ID: 12270
Updated by: zeev
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Analyzed
Bug Type: Reproducible crash
Operating System: Win32
PHP Version: 4.0.6
New Comment:

The fix is not valid - p->pLast cannot be NULL if everything works right - i.e., the bug is elsewhere.

Do you have a script that reproduces this problem (preferably with the CGI version of PHP)?

Previous Comments:
------------------------------------------------------------------------

[2001-07-20 03:02:45] [EMAIL PROTECTED]

The crash may be only reproducible in release builds with activated bcmath. (In debug builds the Zend efree() function returns before actually freeing anything if the thread which calls efree() isn't the thread which originally allocated the resource.)

The "call stack" of this issue is:
php_module_shutdown_wrapper()     // pi3web_sapi.c
php_module_shutdown()     // main.c
zend_shutdown()    // zend.c
zend_hash_destroy(&module_registry)     // zend_hash.c
pefree(ht->arBuckets, ht->persistent)     // zend_hash.c
...
PHP_MSHUTDOWN_FUNCTION(bcmath)     // bcmath.c
bc_free_num (num)     // init.c, the global bcnum value is _two_
efree ((*num)->n_ptr);     // zend_alloc.c

In efree() the code in the macro REMOVE_POINTER_FROM_LIST() crashes:

#define REMOVE_POINTER_FROM_LIST(p)             \
        if (!p->persistent && p==AG(head)) {            \
                AG(head) = p->pNext;            \
        } else if (p->persistent && p==AG(phead)) {     \
                AG(phead) = p->pNext;           \
        } else {                                        \
                p->pLast->pNext = p->pNext;             \
        }                                       \
        if (p->pNext) {                         \
                p->pNext->pLast = p->pLast;             \
        }

The reason for the crash is

        } else {                                        \
                p->pLast->pNext = p->pNext;             \

if the pointer pLast == NULL. This is true for the last allocated persistent resource. This code is only called when bcmath performs shutdown, because in other calls to efree() the condition p==AG(head) seems to always be true.

A probable fix is:

        } else if (p->pLast) {                          \
                p->pLast->pNext = p->pNext;             \

---
regards,
Holger Zimmermann


------------------------------------------------------------------------
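To make the disagreement above concrete, here is a stand-alone C model of the block list that the quoted macro walks. This is an added example, not code from PHP or from either poster: the names AG_head/AG_phead, add_to_list, is_on_list and both scenarios are assumptions made up for this illustration, and the double-free scenario is constructed to show when the else branch can see pLast == NULL; it is not a claim about where bug 12270 actually originates. remove_from_list() is the report's REMOVE_POINTER_FROM_LIST() written as a function that reports the NULL dereference instead of faulting, and lists_consistent() checks the invariant behind the reply that pLast cannot be NULL on an intact list.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of a Zend allocator block header: only the fields the macro touches. */
typedef struct mem_header {
    int persistent;
    struct mem_header *pNext;
    struct mem_header *pLast;
} mem_header;

/* Stand-ins for AG(head) and AG(phead) (assumed names). */
static mem_header *AG_head  = NULL;   /* per-request blocks  */
static mem_header *AG_phead = NULL;   /* persistent blocks   */

/* Push p at the front of its list: afterwards only the front block has pLast == NULL. */
static void add_to_list(mem_header *p)
{
    mem_header **head = p->persistent ? &AG_phead : &AG_head;
    p->pNext = *head;
    p->pLast = NULL;
    if (*head)
        (*head)->pLast = p;
    *head = p;
}

/* Is p actually linked into the list its persistent flag selects? */
static int is_on_list(const mem_header *p)
{
    const mem_header *q = p->persistent ? AG_phead : AG_head;
    for (; q != NULL; q = q->pNext)
        if (q == p)
            return 1;
    return 0;
}

/* REMOVE_POINTER_FROM_LIST as a function. The real macro dereferences
 * p->pLast unconditionally in the else branch; here that case returns -1
 * (the crash the report describes) instead of faulting. 0 = clean unlink. */
static int remove_from_list(mem_header *p)
{
    if (!p->persistent && p == AG_head) {
        AG_head = p->pNext;
    } else if (p->persistent && p == AG_phead) {
        AG_phead = p->pNext;
    } else {
        if (p->pLast == NULL)       /* macro would do NULL->pNext = ... */
            return -1;
        p->pLast->pNext = p->pNext;
    }
    if (p->pNext)
        p->pNext->pLast = p->pLast;
    return 0;
}

/* On intact lists only the head has pLast == NULL and every other block's
 * pLast points back at it. Returns 1 if both lists satisfy this. */
static int lists_consistent(void)
{
    mem_header *heads[2] = { AG_head, AG_phead };
    int i;
    for (i = 0; i < 2; i++) {
        mem_header *q;
        for (q = heads[i]; q != NULL; q = q->pNext) {
            if (q == heads[i]) {
                if (q->pLast != NULL) return 0;
            } else if (q->pLast == NULL || q->pLast->pNext != q) {
                return 0;
            }
        }
    }
    return 1;
}

/* Intact lists: unlink a middle block (else branch, pLast != NULL) and the
 * newest persistent block (pLast == NULL, but matched by the phead branch).
 * Neither reaches the crash condition. Returns 0 on success. */
static int well_formed_scenario(void)
{
    static mem_header A = {0, NULL, NULL}, B = {0, NULL, NULL},
                      C = {0, NULL, NULL}, P = {1, NULL, NULL};
    int rc;
    AG_head = AG_phead = NULL;
    add_to_list(&A); add_to_list(&B); add_to_list(&C);  /* head:  C B A */
    add_to_list(&P);                                    /* phead: P     */
    rc  = remove_from_list(&B);
    rc |= remove_from_list(&P);
    return (rc == 0 && lists_consistent() && !is_on_list(&B)) ? 0 : -1;
}

/* Constructed double free: B is unlinked once, then handed in again. It is no
 * longer the head, so the else branch runs with the stale pLast == NULL left
 * from B's insertion at the front. Returns the second unlink's result (-1). */
static int double_free_scenario(void)
{
    static mem_header A = {0, NULL, NULL}, B = {0, NULL, NULL};
    AG_head = AG_phead = NULL;
    add_to_list(&A);
    add_to_list(&B);              /* B is head, A->pLast == &B */
    remove_from_list(&B);         /* first free: A becomes head */
    if (!is_on_list(&B))          /* the check that tells the two cases apart */
        printf("block is not on its list: stale pointer, not a list bug\n");
    return remove_from_list(&B);
}

int main(void)
{
    printf("intact lists: %s\n", well_formed_scenario() == 0 ? "ok" : "BROKEN");
    printf("double free : %s\n", double_free_scenario() == -1
           ? "else branch hit with pLast == NULL (would crash)" : "unexpected");
    return 0;
}
```

The point of the two scenarios: with add_to_list() maintaining the list, the only block whose pLast is NULL is the one matched by the head/phead comparison, so the else branch cannot see a NULL pLast unless the block passed to efree() is not on the list at all. Guarding the dereference with `if (p->pLast)` would make the second unlink return silently and leave the stale block unreported; is_on_list() is the check to run when diagnosing where such a block comes from.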



-- 
PHP Development Mailing List <http://www.php.net/>