Bug #73241 php-cgi.exe is crashing while the script execution is being finalized
Submitted: 2016-10-04 13:55 UTC Modified: 2017-01-10 00:45 UTC
From: petr dot maly at remotehost dot cz Assigned:
Status: Suspended Package: COM related
PHP Version: 7.0.11 OS: Windows 10
Private report: No CVE-ID: None
 [2016-10-04 13:55 UTC] petr dot maly at remotehost dot cz
Description:
------------
When the script uses a COM object several times and all the statements are executed, php-cgi.exe crashes while it is shutting down. This causes Apache to return error 5xx; the script code is executed correctly.

The crashing happens randomly. I was inspecting the code of the php_com_dotnet extension and I found that PHP crashes while it is trying to call the destructor on a function object:

com_handlers.c(237:246):

static void function_dtor(zval *zv)
{
	zend_internal_function *f = (zend_internal_function*)Z_PTR_P(zv);

	zend_string_release(f->function_name);
	if (f->arg_info) {
		efree(f->arg_info);
	}
	efree(f);
}
 
The destructor crashes because f->function_name is NULL (sometimes); therefore zend_string_release is unable to access member variables.

Suggested fix:

static void function_dtor(zval *zv)
{
	zend_internal_function *f = (zend_internal_function*)Z_PTR_P(zv);

	if (f->function_name != NULL) {
		zend_string_release(f->function_name);
	}
	if (f->arg_info) {
		efree(f->arg_info);
	}
	efree(f);
}

Best Regards,
Petr Maly

 [2016-10-04 15:34 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2016-10-04 15:34 UTC] ab@php.net
Thanks for the report. Could you please check the latest snapshots from windows.php.net? If the issue is still there, please share a reproducer - some solution with a test class and php code. Or at least a process dump (you'll need the debug symbols).

Thanks.
 [2016-10-04 23:47 UTC] petr dot maly at remotehost dot cz
-Status: Feedback +Status: Open
 [2016-10-04 23:47 UTC] petr dot maly at remotehost dot cz
Thanks for your response. It is really difficult for me to check the latest snapshot, because the environment I use to reproduce this problem uses many plugins (Windows versions) which are not ported to PHP 7.1 yet. However, I can check the latest 7.0 snapshot.

I am going to provide you with a memory dump, so be patient, please.

Petr Maly
 [2017-01-08 20:50 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2017-01-08 20:50 UTC] ab@php.net
Hi. Any news from the front? Maybe you could come up with a reproducer?

Thanks.
 [2017-01-09 09:38 UTC] petr dot maly at remotehost dot cz
-Status: Feedback +Status: Open
 [2017-01-09 09:38 UTC] petr dot maly at remotehost dot cz
Hi.

I am sorry to inform you that I was unable to create a dump in a form which would be useful for you (there were also any other problems).

We have decided to reduce usage of this plugin to an absolute minimum and to use the workaround I suggested in the first message. The problems disappeared; however, our plans are to remove usage of this plugin from our system. So, from our point of view the issue is no longer important and the bug could be closed.

Best Regards,
Petr Maly
 [2017-01-10 00:45 UTC] ab@php.net
-Status: Open +Status: Suspended
 [2017-01-10 00:45 UTC] ab@php.net
Thanks for the feedback. From the code flow, the function_name member should under no circumstance be NULL. It would be simple to apply your suggestion, but given there was no confirmation or similar reports, the actual crash might hide an issue at some other place in the extension, so we would be just removing the symptom. It is sad that no reproducer can be found. I've also tried to construct a suitable case, but couldn't produce a crash like that. Unfortunately you were not able to check the latest snapshots, where the issue might have been already fixed. It is sad for the community of course, as the actual issue might still persist. Anyway, I'm now suspending the ticket, so it might be reopened once a reproduce case is found.

Thanks.
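
The trade-off raised in the last comment, as an added example that is not part of the report or of PHP's source: a stand-alone C model of the guarded destructor that tolerates a NULL function_name but counts and logs each occurrence, so the broken invariant stays visible instead of being silently skipped. The model_* types and functions and the sample name "Invoke" are assumptions made for illustration.

```c
/* Stand-alone model, not PHP source; all model_* names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for zend_string: a refcounted heap string. */
typedef struct { unsigned refcount; char val[64]; } model_string;
/* Only the members of zend_internal_function that function_dtor touches. */
typedef struct { model_string *function_name; void *arg_info; } model_function;

static unsigned strings_freed;   /* names whose last reference was dropped */
static unsigned null_names_seen; /* invariant violations caught in the dtor */

static model_string *model_string_new(const char *s)
{
	model_string *str = calloc(1, sizeof(*str));
	if (!str) abort();
	snprintf(str->val, sizeof(str->val), "%s", s);
	str->refcount = 1;
	return str;
}

/* Like zend_string_release, this dereferences its argument: NULL crashes. */
static void model_string_release(model_string *str)
{
	if (--str->refcount == 0) { free(str); strings_freed++; }
}

static model_function *model_function_new(model_string *name)
{
	model_function *f = calloc(1, sizeof(*f));
	if (!f) abort();
	f->function_name = name; /* NULL here models the reported state */
	return f;
}

/* Guarded destructor: returns 1 if the invariant held, 0 if the name was NULL. */
static int model_function_dtor(model_function *f)
{
	int ok = (f->function_name != NULL);
	if (ok) model_string_release(f->function_name);
	else { null_names_seen++; fprintf(stderr, "function_dtor: NULL function_name in %p\n", (void *)f); }
	free(f->arg_info); /* free(NULL) is a no-op */
	free(f);
	return ok;
}

int main(void)
{
	model_function_dtor(model_function_new(model_string_new("Invoke"))); /* constructed name */
	model_function_dtor(model_function_new(NULL));
	printf("freed=%u null_names=%u\n", strings_freed, null_names_seen);
	return 0;
}
```

A non-zero null_names_seen counter after shutdown is the signal that the entry was created or corrupted elsewhere, which is the place the maintainer suggests the real defect may be.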
 