Edit report at http://bugs.php.net/bug.php?id=49893&edit=1
 ID:               49893
 Updated by:       dmi...@php.net
 Reported by:      greubel at nkey dot de
 Summary:          Apache 2.2 Child crash while creating an instance of Zend_Mail_Storage_Pop3
-Status:           Bogus
+Status:           Assigned
 Type:             Bug
 Package:          Reproducible crash
-Operating System: Windows Vista
+Operating System: *
 PHP Version:      5.3.0
-Assigned To:
+Assigned To:      dmitry
 New Comment:

The bug occurs when an exception is caught in a destructor during another
exception's processing.

Reproduce code:
---------------
<?php
class A {
    function __destruct() {
        try {
            throw new Exception("2");
        } catch (Exception $e) {
            echo $e->getMessage() . "\n";
        }
    }
}

class B {
    function __construct() {
        $this->a = new A();
        throw new Exception("1");
    }
}

try {
    $b = new B();
} catch(Exception $e) {
    echo $e->getMessage() . "\n";;
}
?>

Expected result:
----------------
2
1

Actual result:
--------------
2

valgrind
--------
==26823== Invalid read of size 4
==26823==    at 0x856480A: ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (zend.h:385)
==26823==    by 0x84D7B98: execute (zend_vm_execute.h:104)
==26823==    by 0x84ACA44: zend_execute_scripts (zend.c:1194)
==26823==    by 0x844186E: php_execute_script (main.c:2260)
==26823==    by 0x8572CDE: main (php_cli.c:1192)
==26823==  Address 0x51f1428 is 8 bytes inside a block of size 20 free'd
==26823==    at 0x4B8C90A: free (vg_replace_malloc.c:323)
==26823==    by 0x848B079: _efree (zend_alloc.c:2348)
==26823==    by 0x849C3E3: _zval_ptr_dtor (zend_execute_API.c:444)
==26823==    by 0x84D8156: zend_leave_helper_SPEC (zend_vm_execute.h:226)
==26823==    by 0x84DA521: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:680)
==26823==    by 0x84D7B98: execute (zend_vm_execute.h:104)
==26823==    by 0x84ACA44: zend_execute_scripts (zend.c:1194)
==26823==    by 0x844186E: php_execute_script (main.c:2260)
==26823==    by 0x8572CDE: main (php_cli.c:1192)


Previous Comments:
------------------------------------------------------------------------

[2009-10-20 20:57:38] paj...@php.net

not a bug > bogus.

------------------------------------------------------------------------

[2009-10-20 20:13:15] greubel at nkey dot de

Not reproducible

------------------------------------------------------------------------

[2009-10-20 20:11:41] greubel at nkey dot de

Please close. I'm not able to reproduce the problem with a small
script. I tried to strip down the code from ZF to provide the same
functionality but provoke the bug. This seems not to be possible under
these circumstances.

This code works well:

<?php
class foo
{
    private $sock;
    private $errno;
    private $error;

    public function __construct()
    {
        $this->sock = fsockopen('pop.gmx.net', 110, $this->errno, $this->error);
        $r = fgets($this->sock);
        echo "$r<br/>";
        fputs($this->sock, "USER mike.greu...@gmx.de\r\n");
        $r = fgets($this->sock);
        echo "$r<br/>";
        fputs($this->sock, "PASS \r\n");
        $r = fgets($this->sock);
        echo "$r<br/>";
        fputs($this->sock, "QUIT\r\n");
        $r = fgets($this->sock);
        echo "$r<br/>";
    }

    public function close()
    {
        fclose($this->sock);
        $this->sock = null;
    }
}

$bar = new foo();
$bar->close();
?>

So please close.

------------------------------------------------------------------------

[2009-10-20 19:53:24] paj...@php.net

We *still* need a way to reproduce your problem. That means a small
script as described already in one of my comments.

------------------------------------------------------------------------

[2009-10-20 18:54:33] greubel at nkey dot de

The access violation has now moved to another place:

php5ts!gc_zobj_possible_root+57 038ffbc0 0273b270 038fe608
php5ts!gc_zval_possible_root+74 038ffbc0 0273b270 00000000
php5ts!ZEND_ASSIGN_SPEC_CV_VAR_HANDLER+69 0094fbc0 0273b270 0094fe3c
php5ts!execute+2fb 039310b0 0273b200 00000000
php5ts!zend_execute_scripts+f6 00000008 0273b270 00000000
php5ts!php_execute_script+233 0094fe3c 0273b270 00000004
php5apache2_2!php_handler+5d0 0275ead8 00a24208 0275ead8
libhttpd!ap_run_handler+21 0275ead8 0275ead8 0275ead8
libhttpd!ap_invoke_handler+ae 00000000 02847fc0 0094ff00
libhttpd!ap_die+29e 0275ead8 00000000 021b51c0
libhttpd!ap_get_request_note+1ccc 02847fc0 02847fc0 02847fc0
libhttpd!ap_run_process_connection+21 02847fc0 00974f20 0094ff48
libhttpd!ap_process_connection+33 02847fc0 021c81a8 00000000
libhttpd!ap_regkey_value_remove+c7c 02847fb8 a899cc42 00000000
msvcrt!_endthreadex+44 0094ff94 76bdd0e9 02746848
msvcrt!_endthreadex+ce 02746848 0094ffd4 775919bb
kernel32!BaseThreadInitThunk+e 02746848 7383fe36 00000000
ntdll!__RtlUserThreadStart+23 76b02670 02746848 00000000
ntdll!_RtlUserThreadStart+1b 76b02670 02746848 00000000

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=49893

-- 
Edit this bug report at http://bugs.php.net/bug.php?id=49893&edit=1
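
Added example (not part of the original report and not PHP project code): a small triage helper that reads the memcheck output quoted in this report, pairs the invalid access with the stack that freed the block, and strips the caller frames both stacks share, leaving the handler that used the zval and the exception-unwinding path that released it. The function names `parse_uaf` and `divergence` are hypothetical, and the frame regex is a simplification that assumes `function (file:line)` frames only.

```python
import re

# Memcheck lines copied from the report above, trimmed to the frames needed.
REPORT = """\
==26823== Invalid read of size 4
==26823==    at 0x856480A: ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (zend.h:385)
==26823==    by 0x84D7B98: execute (zend_vm_execute.h:104)
==26823==  Address 0x51f1428 is 8 bytes inside a block of size 20 free'd
==26823==    at 0x4B8C90A: free (vg_replace_malloc.c:323)
==26823==    by 0x848B079: _efree (zend_alloc.c:2348)
==26823==    by 0x849C3E3: _zval_ptr_dtor (zend_execute_API.c:444)
==26823==    by 0x84D8156: zend_leave_helper_SPEC (zend_vm_execute.h:226)
==26823==    by 0x84DA521: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:680)
==26823==    by 0x84D7B98: execute (zend_vm_execute.h:104)
"""

ACCESS = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)")
BLOCK = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside "
                   r"a block of size (\d+) free'd")
# Simplification: assumes "at/by ADDR: function (file:line)" frames only.
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(")

def parse_uaf(report):
    """Return the first use-after-free in a memcheck report, or None."""
    finding, stack = None, None
    for line in report.splitlines():
        if m := ACCESS.match(line):
            if finding:
                break  # only the first error is triaged
            finding = {"kind": m[1], "size": int(m[2]),
                       "access_stack": [], "free_stack": []}
            stack = finding["access_stack"]
        elif finding and (m := BLOCK.match(line)):
            finding["offset"], finding["block_size"] = int(m[1]), int(m[2])
            stack = finding["free_stack"]
        elif finding and (m := FRAME.match(line)):
            stack.append(m[1])
    return finding if finding and "offset" in finding else None

def divergence(finding):
    """Drop the outer caller frames both stacks share; return (user, freer)."""
    a, f = finding["access_stack"][::-1], finding["free_stack"][::-1]
    n = 0
    while n < min(len(a), len(f)) and a[n] == f[n]:
        n += 1
    return a[n:][::-1], f[n:][::-1]
```
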