Bug #53837 Gettext extension crashes PHP/Apache
Submitted: 2011-01-25 18:49 UTC Modified: 2011-07-18 12:34 UTC
From: elacunza at binovo dot es Assigned: pajoye
Status: Closed Package: Gettext related
PHP Version: 5.3.5 OS: Windows
Private report: No CVE-ID:
 [2011-01-25 18:49 UTC] elacunza at binovo dot es
Description:
------------
We have an application working just fine on Windows 2008 + Apache 2.2.17 + PHP 5.2.17.

We updated to 5.3.5 and found repeatable PHP crashes, from within Apache and also from command line.

It is repeatable, but not always (it crashes about 9 of 10 runs). Server is virtualized as guest in a KVM host (debian lenny).


Test script:
---------------
<?php
$a = _('Albaran');
?>


Expected result:
----------------
I expected a clean end of php, with no output.

Actual result:
--------------
php__PID__4900__Date__01_25_2011__Time_06_33_38PM__118__Second_Chance_Exception_C0000005.dmp
Type of Analysis Performed   Crash Analysis 
Machine Name   WIN2008 
Operating System   Windows Vista Service Pack 2 
Number Of Processors   2 
Process ID   4900 
Process Image   c:\php535\php.exe 
System Up-Time   1 day(s) 06:38:51 
Process Up-Time   00:00:01 


Thread 0 - System ID 380
Entry point   php!mainCRTStartup 
Create time   25/01/2011 18:33:37 
Time spent in user mode   0 Days 0:0:0.140 
Time spent in kernel mode   0 Days 0:0:0.328 

Function     Arg 1     Arg 2     Arg 3   Source 
ntdll!RtlpCoalesceFreeBlocks+35     00090000     00178490     00c0f958    
ntdll!RtlpFreeHeap+1e2     00178490     00178498     00178498    
ntdll!RtlFreeHeap+14e     00090000     00000000     00178490    
kernel32!HeapFree+14     00090000     00000000     00178498    
msvcrt!free+cd     00178498     455f7365     6f6d4053    
php_gettext!libintl_dcigettext+2df     00177674     0290f0d0     00000000    
php_gettext!libintl_dcgettext+1a     00000000     0290f0d0     000006c1    
php_gettext!libintl_gettext+11     0290f0d0     00092640     030e9dc0    
php_gettext!zif_gettext+65     0290f0d0     030e06b0     00000000    
php5ts!zend_do_fcall_common_helper_SPEC+94e     00000000     02940550     00092640    
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+130     00c0fbd4     00092640     00c0fe70    
php5ts!execute+2fe     02940550     00092600     00000000    
php5ts!zend_execute_scripts+f6     00000008     00092640     00000000    
php5ts!php_execute_script+245     00c0fe70     00092640     00000000    
php!main+bf1     00000002     000925c8     000915a8    
php!mainCRTStartup+e3     7ffdb000     00c0ffd4     776219bb    
kernel32!BaseThreadInitThunk+e     7ffdb000     7139d704     00000000    
ntdll!__RtlUserThreadStart+23     00402d78     7ffdb000     ffffffff    
ntdll!_RtlUserThreadStart+1b     00402d78     7ffdb000     00000000    

NTDLL!RTLPCOALESCEFREEBLOCKS+35 

Detailed Info For Corrupt Heap
Heap 1 - 0x00180000 
Heap Name   Default process heap 
Heap Description   This heap is created by default and shared by all modules in the process 
Reserved memory   5.244.720,03 TBytes 
Committed memory   2.097.264,00 TBytes (39,99% of reserved)  
Uncommitted memory   3.147.456,03 TBytes (60,01% of reserved)  
Number of heap segments   1 segments 
Number of uncommitted ranges   996432412722 range(s) 
Size of largest uncommitted range   29.440,41 TBytes 
Calculated heap fragmentation   99,06% 

Segment Information
Base Address Reserved Size Committed Size Uncommitted Size Number of uncommitted ranges Largest uncommitted block Calculated heap fragmentation 
0x1f92dd0d 105.908.016,03 TBytes 52.428.912,00 TBytes 53.479.104,03 TBytes 996432412722 29.440,41 TBytes 99,94% 

In php__PID__4900__Date__01_25_2011__Time_06_33_38PM__118__Second_Chance_Exception_C0000005.dmp the assembly instruction at ntdll!RtlpCoalesceFreeBlocks+35 in C:\Windows\System32\ntdll.dll from Microsoft Corporation has caused an access violation exception (0xC0000005) when trying to read from memory location 0x0010ff3a on thread 0

Heap corruption was detected in heap 0x00180000, however pageheap was not enabled in this dump. Please follow the instructions in the recommendation section for troubleshooting heap corruption issues.

Current NTGlobalFlags value: 0x0 Module Information 
Image Name: C:\Windows\System32\ntdll.dll   Symbol Type:  PDB 
Base address: 0x775e0000   Time Stamp:  Sat Apr 11 08:26:41 2009  
Checksum: 0x0012c163   Comments:   
COM DLL: False   Company Name:  Microsoft Corporation 
ISAPIExtension: False   File Description:  NT Layer DLL 
ISAPIFilter: False   File Version:  6.0.6002.18005 (lh_sp2rtm.090410-1830) 
Managed DLL: False   Internal Name:  ntdll.dll 
VB DLL: False   Legal Copyright:  © Microsoft Corporation. All rights reserved. 
Loaded Image Name:  ntdll.dll   Legal Trademarks:   
Mapped Image Name:     Original filename:  ntdll.dll 
Module name:  ntdll   Private Build:   
Single Threaded:  False   Product Name:  Microsoft® Windows® Operating System 
Module Size:  1,15 MBytes   Product Version:  6.0.6002.18005 
Symbol File Name:  c:\symcache\ntdll.pdb\2A581B1A8A244C51992668A826BF4FBB2\ntdll.pdb   Special Build:  & 
 [2011-01-25 19:22 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2011-01-25 19:22 UTC] pajoye@php.net
Which version/build do you use? VC9 or VC6? If VC6 please try using VC9. It should 
work in the CLI too. Btw, does it happen in CLI too?
 [2011-01-26 12:27 UTC] elacunza at binovo dot es
-Status: Feedback +Status: Open
 [2011-01-26 12:27 UTC] elacunza at binovo dot es
VC6 thread safe version due to Apache. The backtrace has been generated from CLI using VC6 ts.

I just tested the script with VC9 on the cli ts and it also crashes. Backtrace for VC9:


Report for php__PID__1636__Date__01_25_2011__Time_06_32_55PM__913__Second_Chance_Exception_C0000005.dmp
Type of Analysis Performed   Crash Analysis
Machine Name   WIN2008
Operating System   Windows Vista Service Pack 2
Number Of Processors   2
Process ID   1636
Process Image   c:\php535\php.exe
System Up-Time   1 day(s) 06:38:08
Process Up-Time   00:00:01

Thread 0 - System ID 4124
Entry point   php!mainCRTStartup
Create time   25/01/2011 18:32:55
Time spent in user mode   0 Days 0:0:0.93
Time spent in kernel mode   0 Days 0:0:0.406

Function     Arg 1     Arg 2     Arg 3   Source
ntdll!RtlpCoalesceFreeBlocks+35     00320000     002c8490     00c0f958
ntdll!RtlpFreeHeap+1e2     002c8490     002c8498     002c8498
ntdll!RtlFreeHeap+14e     00320000     00000000     002c8490
kernel32!HeapFree+14     00320000     00000000     002c8498
msvcrt!free+cd     002c8498     455f7365     6f6d4053
php_gettext!libintl_dcigettext+2df     002c7674     02a0f400     00000000
php_gettext!libintl_dcgettext+1a     00000000     02a0f400     000006c1
php_gettext!libintl_gettext+11     02a0f400     00322640     031ea0b0
php_gettext!zif_gettext+65     02a0f400     031e09a0     00000000
php5ts!zend_do_fcall_common_helper_SPEC+94e     00000000     02a405e8     00322640
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+130     00c0fbd4     00322640     00c0fe70
php5ts!execute+2fe     02a405e8     00322600     00000000
php5ts!zend_execute_scripts+f6     00000008     00322640     00000000
php5ts!php_execute_script+245     00c0fe70     00322640     00000000
php!main+bf1     00000002     003225c8     003215a8
php!mainCRTStartup+e3     7ffd5000     00c0ffd4     776219bb
kernel32!BaseThreadInitThunk+e     7ffd5000     71387a67     00000000
ntdll!__RtlUserThreadStart+23     00402d78     7ffd5000     ffffffff
ntdll!_RtlUserThreadStart+1b     00402d78     7ffd5000     00000000

NTDLL!RTLPCOALESCEFREEBLOCKS+35

Detailed Info For Corrupt Heap
Heap 1 - 0x000f0000
Heap Name   Default process heap
Heap Description   This heap is created by default and shared by all modules in the process
Reserved memory   1.050.192,03 TBytes
Committed memory   623.439,40 TBytes (59,36% of reserved)
Uncommitted memory   426.752,63 TBytes (40,64% of reserved)
Number of heap segments   1 segments
Number of uncommitted ranges   2,67403375434139E+16 range(s)
Size of largest uncommitted range   29.184,39 TBytes
Calculated heap fragmentation   93,16%

Segment Information
Base Address Reserved Size Committed Size Uncommitted Size Number of uncommitted ranges Largest uncommitted block Calculated heap fragmentation
0x0bc83dc4 101.713.488,03 TBytes -2.249.817.298.122.890.000.000 Bytes 2.147.910.400,63 TBytes 2,67403375434139E+16 29.184,39 TBytes 100,00%

In php__PID__1636__Date__01_25_2011__Time_06_32_55PM__913__Second_Chance_Exception_C0000005.dmp the assembly instruction at ntdll!RtlpCoalesceFreeBlocks+35 in C:\Windows\System32\ntdll.dll from Microsoft Corporation has caused an access violation exception (0xC0000005) when trying to read from memory location 0x0029df42 on thread 0

Heap corruption was detected in heap 0x000f0000, however pageheap was not enabled in this dump. Please follow the instructions in the recommendation section for troubleshooting heap corruption issues.

Current NTGlobalFlags value: 0x0 Module Information
Image Name: C:\Windows\System32\ntdll.dll   Symbol Type:  PDB
Base address: 0x775e0000   Time Stamp:  Sat Apr 11 08:26:41 2009
Checksum: 0x0012c163   Comments:
COM DLL: False   Company Name:  Microsoft Corporation
ISAPIExtension: False   File Description:  NT Layer DLL
ISAPIFilter: False   File Version:  6.0.6002.18005 (lh_sp2rtm.090410-1830)
Managed DLL: False   Internal Name:  ntdll.dll
VB DLL: False   Legal Copyright:  © Microsoft Corporation. All rights reserved.
Loaded Image Name:  ntdll.dll   Legal Trademarks:
Mapped Image Name:     Original filename:  ntdll.dll
Module name:  ntdll   Private Build:
Single Threaded:  False   Product Name:  Microsoft® Windows® Operating System
Module Size:  1,15 MBytes   Product Version:  6.0.6002.18005
Symbol File Name:  c:\symcache\ntdll.pdb\2A581B1A8A244C51992668A826BF4FBB2\ntdll.pdb   Special Build:  &
 [2011-01-26 12:35 UTC] pajoye@php.net
No idea what's wrong on your config but gettext works just fine here.

Does it crash when no translation data are used? (no po) Or only when it 
actually does the translation? If the former, pls send me the translation data 
so I can try to reproduce your problem.

Also the backtrace for VC9 looks wrong, it should not use msvcrt at all but the 
VC9 versions. It looks to me that there is a DLL mess on your box. Such a DLL 
mess causes free/HeapFree crashes, as different CRTs are used to alloc and free a 
given resource.
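An added example, not part of the original thread and not PHP or libintl code: a portable C model of the cross-CRT free described in the comment above, in which each allocator tags its blocks so that a mismatched free is rejected instead of corrupting the heap. The names `crt_t`, `crt_malloc`, `crt_free`, `lib_strdup`, `lib_free` and the tag values are hypothetical; real CRTs perform no such ownership check.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy model (constructed): each "CRT" stamps the blocks it hands out. */
typedef struct { uint32_t tag; size_t live; } crt_t;
typedef struct { uint32_t owner; size_t size; } hdr_t;
static crt_t CRT_A = { 0x4d535643u, 0 };  /* stands in for the library's CRT */
static crt_t CRT_B = { 0x56433930u, 0 };  /* stands in for the host's CRT */

void *crt_malloc(crt_t *crt, size_t n) {
    hdr_t *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->owner = crt->tag;
    h->size = n;
    crt->live++;
    return h + 1;
}

/* Returns 0 on success, -1 when the block came from another allocator.
 * A real CRT has no such check and passes the foreign pointer to its heap. */
int crt_free(crt_t *crt, void *p) {
    if (!p) return 0;
    hdr_t *h = (hdr_t *)p - 1;
    if (h->owner != crt->tag) return -1;
    crt->live--;
    free(h);
    return 0;
}

/* Library side: allocates with CRT_A and exports the matching release. */
char *lib_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = crt_malloc(&CRT_A, n);
    if (p) memcpy(p, s, n);
    return p;
}
int lib_free(char *p) { return crt_free(&CRT_A, p); }

/* Host side, linked against CRT_B: the wrong and the right release path. */
int host_release_wrong(char *p) { return crt_free(&CRT_B, p); }
int host_release_right(char *p) { return lib_free(p); }

int main(void) {
    char *s = lib_strdup("Albaran");
    int bad = host_release_wrong(s), ok = host_release_right(s);
    printf("mismatched free: %d, matched free: %d\n", bad, ok);
    return 0;
}
```

The design point is that a DLL which returns heap memory should also export the function that releases it, so the caller never needs to know which runtime allocated the block.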
 [2011-01-26 12:36 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2011-01-26 12:41 UTC] elacunza at binovo dot es
-Status: Feedback +Status: Open
 [2011-01-26 12:41 UTC] elacunza at binovo dot es
Sorry, I copied the wrong backtrace (it is yesterday's backtrace).
There is no translation for the string.

Backtrace for VC9:
Report for php__PID__3208__Date__01_26_2011__Time_12_16_00PM__355__Second_Chance_Exception_C0000005.dmp
Type of Analysis Performed   Crash Analysis
Machine Name   WIN2008
Operating System   Windows Vista Service Pack 2
Number Of Processors   2
Process ID   3208
Process Image   c:\php535vc9\php.exe
System Up-Time   2 day(s) 00:20:11
Process Up-Time   00:00:20

Thread 0 - System ID 4316
Entry point   php+2fa2
Create time   26/01/2011 12:15:40
Time spent in user mode   0 Days 0:0:0.125
Time spent in kernel mode   0 Days 0:0:0.140

Function     Arg 1     Arg 2     Arg 3   Source
ntdll!RtlpCoalesceFreeBlocks+35     021b0000     000ba750     00c0f968
ntdll!RtlpFreeHeap+1e2     000ba750     000ba758     000ba758
ntdll!RtlFreeHeap+14e     021b0000     00000000     000ba750
kernel32!HeapFree+14     021b0000     00000000     000ba758
msvcr90!free+cd     000ba758     455f7365     6f6d4053
php_gettext!get_module+49a0     000b8904     0280fab0     00000000
php_gettext!get_module+6417     0280fab0     0280e2b8     00000007
php_gettext!get_module+1ba     00000001     0280cb58     00000000
php5ts!execute+1110     02840080     021b1300     021b1378
php5ts!execute+583a     021b1378     00c0fbe4     00000000
php5ts!execute+2e8     00000000     00000000     00000000

NTDLL!RTLPCOALESCEFREEBLOCKS+35

Detailed Info For Corrupt Heap
Heap 1 - 0x00100000
Heap Name   Default process heap
Heap Description   This heap is created by default and shared by all modules in the process
Reserved memory   5.244.720,03 TBytes
Committed memory   2.097.264,00 TBytes (39,99% of reserved)
Uncommitted memory   3.147.456,03 TBytes (60,01% of reserved)
Number of heap segments   1 segments
Number of uncommitted ranges   996432412722 range(s)
Size of largest uncommitted range   29.440,41 TBytes
Calculated heap fragmentation   99,06%

Segment Information
Base Address Reserved Size Committed Size Uncommitted Size Number of uncommitted ranges Largest uncommitted block Calculated heap fragmentation
0x601c8127 105.908.016,03 TBytes 52.428.912,00 TBytes 53.479.104,03 TBytes 996432412722 29.440,41 TBytes 99,94%

In php__PID__3208__Date__01_26_2011__Time_12_16_00PM__355__Second_Chance_Exception_C0000005.dmp the assembly instruction at ntdll!RtlpCoalesceFreeBlocks+35 in C:\Windows\System32\ntdll.dll from Microsoft Corporation has caused an access violation exception (0xC0000005) when trying to read from memory location 0x0003dbca on thread 0

Heap corruption was detected in heap 0x00100000, however pageheap was not enabled in this dump. Please follow the instructions in the recommendation section for troubleshooting heap corruption issues.

Current NTGlobalFlags value: 0x0 Module Information
Image Name: C:\Windows\System32\ntdll.dll   Symbol Type:  PDB
Base address: 0x775e0000   Time Stamp:  Sat Apr 11 08:26:41 2009
Checksum: 0x0012c163   Comments:
COM DLL: False   Company Name:  Microsoft Corporation
ISAPIExtension: False   File Description:  NT Layer DLL
ISAPIFilter: False   File Version:  6.0.6002.18005 (lh_sp2rtm.090410-1830)
Managed DLL: False   Internal Name:  ntdll.dll
VB DLL: False   Legal Copyright:  © Microsoft Corporation. All rights reserved.
Loaded Image Name:  ntdll.dll   Legal Trademarks:
Mapped Image Name:     Original filename:  ntdll.dll
Module name:  ntdll   Private Build:
Single Threaded:  False   Product Name:  Microsoft® Windows® Operating System
Module Size:  1,15 MBytes   Product Version:  6.0.6002.18005
Symbol File Name:  c:\symcache\ntdll.pdb\2A581B1A8A244C51992668A826BF4FBB2\ntdll.pdb   Special Build:  &

 Report for php__PID__1636__Date__01_25_2011__Time_06_32_55PM__913__Second_Chance_Exception_C0000005.dmp
 [2011-01-26 12:47 UTC] elacunza at binovo dot es
Ok, I checked the LANG environment variable, and it is unset.

If I do set it (set LANG=esp), then test script doesn't crash. If I unset it again (set LANG=) then it crashes again.

I think that in our application we could be trying to translate some string before the gettext environment is set up, so this could be the reason for our application crashing.

Anyway, seems PHP should not crash if no LANG is set? :-)
 [2011-01-26 12:49 UTC] pajoye@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: pajoye
 [2011-01-26 12:49 UTC] pajoye@php.net
Let me check and fix if necessary, but that's in libintl not in php :)

Thanks for the feedback!
 [2011-01-26 12:53 UTC] elacunza at binovo dot es
Thanks to you for your fast replies! :)
 [2011-01-26 13:42 UTC] pajoye@php.net
-Status: Assigned +Status: Feedback
 [2011-01-26 14:27 UTC] pajoye@php.net
I uploaded the wrong one, pls re fetch them (if you already got them).
 [2011-01-26 14:37 UTC] elacunza at binovo dot es
-Status: Feedback +Status: Assigned
 [2011-01-26 14:37 UTC] elacunza at binovo dot es
It works perfectly now from the command line, so I'd say you found the bug and killed it ;)

I fixed also our app not to try to translate string before setting up environment, and it seems to work ok now with 5.3.5.

Thanks a lot!
 [2011-01-26 16:04 UTC] pajoye@php.net
-Status: Assigned +Status: Closed
 [2011-01-26 19:38 UTC] pajoye@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=307766
Log: - #53837
 [2011-07-18 11:24 UTC] vorapoap at yahoo dot com
I still have this problem with 

php5.3.6 64bit for Windows
http://www.anindya.com/php-5-3-6-x64-64-bit-for-windows/

SET LANG=... and SET LANGUAGE=.... doesn't help anything
gettext fails to run completely....
a quick fix is appreciated;
 [2011-07-18 12:34 UTC] pajoye@php.net
We have nothing to do with these binaries. Please try with our versions only.