Bug #62432 ReflectionMethod random corrupt memory on high concurrent
Submitted: 2012-06-27 17:36 UTC Modified: 2012-06-28 03:42 UTC
From: xuefer at gmail dot com Assigned: johannes
Status: Closed Package: Reflection related
PHP Version: 5.3.14 OS: Windows
Private report: No CVE-ID:
 [2012-06-27 17:36 UTC] xuefer at gmail dot com
Description:
------------
ReflectionMethod crashes the Zend memory manager randomly under high concurrency


Configuration File (php.ini) Path	C:\Windows
Loaded Configuration File	(none)
Scan this dir for additional .ini files	(none)
Additional .ini files parsed	(none)
Zend Extension Build	API220090626,TS,VC9
PHP Extension Build	API20090626,TS,VC9
Debug Build	no
Thread Safety	enabled
Zend Memory Manager	enabled

Configuration

apache2handler

Apache Version	Apache/2.2.22 (Win32) mod_ssl/2.2.22 OpenSSL/0.9.8t PHP/5.3.14

Apache is loaded with the modules alias_module, authz_host_module and php, nothing else.

Test script:
---------------
<?php

class C
{
    function method()
    {
    }
}

new ReflectionMethod("C::method");
?>

ab.exe -n 30000 -c 60 http://localhost/test.php
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking localhost (be patient)
Total of 983 requests completed
apr_poll: The timeout specified has expired (70007)


Expected result:
----------------
no crash

Actual result:
--------------
The thread 'Win32 Thread' (0x1e98) has exited with code 0 (0x0).
Unhandled exception at 0x69e2c7d7 (php5ts.dll) in httpd.exe: 0xC0000005: Access violation reading location 0x29bffacc.

>	php5ts.dll!_zend_mm_free_int(_zend_mm_heap * heap=0x0edf8a20, void * p=0x00000000)  Line 2028	C
 	php5ts.dll!_efree(void * ptr=0x023dd588)  Line 2361 + 0xa bytes	C
 	php5ts.dll!_zval_dtor_func(_zval_struct * zvalue=0x023fe918)  Line 36 + 0xc bytes	C
 	php5ts.dll!_zval_ptr_dtor(_zval_struct * * zval_ptr=0x10f00dbc)  Line 447 + 0xc bytes	C
 	php5ts.dll!_zend_hash_add_or_update(_hashtable * ht=0x10f00d80, const char * arKey=0x6a1b4d00, unsigned int nKeyLength=0x00000006, void * pData=0x0995fab8, unsigned int nDataSize=0x00000004, void * * pDest=0x00000000, int flag=0x00000001)  Line 237 + 0x6 bytes	C
 	php5ts.dll!zim_reflection_method___construct(int ht=0x00000001, _zval_struct * return_value=0x10f02778, _zval_struct * * return_value_ptr=0x00000000, _zval_struct * this_ptr=0x10f00d60, int return_value_used=0x00000000, void * * * tsrm_ls=0x0efbb728)  Line 2532	C
 	php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data=0x10f30080, void * * * tsrm_ls=0x0efbb701)  Line 320 + 0x41 bytes	C
 	php5ts.dll!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER(_zend_execute_data * execute_data=0x00000005, void * * * tsrm_ls=0x0f0c4868)  Line 426	C
 	php5ts.dll!execute(_zend_op_array * op_array=0x10f00880, void * * * tsrm_ls=0x0efbb700)  Line 107 + 0xa bytes	C
 	php5ts.dll!zend_execute_scripts(int type=0x00000008, void * * * tsrm_ls=0x0efbb728, _zval_struct * * retval=0x00000000, int file_count=0x00000003, ...)  Line 1237	C
 	php5ts.dll!php_execute_script(_zend_file_handle * primary_file=0x0995fe34, void * * * tsrm_ls=0x0efbb728)  Line 2308 + 0x12 bytes	C
 	php5apache2_2.dll!php_handler(request_rec * r=0x0bc82100)  Line 669 + 0xe bytes	C
 	libhttpd.dll!6ff02435() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for libhttpd.dll]	
 	libhttpd.dll!6ff027c0() 	
 	libhttpd.dll!6ff0f01e() 	
 	libhttpd.dll!6ff0adbc() 	
 	libhttpd.dll!6ff050a5() 	
 	libhttpd.dll!6ff05363() 	
 	libhttpd.dll!6ff1df6c() 	
 	msvcrt.dll!74921287() 	
 	msvcrt.dll!74921328() 	
 	kernel32.dll!@BaseThreadInitThunk@12()  + 0x12 bytes	
 	ntdll.dll!___RtlUserThreadStart@8()  + 0x27 bytes	
 	ntdll.dll!__RtlUserThreadStart@8()  + 0x1b bytes	


 [2012-06-27 21:36 UTC] johannes@php.net
Automatic comment on behalf of johannes
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b025b9d0cf9921d26fc4dad43cf26390d0a8c5dd
Log: Fix #62432 ReflectionMethod random corrupt memory on high concurrent
 [2012-06-27 21:40 UTC] johannes@php.net
This was fixed. Not only in reflection but also in date, fileinfo, pdo, pdo, reflection, soap, spl, sqlite, sqlite3, tidy, xmlreader, xmlwriter, xsl and zip.

This was a 5.3-only issue, not in 5.4/master.
 [2012-06-27 21:40 UTC] johannes@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: johannes
 
Last updated: Sun Apr 20 05:03:19 2014 UTC