Bug #58837 Crash when empty object is destroyed
Submitted: 2009-08-27 16:57 UTC
Modified: 2009-09-30 14:54 UTC
From: mkoppanen@php.net
Assigned:
Status: Closed
Package: xslcache (PECL)
PHP Version: 5.2.10
OS: Linux
Private report: No
CVE-ID: None
 [2009-08-27 16:57 UTC] mkoppanen@php.net
Description:
------------
# gdb --args php -r 'dl("xslcache.so"); $c = new XSLTCache();'
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
run
(gdb) run
Starting program: /usr/local/bin/php -r dl\(\"xslcache.so\"\)\;\ \$c\ =\ new\ XSLTCache\(\)\;
[Thread debugging using libthread_db enabled]
[New Thread 0xb79f36b0 (LWP 22321)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb79f36b0 (LWP 22321)]
0xb79ef18f in xslcache_objects_free_storage (object=0x90ce218) at /tmp/xslcache/php_xsl.c:186
186             if (!intern->xslp->keep_cached) {
(gdb) bt full
#0  0xb79ef18f in xslcache_objects_free_storage (object=0x90ce218) at /tmp/xslcache/php_xsl.c:186
No locals.
#1  0x082f6118 in zend_objects_store_del_ref_by_handle (handle=1) at /root/php-5.2.10/Zend/zend_objects_API.c:211
        __orig_bailout = (jmp_buf *) 0xbff597b4
        __bailout = {{__jmpbuf = {151836972, 140106608, 151836816, -1074424008, -13836159, 1254084590}, __mask_was_saved = 0, __saved_mask = {__val = {151839392, 151839352, 150757800, 40, 3220543256, 
        137101794, 3071046252, 3080659296, 151839616, 151839568, 150757800, 48, 3220543288, 137101794, 151839392, 3080659296, 4160, 5, 37, 134622048, 3086333544, 0, 151839616, 3086331892, 4160, 5, 
        3220543328, 3086276699, 152057408, 0, 5863176, 8}}}}
        obj = (struct _store_object *) 0x90c61b8
        failure = 0
#2  0x082f6138 in zend_objects_store_del_ref (zobject=0x90cd92c) at /root/php-5.2.10/Zend/zend_objects_API.c:169
        handle = 0
#3  0x082cc780 in _zval_ptr_dtor (zval_ptr=0x90ce364) at /root/php-5.2.10/Zend/zend_variables.h:35
No locals.
#4  0x082e2c92 in zend_hash_apply_deleter (ht=0x859db70, p=0x90ce358) at /root/php-5.2.10/Zend/zend_hash.c:611
        retval = <value optimized out>
#5  0x082e2da0 in zend_hash_reverse_apply (ht=0x859db70, apply_func=0x82cbef0 <zval_call_destructor>) at /root/php-5.2.10/Zend/zend_hash.c:760
        result = 1
        p = (Bucket *) 0x90cd890
#6  0x082cf196 in shutdown_destructors () at /root/php-5.2.10/Zend/zend_execute_API.c:211
        symbols = 17
        __orig_bailout = (jmp_buf *) 0xbff5986c
        __bailout = {{__jmpbuf = {-1074418061, -1074418061, 6, -1074423720, -13680511, 1306711022}, __mask_was_saved = 0, __saved_mask = {__val = {16, 3220543776, 1, 3080660864, 16, 151843268, 11, 0, 
        151838592, 3220543776, 3220543512, 151838848, 151838820, 3220543776, 3220543576, 137351139, 16, 0, 3220543576, 151838788, 151838748, 151838788, 3220543576, 137592919, 3220543560, 4, 
        3220543648, 137327039, 151843488, 9, 151836972, 3220543776}}}}
#7  0x082d95c0 in zend_call_destructors () at /root/php-5.2.10/Zend/zend.c:845
        __orig_bailout = (jmp_buf *) 0xbff59938
        __bailout = {{__jmpbuf = {-1074418061, -1074418061, 6, -1074423544, -13582207, 1328246766}, __mask_was_saved = 0, __saved_mask = {__val = {151843228, 151838356, 150757800, 4872, 3220543720, 
        137101794, 3220543652, 151836948, 3220543488, 137121145, 4864, 152061328, 18, 3082076148, 3082080608, 152056848, 3220543692, 151836972, 3082080608, 152056848, 152056840, 140105412, 
        3220549235, 6, 3220543736, 137166114, 140105412, 3220549235, 3220543752, 136996370, 140105412, 3220543820}}}}
#8  0x08297d95 in php_request_shutdown (dummy=0x0) at /root/php-5.2.10/main/main.c:1453
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {-1074418061, -1074418061, 6, -1074423336, -13492095, 1190574062}, __mask_was_saved = 0, __saved_mask = {__val = {151838072, 151838212, 0, 151838072, 0, 3220543928, 
        137153242, 151838020, 139941522, 7, 0, 0, 0, 0, 2, 151836940, 1, 151838020, 40, 151774032, 6, 151836948, 3220549235, 3220549235, 6, 3220543960, 137153439, 3220549235, 0, 139941522, 
        3220544716, 3220549235}}}}
        report_memleaks = 1 '\001'
#9  0x08344cf1 in main (argc=3, argv=0xbff59cc4) at /root/php-5.2.10/sapi/cli/php_cli.c:1343
        exit_status = 0
        c = <value optimized out>
        file_handle = {type = 2 '\002', filename = 0x834663d "-", opened_path = 0x0, handle = {fd = -1212890048, fp = 0xb7b4c440, stream = {handle = 0xb7b4c440, reader = 0xbff59be8, closer = 0, 
      fteller = 0, interactive = -1074422836}}, free_filename = 0 '\0'}
        behavior = 6
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0xbff5ae73 "dl(\"xslcache.so\"); $c = new XSLTCache();"
        arg_excp = (char **) 0xbff5ae73
        script_file = 0x0
        interactive = 0
        module_started = 1
        request_started = 1
---Type <return> to continue, or q <return> to quit---

Reproduce code:
---------------
Index: php_xsl.c
===================================================================
--- php_xsl.c   (revision 287819)
+++ php_xsl.c   (working copy)
@@ -183,7 +183,7 @@
                intern->doc = NULL;
        }
 
-       if (!intern->xslp->keep_cached) {
+       if (intern->xslp && !intern->xslp->keep_cached) {
                /* delete the cached object, destructor called when object is removed */
                i = zend_hash_del(&EG(persistent_list), intern->xslp->persist_key, strlen(intern->xslp->persist_key));
        }
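
Review bot: the added `intern->xslp &&` test on the `if` only protects this free handler if `intern->xslp` is guaranteed to be NULL for an object that never had a stylesheet loaded, so please confirm that the object-creation path initialises the field to NULL rather than leaving it unset. Inside the guarded block, `intern->xslp->persist_key` is still passed to `strlen()` without a NULL check, and the result of `zend_hash_del()` stored in `i` is not examined in the visible lines; consider testing `persist_key` in the same condition and either checking `i` or dropping the assignment. A regression test that runs `$c = new XSLTCache();` with no further calls, as in the report, would keep this from reappearing.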


 [2009-09-30 14:54 UTC] indeyets at gmail dot com
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.


 