproduced:	8 of 8 (100.0%)
Same Version:	2 (25.0%)
Same OS:	4 (50.0%)

From:

apolinux at hotmail dot com

Assigned:

Status:

No Feedback

Package:

WDDX related

PHP Version:

5.2.4

OS:

Windows XP

Private report:

CVE-ID:

None

View Add Comment Developer Edit

[2007-10-01 04:46 UTC] apolinux at hotmail dot com

Description:
------------
I'm working with WDDX extension, used to make RPC between two computers, using classes to make wrapper. I have 3 basic scripts, one is the client, other is the server and other contains the classes that contains the scripts that interact with WDDX.
When I try to simulate the client and the server over the same machine, I get the error zend_mm_heap corrupted in apache. When I ran the scripts  in separate machines, it works OK.
I have PHP 5.2.4,  I had tried to run with PHP 5.2.3 but I got the same error. I have 
Apache/2.2.4 (Win32) mod_autoindex_color PHP/5.2.4. I try to run a debug with php, but I got it only with apache process.
the error in apache log is
[Sun Sep 30 11:20:52 2007] [notice] Child 3156: Starting thread to listen on port 80.
zend_mm_heap corrupted
Error in my_thread_global_end(): 51 threads didn't exit
[Sun Sep 30 19:08:19 2007] [notice] Parent: child process exited with status 1 -- Restarting.
[Sun Sep 30 19:08:38 2007] [notice] Apache/2.2.4 (Win32) mod_autoindex_color PHP/5.2.4 configured -- resuming normal operations

Reproduce code:
---------------
	function creaPaquete($datos)
		{
		$packet_id  = wddx_packet_start("Llamada Remota WDDX");
		if (is_array($datos)) { //verVar($datos);
			foreach($datos as $key => $data){
				  //create a var whith the name of the content of $key
				  $$key = $data;
				  wddx_add_vars($packet_id,$key);
				}
			}
		else {
			wddx_add_vars($packet_id, "datos");
			}
		
		$paquete = wddx_packet_end($packet_id);// verVar($paquete);
		$paquete = urlencode($paquete);
		return $paquete;
		}

Expected result:
----------------
this function packs the data to send over the network using CURL. The code is too large to include here, and I'm not have a web site permanently connected.


Actual result:
--------------
Thread 50 - System ID 1844
Entry point   msvcr71!_endthreadex+31 
Create time   30/09/2007 11:18:18 a.m. 
Time spent in user mode   0 Days 0:0:0.281 
Time spent in kernel mode   0 Days 0:0:0.93 






Function     Arg 1     Arg 2     Arg 3   Source 
php5ts!zend_mm_shutdown+116f     01b35228     000000d8     00825c3b    
php5ts!efree+39     03793678     03798138     00829e17    
php5ts!zval_ptr_dtor+4b     03798114     037981f8     03797fa0    
php5ts!zend_hash_destroy+27     03797fb8     03798204     00825c13    
php5ts!zval_dtor_func+59     03797fa0     00000000     00829e17    
php5ts!zval_ptr_dtor+23     03798204     03798228     03797f30    
php5ts!zend_hash_destroy+27     00000000     00000000     00000000    




PHP5TS!ZEND_MM_SHUTDOWN+116FWARNING - DebugDiag was not able to locate debug symbols for php5ts.dll, so the information below may be incomplete.



In apache__PID__2872__Date__09_30_2007__Time_11_20_47AM__453__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5ts!zend_mm_shutdown+116f in C:\xampp\apache\bin\php5ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x00000000 on thread 50

Module Information 
Image Name: C:\xampp\apache\bin\php5ts.dll   Symbol Type:  Export 
Base address: 0x00790000   Time Stamp:  Thu Aug 30 06:06:12 2007  
Checksum: 0x00000000   Comments:   
COM DLL: False   Company Name:  The PHP Group 
ISAPIExtension: False   File Description:  PHP Script Interpreter 
ISAPIFilter: False   File Version:  5.2.4.4 
Managed DLL: False   Internal Name:  php5ts.dll 
VB DLL: False   Legal Copyright:  Copyright ? 1997-2007 The PHP Group 
Loaded Image Name:  php5ts.dll   Legal Trademarks:  PHP 
Mapped Image Name:  C:\xampp\apache\bin\php5ts.dll   Original filename:  php5ts.dll 
Module name:  php5ts   Private Build:   
Single Threaded:  False   Product Name:  PHP Script Interpreter 
Module Size:  4,86 MBytes   Product Version:  5.2.4 
Symbol File Name:  php5ts.dll   Special Build:  & 





 Report for apache__PID__2584__Date__09_30_2007__Time_10_51_08AM__93__Second_Chance_Exception_C0000005.dmp

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-10-01 09:24 UTC] jani@php.net

Please provide a short but complete example script that can be used to reproduce this.

[2007-10-01 12:31 UTC] apolinux at hotmail dot com

<? 
if (file_exists("../config/config.php") ){
	include "../config/config.php";
	}
else {
	include "./config/config.php";
	}
ini_set('include_path', ini_get('include_path').";".$CONFIG_BASE['ruta_paginas']."/PEAR/");
require_once "PEAR.php";
require_once "DB.php";
require_once "operativolib.php";
require_once "granlavasecolib.php";
require_once "agenciaslib.php";

/*
CREACION DE LA CLASE SINCRONIZACION
contiene los metodos necesarios para comunicarse remotamente cliente a servidor
usa el protocolo de conexion WDDX

*/


class Sincronizacion extends Operativo {
	var $urlServidor = ''; 
	var $datos;
	var $peticion ;
	var $tabla;
	var $arrObj;
	function __construct($conex=NULL,$idAgenciaDest=NULL,$datos=NULL)
		{
		parent::__construct($conex);
		$agencia = new Agencias($conex);
		if ($this->idAgencia == $idAgenciaDest) {//no me conecto a la misma agencia
			die('No se puede conectar a la misma agencia.');
			}
		if (empty($idAgenciaDest) && $datos['equipo'] != EQUIPO_SERVIDOR) {
			$this->lanzarErr('El URL de la Agencia esta vacio.<br />');
			return false;
			}
		$this->urlServidor = $agencia->datos($idAgenciaDest)->URL.'/servidorWDDX.php'; 
		if (!empty($datos)) {
			$this->asignaDatos($datos);
			}
		return true;
		}
	function asignaDatos($datos){
		$this->datos = $datos;
		$this->peticion = $this->datos['peticion'];
		$this->tabla = $this->datos['tabla'];
		}
	/* 
	funcion creaPaquete
	Empaqueta los datos en el formato WDDX
	listo para enviar 
	*/
	function creaPaquete($datos)
		{
		$packet_id  = wddx_packet_start("Llamada Remota WDDX");
		if (is_array($datos)) { //verVar($datos);
			foreach($datos as $key => $data){
				  //create a var whith the name of the content of $key
				  $$key = $data;
				  wddx_add_vars($packet_id,$key);
				}
			}
		else {
			wddx_add_vars($packet_id, "datos");
			}
		
		$paquete = wddx_packet_end($packet_id);// verVar($paquete);
		$paquete = urlencode($paquete);
		return $paquete;
		}
	
	function enviaPaquete($paqueteSerializado)
		{
		$ch = curl_init(); 
		curl_setopt ($ch, CURLOPT_URL, "$this->urlServidor"); 
		curl_setopt ($ch, CURLOPT_HEADER, 0);
		curl_setopt ($ch, CURLOPT_POSTFIELDS, $paqueteSerializado);
		curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
		if (! $resul = curl_exec ($ch)){
			$this->lanzarErr("Error al comunicarse con '$this->urlServidor'");
			return false;
			}// verlog($resul);
		curl_close ($ch);		
		return $resul;
		}
	
	function analizaPaquete($paquete)
		{
		if (empty($paquete)) {
			return '';
			}
		$paquete= urldecode($paquete); //verlog($paquete);
		//preg_match("/(<\/wddxPacket>)/s", $paquete, $m);
		//$paquete=$m[0]; //error_log(print_r($m,TRUE),0);//verVar($m);verVar($paquete);
		$parsed_packet = wddx_deserialize($paquete);// verlog($parsed_packet);
		return $parsed_packet;
		}
	
	public static function recibePaquete()
		{
		$fp = fopen("php://input", "r");
		$paqueteRecibido = '';
		while(!feof( $fp ))$paqueteRecibido.=fgets( $fp );
		fclose($fp);
		
		return $paqueteRecibido;
		}
	/*
	funcion enviarDatosRemoto
	envia los datos en formato wddx al servidor
	,recibe una respuesta y la devuelve
	*/
	public function enviarDatosRemoto()//$arrVariables)
		{
		//verificar si se envian o se reciben datos
		if (empty($this->datos) ){
			die('No hay datos para enviar.');
			}
		if ($this->datos['peticion'] == ENVIAR_DATOS) { //realiza la consulta
			$this->error = false;
			$this->datos['arrObj'] = $this->consultaBD();// verVar($this->datos['arrObj']);
			if ($this->error){
				return false;
				} //verVar($this->datos['arrObj']);
			} //verlog($this->datos);	
		//crear paquete
		$paquete = $this->creaPaquete($this->datos); 
		//enviar paquete remotamente
		$respuesta = $this->enviaPaquete($paquete); //echo "resp=$respuesta,"; print_r($this->analizapaquete($respuesta)); echo ", error: '$this->error'";echo "<br />"; 	
		if ($this->error) { 		
			return $this->msg;
			}
		//analizar paquete
		$paqueteRecibido = $this->analizaPaquete($respuesta); //print_r($paqueteRecibido);
		if (empty($paqueteRecibido)) {
			$this->lanzarErr("La respuesta del servidor '$this->urlServidor' es vacia. Por favor verifique su configuracion");
			return false;
			}
		if ($paqueteRecibido['error'] == 1){
			$this->lanzarErr($paqueteRecibido['respuesta'],$paqueteRecibido['codError']);
			return false;
			}
		return $paqueteRecibido['respuesta'];//en crea paquete se define datos
		}
	public function recibeDatosRemoto()
		{
		$paquete = $this->recibePaquete(); //verlog($paquete);
		$consulta = $this->analizaPaquete($paquete); //verLog($consulta);
		if (empty($consulta) ){
			$arrResp = array('respuesta' => 'consulta vacia.','error' => 1);
			}
		else {
			$peticion = $consulta['peticion'];
			$this->tabla = $consulta['tabla'];
			if ($peticion == SOLICITAR_DATOS) {
				$datos = $this->consultaBD();
				}
			else { //enviar DATOS
				$datos = $this->insertaBD($consulta['arrObj']);
				}
			if (!$datos) {
				$datos = $this->msg;
				}
			$arrResp = array('respuesta' => $datos , 'error' => $this->error,'codError' => $this->codError);
			}
		$respuesta = $this->creaPaquete($arrResp); //verLog(print_r($arrResp));
		return $respuesta;
		} 
	function consultaBD()
		{//verVar($this) ; exit;
		switch ($this->tabla){
			case T_ORDENES: 
			$sql = "SELECT * FROM ordenes"; 	break;
			case T_PRENDAS:
			$sql = "SELECT * FROM prendas"; 	break;
			case T_CLIENTES:
			$sql = "SELECT * FROM clientes"; 	break;
			case T_OPERARIOS:
			$sql = "SELECT * FROM operarios"; 	break;
			case T_AGENCIAS:
			$sql = "SELECT * FROM agencias";	break;
			}//verlog("$this->tabla,$sql");
		$datos =& $this->conex->getAssoc($sql,false, array(), DB_FETCHMODE_OBJECT); //verlog(print_r($datos,1));
		if (PEAR::isError($datos)){
			$this->lanzarErr($datos->getUserInfo());
			//return $datos->getUserInfo();
			return false;
			}
		//verlog($datos);	
		return $datos;
		}
	/*
	funcion
	realiza la consulta de agregacion
	*/
	function insertaBD($datos)
		{//verlog($datos);
		if (empty($datos)) {
			$this->lanzarErr('Los datos para insercion son vacios.');
			return false;
			}
		switch($this->tabla){
			case T_ORDENES: 	$tabla = 'ordenes'; 	break;
			case T_PRENDAS: 	$tabla = 'prendas'; 	break;
			case T_CLIENTES: 	$tabla = 'clientes'; 	break;
			case T_OPERARIOS: 	$tabla = 'operarios';	break;
			case T_AGENCIAS: 	$tabla = 'agencias'; 	break;
			default: 			$this->lanzarErr('La tabla no existe');
				return false;;
			}
		$contExt = 0;
		$sql = 0;
		foreach ($datos as $reg) { //recorre un array de objetos
			$cont = 0;
			$cadValores = '';
			$cadCampos = '';
			foreach($reg as $nombre => $valor) { //ciclo a traves de la clase
				if ($cont == 0){
					$coma = '';
					$cont = 1;
					}
				else {
					$coma = ',';
					}
				$cadCampos .= "$coma $nombre";
				$cadValores .= "$coma '$valor'";
				}
			if ($contExt == 0 ){
				$sql = "INSERT INTO $tabla ($cadCampos)\nVALUES ($cadValores)\n"; 
				$contExt = 1;
				}
			else $sql .= ",($cadValores)\n";
			}
		$db = $this->conex;
		$res = $db->query($sql);
		if (PEAR::isError($res)){
			if ($res->getCode() == -5 ) { //registros duplicados
				$this->lanzarErr("Existen registros duplicados en $tabla.",-5); //verlog("tabla=$this->msg ");
				return false;
				}
			else {
				//die($res->getUserInfo());
				return $res->getUserInfo();
				}
			}
		$numModif = $db->affectedRows();
		$this->msg = "Se insertaron $numModif registros en $tabla";
		return $this->msg;
		}
	function sincronizarTodo(){
		$arrTablas1 = array(
				'ordenes'=>T_ORDENES, 
				'prendas'	=> T_PRENDAS, 
				'clientes'	=> T_CLIENTES,
				'operarios' => T_OPERARIOS, 
				'agencias'	=> T_AGENCIAS);
		$arrTablas2 = array(
			'operarios'	=> T_OPERARIOS,
			'agencias' => T_AGENCIAS);
		if (strtolower($this->idAgencia) == EQUIPO_PRINCIPAL){ //esta agencia=principal, recibe arrtablas1,envia arrtablas2
			$arrTablasPeticion = $arrTablas1;
			$arrTablasEnvio = $arrTablas2;
			}
		else {
			$arrTablasPeticion = $arrTablas2;
			$arrTablasEnvio = $arrTablas1;			
			}
		foreach($arrTablasPeticion as $nombre => $codTabla) {
			$datos = array('peticion'=>SOLICITAR_DATOS,'tabla'=> $codTabla ,'arrObj'=>'');
			$this->asignaDatos($datos);
			$cad .= nl2br("Solicitando la informacion de $nombre...\n");
			$this->error = false;
			$resul = $this->enviarDatosRemoto(); //echo "aqui: $nombre, $codTabla.<br />"; //verVar($resul);//$datos);
			if ($this->error  ){
				$cad .= "<br />$this->msg";
				break;
				}
			$cad .= nl2br("Agregando la informacion de $nombre en mi BD...\n"); //verVar($resul); exit;
			$this->error = false;
			$resul2 = $this->insertaBD($resul); //verlog($resul); 
			$cad .= "$this->msg";
			if ($this->error  and $this->codError != ERR_REGISTROS_DUPLICADOS){
				break;
				}
			$cad .= "$resul2<br />";
			} 
		$cad .= "<br />";
		if (!$this->error or ($this->error and $this->codError == ERR_REGISTROS_DUPLICADOS) and 1 ) {
			foreach($arrTablasEnvio as $nombre => $codTabla) { 
				$datos = array('peticion' => ENVIAR_DATOS, 'tabla' => $codTabla);
				$this->asignaDatos($datos);
				$cad .=  "Enviar datos de tabla $nombre ...<br />";
				$this->error = false; //echo "tabla=$codTabla ";
				$resul = $this->enviarDatosRemoto(); 
				$cad .= $this->msg; //verVar($this);
				if ($this->error == TRUE and $this->codError != ERR_REGISTROS_DUPLICADOS){
					//$cad .= "<br />$this->msg";						
					break;
					}					
				$cad .= "$resul<br />"; //break; 
				}
			}
//			}
		$this->msg = $cad; //$this->msg."<br />$cad";
		if ($this->error){
			return false;
			}
		
		return true;
		}
	}
?>
/* i'm calling first to sincronizarTodo() */

[2007-10-01 15:42 UTC] jani@php.net

Can you please try and cut it down a few dozen lines? Short script is around 10-20 lines long..

[2007-10-01 16:22 UTC] apolinux at hotmail dot com

sorry, but I can't cut part of this code, because It doesn't works properly. May be the problem is when I try to make the call with WDDX locally, remotely instead.

[2007-10-01 20:31 UTC] jani@php.net

We can't really help with this as long as you can't provide a short script that we can actually run. The one you have posted here is a) too long b) is not self-contained (it includes several other files..)

So, if you want this bug to get fixed you need to do some hard work and cut down the code to whatever makes the bug appear. Hint: start by cutting all irrelevant parts out, like comments, classes, include/require lines, error checks, etc.

[2007-10-09 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2023 The PHP Group All rights reserved.	Last updated: Sun Jun 04 04:05:52 2023 UTC