ID: 12270
Updated by: zeev
Old Status: Open
Status: Analyzed
Bug Type: Reproducible crash
Operating System: Win32
PHP Version: 4.0.6
New Comment:

The fix is not valid - p->pLast cannot be NULLif everything works right - i.e., the 
bug is elsewhere.

Do you have a script that reproduces this problem (preferably with the CGI version of 

Previous Comments:

[2001-07-20 03:02:45] [EMAIL PROTECTED]

The crash may be only reproducible in release builds with activated bcmath. (In debug 
the Zend efree() function returns prior actual freeing something, if the thread which 
calls efree()
isn't the thread which original allocated the resource).

The "call stack" of this issue is:
php_module_shutdown_wrapper()     // pi3web_sapi.c
php_module_shutdown()     // main.c
zend_shutdown()    // zend.c
zend_hash_destroy(&module_registry)     // zend_hash.c
pefree(ht->arBuckets, ht->persistent)     // zend_hash.c
PHP_MSHUTDOWN_FUNCTION(bcmath)     // bcmath.c
bc_free_num (num)     // init.c, the global bcnum value is _two_
efree ((*num)->n_ptr);     // zend_alloc.c

In efree() the code in macro  REMOVE_POINTER_FROM_LIST() crashes

#define REMOVE_POINTER_FROM_LIST(p)             \
        if (!p->persistent && p==AG(head)) {            \
                AG(head) = p->pNext;            \
        } else if (p->persistent && p==AG(phead)) {     \
                AG(phead) = p->pNext;           \
        } else {                                        \
                p->pLast->pNext = p->pNext;             \
        }                                       \
        if (p->pNext) {                         \
                p->pNext->pLast = p->pLast;             \

The reason of the crash is 

        } else {                                        \
                p->pLast->pNext = p->pNext;             \

if the pointer pLast == NULL. This is true for the last allocated persistent
resource. This code is only called when bcmath performs shutdown,
because in other calls of efree() the condition p==AG(head) seems to
be always true.

A probable fix is:

        } else if (p->pLast) {                          \
                p->pLast->pNext = p->pNext;             \

Holger Zimmermann


Edit this bug report at

PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to