PHP :: Bug #53012 :: On shared module unload: Unloading DLL containing an active critical section.

Bug #53012

On shared module unload: Unloading DLL containing an active critical section.

Submitted:

2010-10-07 16:06 UTC

Modified:

2021-07-21 16:25 UTC

Votes:	2
Avg. Score:	5.0 ± 0.0
Reproduced:	2 of 2 (100.0%)
Same Version:	1 (50.0%)
Same OS:	2 (100.0%)

From:

cataphract@php.net

Assigned:

Status:

Suspended

Package:

Scripting Engine problem

PHP Version:

trunk-SVN-2010-10-07 (SVN)

OS:

Vista amd64

Private report:

CVE-ID:

None

View Developer Edit

[2010-10-07 16:06 UTC] cataphract@php.net

Description:
------------
When running PHP with App verifier, there's an exception on module unload.

Test script:
---------------
This happens with an empty script

Expected result:
----------------
No exception.

Actual result:
--------------
CommandLine: C:\Users\Cataphract\Documents\SDK\php54dev\vc9\x86\php54-trunk\Debug_TS\php.exe
Symbol search path is: SRV*C:\Users\Cataphract\AppData\Local\SYMBOLS*http://msdl.microsoft.com/download/symbols
Executable search path is: 
ModLoad: 00000000`00400000 00000000`00421000   php.exe 
ModLoad: 00000000`77950000 00000000`77ad6000   ntdll.dll
ModLoad: 00000000`77b10000 00000000`77c70000   ntdll32.dll
ModLoad: 00000000`75260000 00000000`752a5000   C:\Windows\system32\wow64.dll
ModLoad: 00000000`75210000 00000000`7525e000   C:\Windows\system32\wow64win.dll
ModLoad: 00000000`753e0000 00000000`753e9000   C:\Windows\system32\wow64cpu.dll
(2e40.3150): Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
00000000`77996060 cc              int     3
0:000> g
ModLoad: 00000000`77320000 00000000`7744d000   WOW64_IMAGE_SECTION
ModLoad: 00000000`76a40000 00000000`76b50000   WOW64_IMAGE_SECTION
ModLoad: 00000000`77320000 00000000`7744d000   NOT_AN_IMAGE
ModLoad: 00000000`77250000 00000000`7731d000   NOT_AN_IMAGE
ModLoad: 00000000`71ab0000 00000000`71ae1000   C:\Windows\syswow64\verifier.dll
Page heap: pid 0x2E40: page heap enabled with flags 0x3.
AVRF: php.exe: pid 0x2E40: flags 0x80C43027: application verifier enabled
ModLoad: 00000000`72130000 00000000`72159000   C:\Windows\SysWOW64\vrfcore.dll
ModLoad: 00000000`71900000 00000000`71951000   C:\Windows\SysWOW64\vfbasics.dll
ModLoad: 00000000`76a40000 00000000`76b50000   C:\Windows\syswow64\kernel32.dll
ModLoad: 00000000`10000000 00000000`106b9000   C:\Users\Cataphract\Documents\SDK\php54dev\vc9\x86\php54-trunk\Debug_TS\php5ts_debug.dll
ModLoad: 00000000`76f20000 00000000`77065000   C:\Windows\syswow64\ole32.dll
ModLoad: 00000000`77140000 00000000`771ea000   C:\Windows\syswow64\msvcrt.dll
ModLoad: 00000000`76b50000 00000000`76be0000   C:\Windows\syswow64\GDI32.dll
ModLoad: 00000000`75630000 00000000`75700000   C:\Windows\syswow64\USER32.dll
ModLoad: 00000000`77070000 00000000`77136000   C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 00000000`76e00000 00000000`76ef0000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 00000000`755a0000 00000000`75600000   C:\Windows\syswow64\Secur32.dll
ModLoad: 00000000`76ef0000 00000000`76f1d000   C:\Windows\syswow64\WS2_32.dll
ModLoad: 00000000`77ae0000 00000000`77ae6000   C:\Windows\syswow64\NSI.dll
ModLoad: 00000000`74ce0000 00000000`74d0c000   C:\Windows\SysWOW64\DNSAPI.dll
ModLoad: 00000000`71980000 00000000`71aa4000   C:\Windows\WinSxS\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.4148_none_2a4cbfc25558bcd3\MSVCR90D.dll
(2e40.3150): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!DbgBreakPoint:
77b20004 cc              int     3
0:000:x86> g
ModLoad: 771f0000 77250000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 75ba0000 75c68000   C:\Windows\syswow64\MSCTF.dll
ModLoad: 76df0000 76df9000   C:\Windows\syswow64\LPK.DLL
ModLoad: 75eb0000 75f2d000   C:\Windows\syswow64\USP10.dll
ModLoad: 751d0000 7520b000   C:\Windows\SysWOW64\rsaenh.dll
ModLoad: 74d70000 74d8e000   C:\Windows\SysWOW64\USERENV.dll
ModLoad: 01d30000 01d96000   C:\Users\Cataphract\Documents\SDK\php54dev\vc9\x86\php54-trunk\Debug_TS\php_intl.dll
ModLoad: 4a800000 4a925000   C:\Users\Cataphract\Documents\SDK\php54dev\vc9\x86\php54-trunk\Debug_TS\icuuc42.dll
ModLoad: 4ad00000 4bc48000   C:\Users\Cataphract\Documents\SDK\php54dev\vc9\x86\php54-trunk\Debug_TS\icudt42.dll
ModLoad: 71350000 713f3000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4974_none_50940634bcb759cb\MSVCR90.dll
ModLoad: 712c0000 7134e000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4974_none_50940634bcb759cb\MSVCP90.dll
ModLoad: 06c10000 06d69000   C:\Users\Cataphract\Documents\SDK\php54dev\vc9\x86\php54-trunk\Debug_TS\icuin42.dll


=======================================
VERIFIER STOP 00000201: pid 0x2E40: Unloading DLL containing an active critical section. 

	4A91D150 : Critical section address.
	00C418C0 : Critical section initialization stack trace.
	04F56FE8 : DLL name address.
	4A800000 : DLL base address.


=======================================
This verifier stop is continuable.
After debugging it use `go' to continue.

=======================================

(2e40.3150): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
vrfcore!VerifierStopMessageEx+0x4ca:
72133b61 cc              int     3
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\Cataphract\Documents\SDK\php54dev\vc9\x86\php54-trunk\Debug_TS\icuuc42.dll - 
APPLICATION_VERIFIER_LOCKS_LOCK_IN_UNLOADED_DLL (201)
Unloading DLL containing an active critical section.
This stop is generated if a DLL has a global variable containing a critical section
and the DLL is unloaded but the critical section has not been deleted. To debug
this stop use the following debugger commands:
$ du parameter3 - to dump the name of the culprit DLL.
$ .reload dllname or .reload dllname = parameter4 - to reload the symbols for that DLL.
$ !cs -s parameter1 - dump information about this critical section.
$ ln parameter1 - to show symbols near the address of the critical section.
This should help identify the leaked critical section.
$ dps parameter2 - to dump the stack trace for this critical section initialization. 
Arguments:
Arg1: 04f56fe800c418c0, Critical section address. 
Arg2: 000000004a800000, Critical section initialization stack trace. 
Arg3: 0000000000000000, DLL name address. 
Arg4: 0000000000000000, DLL base address. 

FAULTING_IP: 
vrfcore!VerifierStopMessageEx+4ca [d:\avrf\source\base\avrf\avrf30\vrfcore\sdk.cpp @ 549]
72133b61 cc              int     3

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0000000072133b61 (vrfcore!VerifierStopMessageEx+0x00000000000004ca)
   ExceptionCode: 4000001f (WOW64 breakpoint)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 0000000000000000

FAULTING_THREAD:  0000000000003150

PROCESS_NAME:  php.exe

ERROR_CODE: (NTSTATUS) 0x4000001f - Exception status code used by Win32 x86 emulation subsystem.

EXCEPTION_CODE: (Win32) 0x4000001f (1073741855) - <Unable to get error code text>

EXCEPTION_PARAMETER1:  0000000000000000

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

CRITICAL_SECTION:  04f56fe800c418c0 -- (!cs -s 04f56fe800c418c0)

DEFAULT_BUCKET_ID:  VERIFIER_STOP_00000201

PRIMARY_PROBLEM_CLASS:  VERIFIER_STOP_00000201

BUGCHECK_STR:  APPLICATION_FAULT_VERIFIER_STOP_00000201_VERIFIER_STOP_00000201

LAST_CONTROL_TRANSFER:  from 000000007190cb39 to 0000000072133b61

STACK_TEXT:  
00c2f468 7190cb39 7191b0c8 00000201 4a91d150 vrfcore!VerifierStopMessageEx+0x4ca [d:\avrf\source\base\avrf\avrf30\vrfcore\sdk.cpp @ 549]
00c2f49c 71906f60 00000002 4a800000 00125000 vfbasics!AVrfpFreeMemLockChecks+0xd0 [d:\avrf\source\base\avrf\vrfcommon\critsect.c @ 1086]
00c2f4c0 7190fb9e 00000002 4a800000 00125000 vfbasics!AVrfpFreeMemNotify+0x2b [d:\avrf\source\base\avrf\vrfcommon\support.c @ 1489]
00c2f4ec 77b86a68 04f56fe8 4a800000 00125000 vfbasics!AVrfpDllUnloadCallback+0x1a [d:\avrf\source\base\avrf\vrfcommon\dlls.c @ 514]
00c2f510 77b64f3e 05b04f98 4a3b9f11 01d30000 ntdll32!AVrfDllUnloadNotification+0x7c
00c2f5b4 77b42deb 01d30000 00c2f5d8 4a3b9f5d ntdll32!LdrpUnloadDll+0x225
00c2f5f8 7190fb79 01d30000 00c2f700 00c2f628 ntdll32!LdrUnloadDll+0x46
00c2f60c 76a523c1 04f6bfe0 7efde000 00c2f700 vfbasics!AVrfpLdrUnloadDll+0x5d [d:\avrf\source\base\avrf\vrfcommon\dlls.c @ 1374]
00c2f61c 101f21e4 01d30000 00c2f7f4 00c2f70c kernel32!FreeLibrary+0x76
00c2f700 1030205c 06bc6fa0 00c2f8e0 00c2f8ec php5ts_debug!module_destructor+0xf4 [c:\users\cataphract\documents\sdk\php54dev\vc9\x86\php54-trunk\zend\zend_api.c @ 2247]
00c2f7f4 10302224 10686040 06bc4fd0 00c2f9b8 php5ts_debug!zend_hash_apply_deleter+0x12c [c:\users\cataphract\documents\sdk\php54dev\vc9\x86\php54-trunk\zend\zend_hash.c @ 634]
00c2f8e0 101efe1c 10686040 00c2fa8c 00c2fa98 php5ts_debug!zend_hash_graceful_reverse_destroy+0x54 [c:\users\cataphract\documents\sdk\php54dev\vc9\x86\php54-trunk\zend\zend_hash.c @ 671]
00c2f9b8 101e4a49 00c2fb70 00c2fa98 7efde000 php5ts_debug!zend_destroy_modules+0x5c [c:\users\cataphract\documents\sdk\php54dev\vc9\x86\php54-trunk\zend\zend_api.c @ 1782]
00c2fa8c 10376cc6 0566afe8 00c2fb78 00c2fb7c php5ts_debug!zend_shutdown+0x49 [c:\users\cataphract\documents\sdk\php54dev\vc9\x86\php54-trunk\zend\zend.c @ 783]
00c2fb70 00413d4a 0566afe8 00000000 00000000 php5ts_debug!php_module_shutdown+0x66 [c:\users\cataphract\documents\sdk\php54dev\vc9\x86\php54-trunk\main\main.c @ 2202]
00c2ff30 00416258 00000001 05662fa0 055e8f10 php!main+0x1e7a [c:\users\cataphract\documents\sdk\php54dev\vc9\x86\php54-trunk\sapi\cli\php_cli.c @ 1452]
00c2ff80 0041609f 00c2ff94 76aceccb 7efde000 php!__tmainCRTStartup+0x1a8 [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 586]
00c2ff88 76aceccb 7efde000 00c2ffd4 77b8d24d php!mainCRTStartup+0xf [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 403]
00c2ff94 77b8d24d 7efde000 4a3b9571 00000000 kernel32!BaseThreadInitThunk+0xe
00c2ffd4 77b8d45f 0041123f 7efde000 00000000 ntdll32!__RtlUserThreadStart+0x23
00c2ffec 00000000 0041123f 7efde000 00000000 ntdll32!_RtlUserThreadStart+0x1b


FOLLOWUP_IP: 
ntdll32!AVrfDllUnloadNotification+7c
77b86a68 3bf3            cmp     esi,ebx

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  ntdll32!AVrfDllUnloadNotification+7c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ntdll32

IMAGE_NAME:  ntdll32.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  49e03824

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  VERIFIER_STOP_00000201_4000001f_ntdll32.dll!AVrfDllUnloadNotification

BUCKET_ID:  X64_APPLICATION_FAULT_VERIFIER_STOP_00000201_VERIFIER_STOP_00000201_ntdll32!AVrfDllUnloadNotification+7c

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/php_exe/5_3_99_0/4cadd28a/vrfcore_dll/4_0_917_0/4a3653db/4000001f/00003b61.htm?Retriage=1

Followup: MachineOwner
---------

0:000:x86> !cs -s 04f56fe800c418c0
Cannot read DebugInfo adddress at 0x04f56fe800c418c0. Possible causes:
	- The critical section is not initialized, deleted or corrupted
	- The critical section was a global variable in a DLL that was unloaded
	- The memory is paged out
Cannot read structure field value at 0x04f56fe800c418c4, error 0
Cannot determine if the critical section is locked or not.
-----------------------------------------
Critical section   = 0x04f56fe800c418c0 (+0x4F56FE800C418C0)
DebugInfo          = 0x0000000000c418c0
No stack trace found.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-02-26 17:21 UTC] cmb@php.net

-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb

[2021-02-26 17:21 UTC] cmb@php.net

I cannot reproduce this wrt. intl (may have been fixed in the
meantime), but for sodium and enchant.  I checked sodium more
closely, and found that the message is triggered due to a missing
DeleteCriticalSection() call in libsodium.  So this would be an
upstream issue.  However, not calling DeleteCriticalSection() is
not really an issue per se, so it may be hard to convince upstream
maintainers to cater to that.

Enchant doesn't directly deal with CRITICAL_SECTIONs, so this
would be a glib issue.  I haven't investigated closer on that,
though.

Anyhow, not having this fixed would make it hard to actually run
the PHP test suite or doing development/debugging with AppVerifier
enabled, if these extensions are loaded, although it might make
sense to do so.

[2021-05-11 15:16 UTC] cmb@php.net

I just submitted a PR against libsodium:
<https://github.com/jedisct1/libsodium/pull/1055>

[2021-05-25 13:48 UTC] cmb@php.net

<https://github.com/jedisct1/libsodium/pull/1058> has been merged,
so there's now only the enchant issue.

[2021-05-25 15:26 UTC] cmb@php.net

The enchant issue is actually a glib issue.  After applying


 glib/gthread-win32.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/glib/gthread-win32.c b/glib/gthread-win32.c
index 938ed5f..9c3dc6a 100644
--- a/glib/gthread-win32.c
+++ b/glib/gthread-win32.c
@@ -1103,6 +1103,7 @@ g_thread_win32_process_detach (void)
       SetThreadName_VEH_handle = NULL;
     }
 #endif
+  DeleteCriticalSection (&g_private_lock);
 }
 
 /* vim:set foldmethod=marker: */


the critical section issue is gone, but instead


VERIFIER STOP 0000000000000350: pid 0x421C: Unloading DLL that allocated TLS index that was not freed. 

	000000000016ABBA : TLS index
	000001D55627BE4C : Address of the code that allocated this TLS index.
	000001D555504FE0 : DLL name address. Use du to dump it.
	000001D5561E0000 : DLL base address.


is reported for glib-2.dll.  I'll dig deeper.

[2021-06-02 14:42 UTC] cmb@php.net

To fix the TLS issue as well, we'd need to apply something like
the following on top of glib 2.53.3:


 glib/gthread-win32.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/glib/gthread-win32.c b/glib/gthread-win32.c
index 938ed5f..2b9381b 100644
--- a/glib/gthread-win32.c
+++ b/glib/gthread-win32.c
@@ -1096,6 +1096,7 @@ g_thread_win32_thread_detach (void)
 void
 g_thread_win32_process_detach (void)
 {
+  GPrivateDestructor *dtor;
 #ifndef _MSC_VER
   if (SetThreadName_VEH_handle != NULL)
     {
@@ -1103,6 +1104,11 @@ g_thread_win32_process_detach (void)
       SetThreadName_VEH_handle = NULL;
     }
 #endif
+  DeleteCriticalSection (&g_private_lock);
+  for (dtor = g_private_destructors; dtor; dtor = dtor->next)
+    {
+      TlsFree (dtor->index);
+    }
 }
 
 /* vim:set foldmethod=marker: */


I'm not sure though, whether this is still relevant for latest
glib (2.68.2); would need to build that to check.

[2021-07-21 16:25 UTC] cmb@php.net

-Status: Verified +Status: Suspended -Assigned To: cmb +Assigned To:

[2021-07-21 16:25 UTC] cmb@php.net

> […]; would need to build that to check.

But failed to.  They switched to meson some while ago, and
apparently that doesn't work well with our glib dependencies.

Since we have to wait for a new libsodium release anyway, I
suspend this ticket for the time being.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Jul 08 10:01:33 2025 UTC