ID:               12270
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Analyzed
+Status:           Feedback
 Bug Type:         Reproducible crash
 Operating System: Win32
 PHP Version:      4.0.6
 New Comment:

Could you try 4.1.1?



Previous Comments:
------------------------------------------------------------------------

[2001-07-22 15:30:06] [EMAIL PROTECTED]

The fix is not valid - p->pLast cannot be NULL if everything works right
- i.e., the bug is elsewhere.

Do you have a script that reproduces this problem (preferably with the
CGI version of PHP)?

------------------------------------------------------------------------

[2001-07-20 03:02:45] [EMAIL PROTECTED]

The crash may only be reproducible in release builds with activated
bcmath. (In debug builds the Zend efree() function returns prior to
actually freeing anything if the thread which calls efree() isn't the
thread which originally allocated the resource.)

The "call stack" of this issue is:
php_module_shutdown_wrapper()     // pi3web_sapi.c
php_module_shutdown()     // main.c
zend_shutdown()    // zend.c
zend_hash_destroy(&module_registry)     // zend_hash.c
pefree(ht->arBuckets, ht->persistent)     // zend_hash.c
...
PHP_MSHUTDOWN_FUNCTION(bcmath)     // bcmath.c
bc_free_num (num)     // init.c, the global bcnum value is _two_
efree ((*num)->n_ptr);     // zend_alloc.c

In efree(), the code in the macro REMOVE_POINTER_FROM_LIST() crashes:

#define REMOVE_POINTER_FROM_LIST(p)             \
        if (!p->persistent && p==AG(head)) {            \
                AG(head) = p->pNext;            \
        } else if (p->persistent && p==AG(phead)) {     \
                AG(phead) = p->pNext;           \
        } else {                                        \
                p->pLast->pNext = p->pNext;             \
        }                                       \
        if (p->pNext) {                         \
                p->pNext->pLast = p->pLast;             \
        }

The reason for the crash is

        } else {                                        \
                p->pLast->pNext = p->pNext;             \

if the pointer pLast == NULL. This is true for the last allocated
persistent resource. This code is only called when bcmath performs
shutdown, because in other calls of efree() the condition p==AG(head)
seems to always be true.

A probable fix is:

        } else if (p->pLast) {                          \
                p->pLast->pNext = p->pNext;             \

---
regards,
Holger Zimmermann
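
The following is an added illustration for this thread, not code from the
bug report or from zend_alloc.c. It models the two block lists behind
AG(head)/AG(phead) with a small mem_header struct and hypothetical
alloc_globals/list_alloc helpers, and shows why the maintainer's answer
matters: in a correctly maintained list, a block is either at the head or
has a non-NULL pLast whose pNext points back to it. The unlink routine
below checks that invariant and returns -1 for a block that is not on the
list it is being removed from (e.g. one allocated under another thread's
globals), instead of dereferencing NULL as the macro does or silently
skipping the unlink as the proposed "else if (p->pLast)" patch would.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of an allocation block header: each block sits on a doubly-linked
 * list, one for non-persistent and one for persistent memory. Illustration
 * only, not the zend_alloc.c structures. */
typedef struct mem_header {
    int persistent;
    struct mem_header *pNext;
    struct mem_header *pLast;
} mem_header;

/* Hypothetical stand-in for the AG(head) / AG(phead) globals. */
typedef struct {
    mem_header *head;
    mem_header *phead;
} alloc_globals;

/* Allocate a block and push it at the front of the matching list. */
static mem_header *list_alloc(alloc_globals *ag, int persistent)
{
    mem_header **headp = persistent ? &ag->phead : &ag->head;
    mem_header *p = calloc(1, sizeof *p);
    if (p == NULL) return NULL;
    p->persistent = persistent;
    p->pNext = *headp;
    if (*headp != NULL) (*headp)->pLast = p;
    *headp = p;
    return p;
}

/* Same shape as REMOVE_POINTER_FROM_LIST, but a non-head block whose pLast
 * is NULL, or whose predecessor does not point back at it, is reported with
 * -1 rather than dereferenced or quietly skipped. Returns 0 on success. */
int checked_unlink(alloc_globals *ag, mem_header *p)
{
    mem_header **headp = p->persistent ? &ag->phead : &ag->head;
    if (p == *headp) {
        *headp = p->pNext;
    } else if (p->pLast == NULL || p->pLast->pNext != p) {
        return -1;                       /* block is not on this list */
    } else {
        p->pLast->pNext = p->pNext;
    }
    if (p->pNext != NULL) p->pNext->pLast = p->pLast;
    p->pNext = p->pLast = NULL;
    return 0;
}

/* Number of blocks reachable from a list head. */
int list_length(const mem_header *h)
{
    int n = 0;
    for (; h != NULL; h = h->pNext) n++;
    return n;
}

/* Normal operation: five blocks alternating between the two lists, freed
 * in mixed order. Returns 0 if every unlink succeeded and both lists end
 * up empty; every non-head block had a valid pLast throughout. */
int scenario_normal_free(void)
{
    alloc_globals ag = {0};
    mem_header *blk[5];
    int i, rc = 0;
    for (i = 0; i < 5; i++) blk[i] = list_alloc(&ag, i % 2);
    rc |= checked_unlink(&ag, blk[2]);   /* middle of the non-persistent list */
    rc |= checked_unlink(&ag, blk[1]);   /* tail of the persistent list */
    rc |= checked_unlink(&ag, blk[0]);
    rc |= checked_unlink(&ag, blk[4]);
    rc |= checked_unlink(&ag, blk[3]);
    if (list_length(ag.head) != 0 || list_length(ag.phead) != 0) rc = -1;
    for (i = 0; i < 5; i++) free(blk[i]);
    return rc;
}

/* The failure pattern from the report: a persistent block with pLast == NULL
 * is freed through globals that do not own it (two alloc_globals stand in
 * for two threads). The original macro would dereference NULL here; the
 * checked version returns -1 and leaves the block intact. */
int scenario_wrong_globals(void)
{
    alloc_globals ag_alloc = {0}, ag_free = {0};
    mem_header *p = list_alloc(&ag_alloc, 1);   /* only persistent block */
    int rc = checked_unlink(&ag_free, p);       /* p != ag_free.phead, pLast NULL */
    checked_unlink(&ag_alloc, p);               /* correct owner frees it fine */
    free(p);
    return rc;
}

int main(void)
{
    printf("normal free: %d\n", scenario_normal_free());
    printf("freed under the wrong globals: %d\n", scenario_wrong_globals());
    return 0;
}
```

The point of the check is that a NULL pLast on a non-head block is itself
the symptom: in this model it only occurs when a block is freed through a
list it was never linked into, which is the kind of thread/ownership mix-up
the earlier comment about debug builds describes.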


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=12270&edit=1


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
