Bug #71536 Access Violation crashes php-cgi.exe
Submitted: 2016-02-05 15:37 UTC Modified: 2016-02-24 20:09 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: rieger at racecore dot de Assigned: ab
Status: Closed Package: XML Writer
PHP Version: 7.0.3 OS: Windows 7 Prof SP1 [6.1.7]
Private report: No CVE-ID:
 [2016-02-05 15:37 UTC] rieger at racecore dot de
Description:
------------
Just migrated our PHP 5.6 application to PHP 7.0.3.
We have a script that generated XML files for our clients that now crashes the php-cgi.exe when the script is executed.

The weird part is that I can't reproduce the crash in a single PHP file. When I copy the XMLWriter part to a single file, it works flawlessly, but it is still crashing in our application source code.

Test script:
---------------
// die() here and the cgi won't crash

$xml = new \XMLWriter();
$xml->openUri('php://memory'); // crash occurs here
$xml->setIndent(false);
$xml->startDocument('1.0', 'UTF-8');
$xml->startElement('response');

Actual result:
--------------
Loading control script C:\Program Files\DebugDiag\scripts\CrashRule_Process_php-cgi.exe.vbs
DumpPath set to C:\dumps\php-debug
[05.02.2016 16:06:17]
  Process created. BaseModule - C:\nginx\php\php-cgi.exe. BaseThread - System ID: 716
  Thread created. New thread - System ID: 7384
  Initializing control script
  Clearing any existing breakpoints
  
  Current Breakpoint List(BL)
[05.02.2016 16:06:18]
  Thread exited. Exiting thread - System ID: 7384. Exit code - 0x00000000
Skipping exception event during detach/reload
Request to reload script recieved. Loading control script C:\Program Files\DebugDiag\scripts\CrashRule_Process_php-cgi.exe.vbs
Loading control script C:\Program Files\DebugDiag\scripts\CrashRule_Process_php-cgi.exe.vbs
DumpPath set to C:\dumps\php-debug
[05.02.2016 16:07:14]
  Initializing control script
  Clearing any existing breakpoints
  
  Current Breakpoint List(BL)
[05.02.2016 16:07:28]
  Thread created. New thread - System ID: 8176
  Thread exited. Exiting thread - System ID: 8176. Exit code - 0x00000000
  Thread created. New thread - System ID: 7376
  C:\Windows\System32\wship6.dll loaded at 0xfd150000
  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL loaded at 0xf8e30000
  C:\Windows\system32\rasadhlp.dll loaded at 0xf7fb0000
  C:\Windows\System32\fwpuclnt.dll loaded at 0xfb2e0000
  Thread created. New thread - System ID: 8212
[05.02.2016 16:07:29]
  Exception 0XC0000005 on thread 716. DetailID = 1
[05.02.2016 16:07:36]
  Second chance exception - 0XC0000005 caused by thread with System ID: 716 DetailID = 2
  Thread exited. Exiting thread - System ID: 7376. Exit code - 0xffffffff
  Thread exited. Exiting thread - System ID: 8212. Exit code - 0xffffffff
  Process exited. Exit code - 0xffffffff

***********************
*  EXCEPTION DETAILS  *
***********************

DetailID = 1
	Count:    1
	Exception #:  0XC0000005
	Stack:        
		0x101df000
		php7!_php_stream_write+0xa1 [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\main\streams\streams.c @ 1231]
		php7!xmlOutputBufferFlush+0x76
		php7!xmlOutputBufferClose+0x32
		php7!xmlFreeTextWriter+0x1e
		php7!xmlwriter_object_free_storage+0x29 [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\ext\xmlwriter\php_xmlwriter.c @ 131]
		php7!zend_objects_store_free_object_storage+0x356af3 [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\zend\zend_objects_api.c @ 104]
		php7!shutdown_executor+0x278 [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\zend\zend_execute_api.c @ 359]
		php7!zend_deactivate+0x69 [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\zend\zend.c @ 969]
		php7!php_request_shutdown+0x248 [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\main\main.c @ 1826]
		php_cgi!main+0x11a3 [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\sapi\cgi\cgi_main.c @ 2499]
		php_cgi!__scrt_common_main_seh+0x124 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
		kernel32!BaseThreadInitThunk+0xd
		ntdll!RtlUserThreadStart+0x21


DetailID = 2
	Count:    1
	Exception #:  0XC0000005
	Stack:        
		0x101df000
		php7!_php_stream_write+0xa1 [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\main\streams\streams.c @ 1231]
		php7!xmlOutputBufferFlush+0x76
		php7!xmlOutputBufferClose+0x32
		php7!xmlFreeTextWriter+0x1e
		php7!xmlwriter_free_resource_ptr+0xd [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\ext\xmlwriter\php_xmlwriter.c @ 97]
		php7!xmlwriter_object_free_storage+0x29 [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\ext\xmlwriter\php_xmlwriter.c @ 131]
		php7!zend_objects_store_free_object_storage+0x356af3 [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\zend\zend_objects_api.c @ 104]
		php7!shutdown_executor+0x278 [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\zend\zend_execute_api.c @ 359]
		php7!zend_deactivate+0x69 [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\zend\zend.c @ 969]
		php7!php_request_shutdown+0x248 [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\main\main.c @ 1826]
		php_cgi!main+0x11a3 [c:\php-sdk\php70dev\vc14\x64\php-7.0.3\sapi\cgi\cgi_main.c @ 2499]
		php_cgi!invoke_main+0x22 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 74]
		php_cgi!__scrt_common_main_seh+0x124 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
		kernel32!BaseThreadInitThunk+0xd
		ntdll!RtlUserThreadStart+0x21





***********************
*  EXCEPTION SUMMARY  *
***********************

	|--------------------|
	| Count | Exception  |
	|--------------------|
	| 2     | 0XC0000005 |
	|--------------------|

Debugging Overhead Cost:
	Total Elapsed Ticks = 79201 (100%)
	Total Ticks Spent in Debugger Engine = 7878 (10%)
	Total Ticks Spent in Crash Rule Script = 156 (0%)


 [2016-02-24 14:06 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2016-02-24 14:06 UTC] ab@php.net
Thanks for the report with a good backtrace. From the backtrace it can be seen that the issue is related to the memory stream wrapper on request shutdown. As you say, the snippet alone doesn't reproduce the issue. Could you maybe play with the preceding part of the script to extract a reproduce case? I was playing around with the BT to construct a reproduce case, but so far no repro.

Thanks.
 [2016-02-24 14:19 UTC] rieger at racecore dot de
I will give it a second try to isolate this bug in a single test file. Thanks for the reply.
 [2016-02-24 14:35 UTC] rieger at racecore dot de
Success. Could reproduce the issue with this test script \o/


<?php

class Test {
    public static function init()
    {
        $xml = new \XMLWriter();
        $xml->openUri('php://memory');
        $xml->setIndent(false);
        $xml->startDocument('1.0', 'UTF-8');
        $xml->startElement('response');
    }
}

Test::init();
 [2016-02-24 14:39 UTC] Rieger at racecore dot de
Funny - only with the die function this script crashes?!


<?php

class Test {
    public static function init()
    {
        // foo
        $xml = new \XMLWriter();
        $xml->openUri('php://memory');
        $xml->setIndent(false);
        $xml->startDocument('1.0', 'UTF-8');
        $xml->startElement('response');
        die();                             // crashes with die()
    }
}

Test::init();
 [2016-02-24 20:09 UTC] ab@php.net
-Status: Feedback +Status: Verified
 [2016-02-24 20:09 UTC] ab@php.net
Excellent! Thanks for the good repro case, working towards the fix.

Thanks.
 [2016-02-24 20:09 UTC] ab@php.net
-Assigned To: +Assigned To: ab
 [2016-02-28 10:08 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=93592a9c08c37184ebcb5c1274f240d257e3e3e1
Log: Fix bug #71536 Access Violation crashes php-cgi.exe
 [2016-02-28 10:08 UTC] ab@php.net
-Status: Verified +Status: Closed
 [2016-07-20 11:33 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=93592a9c08c37184ebcb5c1274f240d257e3e3e1
Log: Fix bug #71536 Access Violation crashes php-cgi.exe
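
Added example, not part of the bug thread or of php-src: a regression check that runs the reporter's reproduce case (the variant with die()) in a child PHP process and reports whether that process shut down cleanly. The names REPRO and run_repro and the optional argv[1] binary path are assumptions of this example; it is meant to be run from the command line on 64-bit PHP 7.0 or later.

```php
<?php
// Added example: run the reproduce case from this report in a child
// process, so a crash there cannot take the checker down with it.
const REPRO = <<<'REPRO'
<?php
class Test {
    public static function init()
    {
        $xml = new \XMLWriter();
        $xml->openUri('php://memory');
        $xml->setIndent(false);
        $xml->startDocument('1.0', 'UTF-8');
        $xml->startElement('response');
        die(); // the writer object is still alive when shutdown begins
    }
}
Test::init();
REPRO;

// Hypothetical helper: returns the exit status of the child interpreter.
function run_repro(string $phpBinary): int
{
    $file = tempnam(sys_get_temp_dir(), 'b71');
    file_put_contents($file, REPRO);
    $cmd = escapeshellarg($phpBinary) . ' ' . escapeshellarg($file);
    exec($cmd, $output, $status);
    unlink($file);
    return (int) $status;
}

// Assumption: argv[1], if given, is the php or php-cgi binary under test;
// otherwise the interpreter running this checker is tested.
$binary = $argv[1] ?? PHP_BINARY;
$status = run_repro($binary);

// die() without an argument exits with status 0. Status 255 is PHP's
// fatal-error exit (for instance when xmlwriter is not loaded); any other
// non-zero value means the child did not shut down normally.
if ($status === 0) {
    echo "OK: child shut down cleanly\n";
    exit(0);
}
printf("FAIL: child exited with status %d (0x%08X)\n", $status, $status & 0xFFFFFFFF);
exit(1);
```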
 
Last updated: Fri Jul 21 08:01:41 2017 UTC