Edit report at https://bugs.php.net/bug.php?id=77692&edit=1

 ID:                 77692
 Updated by:         timan...@php.net
 Reported by:        timan...@php.net
 Summary:            Found crash when mb_convert_encoding() after
                     creating Zookeeper instance
-Status:             Assigned
+Status:             Closed
 Type:               Bug
 Package:            PECL
 Operating System:   CentOS Linux release 7.6.1810 (C
 PHP Version:        master-Git-2019-03-05 (Git)
 Assigned To:        timandes
 Block user comment: N
 Private report:     N



Previous Comments:
------------------------------------------------------------------------
[2019-03-07 00:54:25] timan...@php.net

So it means I must allocate for the wrapper struct (like php_zk_t) of
zend_object, but I should not free it manually?

It's interesting. : )

But it works fine, thanks a lot.

------------------------------------------------------------------------
[2019-03-06 08:18:22] ni...@php.net

Actually, I think it's just this line being wrong: 
https://github.com/php-zookeeper/php-zookeeper/blob/master/php_zookeeper.c#L832

The free_obj handler should release the object contents, but *not* deallocate 
the object itself. The engine will do that itself. This results in a double 
free.

You should be able to fix this issue simply by dropping that efree().
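
The ownership rule described in this comment, as an added example that is not part of the original comment and is not php-zookeeper or engine code. It is a simplified model: toy_object, toy_handlers, toy_store_del, zk_wrapper and the counters are hypothetical stand-ins, and the extra release in the buggy handler is only counted rather than performed, so the program stays well defined.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified model of the engine's object lifecycle; all names are hypothetical. */
typedef struct toy_object toy_object;
typedef struct { void (*free_obj)(toy_object *); size_t offset; } toy_handlers;
struct toy_object { int refcount; const toy_handlers *handlers; };

/* Extension wrapper: private state first, the embedded engine object last. */
typedef struct { char *session; toy_object std; } zk_wrapper;

static int release_calls; /* releases of the wrapper block; 1 is correct */
static int stale_access;  /* engine touched the block after a release */

static zk_wrapper *wrapper_of(toy_object *o) {
    return (zk_wrapper *)((char *)o - offsetof(zk_wrapper, std));
}

/* Buggy handler: frees the contents and also "frees" the wrapper (counted only). */
static void free_obj_buggy(toy_object *o) {
    free(wrapper_of(o)->session);
    release_calls++; /* stands in for the efree() of the wrapper */
}

/* Fixed handler: frees the contents only and leaves the wrapper alone. */
static void free_obj_fixed(toy_object *o) { free(wrapper_of(o)->session); }

/* Engine side: call the handler, touch the object, then release the block. */
static void toy_store_del(toy_object *o) {
    const toy_handlers *h = o->handlers;
    h->free_obj(o);
    if (release_calls > 0) stale_access++; /* a real engine reads freed memory here */
    else o->refcount--;
    release_calls++;
    free((char *)o - h->offset); /* the engine's own, single deallocation */
}

/* Runs one create/destroy cycle; returns how often the block was released. */
int run_lifecycle(int use_buggy_handler) {
    static const toy_handlers buggy = { free_obj_buggy, offsetof(zk_wrapper, std) };
    static const toy_handlers fixed = { free_obj_fixed, offsetof(zk_wrapper, std) };
    zk_wrapper *w = calloc(1, sizeof *w);
    if (!w) return -1;
    release_calls = stale_access = 0;
    w->session = malloc(16);
    w->std.refcount = 1;
    w->std.handlers = use_buggy_handler ? &buggy : &fixed;
    toy_store_del(&w->std);
    return release_calls;
}

int main(void) { return (run_lifecycle(1) == 2 && run_lifecycle(0) == 1) ? 0 : 1; }
```

With the buggy handler the block is released twice and the engine's access between the two releases lands in freed memory, which is the pattern in the Valgrind report below (invalid read inside a block already freed from the free_obj path).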

------------------------------------------------------------------------
[2019-03-06 08:15:39] ni...@php.net

==133== Invalid read of size 4
==133==    at 0x94A219: zend_gc_delref (zend_types.h:996)
==133==    by 0x94A942: zend_objects_store_del (zend_objects_API.c:185)
==133==    by 0x8F6BF9: zend_object_destroy_wrapper (zend_variables.c:95)
==133==    by 0x8F6A6E: rc_dtor_func (zend_variables.c:65)
==133==    by 0x9BCAAA: ZEND_UNSET_CV_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:47269)
==133==    by 0x9CA0E5: execute_ex (zend_vm_execute.h:60362)
==133==    by 0x9CA88F: zend_execute (zend_vm_execute.h:60834)
==133==    by 0x8FA6D3: zend_execute_scripts (zend.c:1568)
==133==    by 0x86AB0B: php_execute_script (main.c:2630)
==133==    by 0x9CD268: do_cli (php_cli.c:997)
==133==    by 0x9CE1D4: main (php_cli.c:1389)
==133==  Address 0x7bc0b78 is 72 bytes inside a block of size 112 free'd
==133==    at 0x4C2ACBD: free (vg_replace_malloc.c:530)
==133==    by 0x8C4B2C: _efree (zend_alloc.c:2508)
==133==    by 0x6F46C34: php_zk_destroy (php_zookeeper.c:832)
==133==    by 0x6F46C6E: php_zk_free_storage (php_zookeeper.c:841)
==133==    by 0x94A936: zend_objects_store_del (zend_objects_API.c:184)
==133==    by 0x8F6BF9: zend_object_destroy_wrapper (zend_variables.c:95)
==133==    by 0x8F6A6E: rc_dtor_func (zend_variables.c:65)
==133==    by 0x9BCAAA: ZEND_UNSET_CV_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:47269)
==133==    by 0x9CA0E5: execute_ex (zend_vm_execute.h:60362)
==133==    by 0x9CA88F: zend_execute (zend_vm_execute.h:60834)
==133==    by 0x8FA6D3: zend_execute_scripts (zend.c:1568)
==133==    by 0x86AB0B: php_execute_script (main.c:2630)
==133==  Block was alloc'd at
==133==    at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
==133==    by 0x8C57AD: __zend_malloc (zend_alloc.c:2904)
==133==    by 0x8C4A85: _emalloc (zend_alloc.c:2494)
==133==    by 0x8C4EDB: _ecalloc (zend_alloc.c:2579)
==133==    by 0x6F46D04: php_zk_new (php_zookeeper.c:856)
==133==    by 0x900408: object_and_properties_init (zend_API.c:1335)
==133==    by 0x900449: object_init_ex (zend_API.c:1343)
==133==    by 0x96D5C0: ZEND_NEW_SPEC_CONST_UNUSED_HANDLER (zend_vm_execute.h:8818)
==133==    by 0x9C5EEA: execute_ex (zend_vm_execute.h:56256)
==133==    by 0x9CA88F: zend_execute (zend_vm_execute.h:60834)
==133==    by 0x8FA6D3: zend_execute_scripts (zend.c:1568)
==133==    by 0x86AB0B: php_execute_script (main.c:2630)

Very likely some kind of refcounting bug in php-zookeeper (an addref missing 
somewhere?)

------------------------------------------------------------------------
[2019-03-06 00:58:23] timan...@php.net

The following patch has been added/updated:

Patch Name: valgrind-log-full-20190306
Revision:   1551833903
URL:        https://bugs.php.net/patch-display.php?bug=77692&patch=valgrind-log-full-20190306&revision=1551833903

------------------------------------------------------------------------
[2019-03-06 00:44:53] timan...@php.net

The following patch has been added/updated:

Patch Name: valgrind-log-20190306
Revision:   1551833093
URL:        https://bugs.php.net/patch-display.php?bug=77692&patch=valgrind-log-20190306&revision=1551833093

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=77692


-- 
PECL development discussion Mailing List (http://pecl.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
