[PHP-DEV] Bug #12270 Updated: php4ts.dll crashes due to null-pointer assignment on shutdown

2002-02-03 Thread yohgaki

 ID:   12270
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
-Status:   Analyzed
+Status:   Feedback
 Bug Type: Reproducible crash
 Operating System: Win32
 PHP Version:  4.0.6
 New Comment:

Could you try 4.1.1?



Previous Comments:


[2001-07-22 15:30:06] [EMAIL PROTECTED]

The fix is not valid - p->pLast cannot be NULL if everything works right
- i.e., the bug is elsewhere.

Do you have a script that reproduces this problem (preferably with the
CGI version of PHP)?



[2001-07-20 03:02:45] [EMAIL PROTECTED]

The crash may be only reproducible in release builds with activated
bcmath. (In debug builds the Zend efree() function returns prior to
actually freeing something, if the thread which calls efree() isn't the
thread which originally allocated the resource).

The call stack of this issue is:
php_module_shutdown_wrapper() // pi3web_sapi.c
php_module_shutdown() // main.c
zend_shutdown() // zend.c
zend_hash_destroy(module_registry) // zend_hash.c
pefree(ht->arBuckets, ht->persistent) // zend_hash.c
...
PHP_MSHUTDOWN_FUNCTION(bcmath) // bcmath.c
bc_free_num (num) // init.c, the global bcnum value is _two_
efree ((*num)->n_ptr); // zend_alloc.c

In efree() the code in macro REMOVE_POINTER_FROM_LIST() crashes

#define REMOVE_POINTER_FROM_LIST(p)             \
    if (!p->persistent && p==AG(head)) {        \
        AG(head) = p->pNext;                    \
    } else if (p->persistent && p==AG(phead)) { \
        AG(phead) = p->pNext;                   \
    } else {                                    \
        p->pLast->pNext = p->pNext;             \
    }                                           \
    if (p->pNext) {                             \
        p->pNext->pLast = p->pLast;             \
    }

The reason for the crash is

    } else {                                    \
        p->pLast->pNext = p->pNext;             \

if the pointer pLast == NULL. This is true for the last allocated
persistent resource. This code is only called when bcmath performs
shutdown, because in other calls of efree() the condition p==AG(head)
seems to be always true.

A probable fix is:

    } else if (p->pLast) {                      \
        p->pLast->pNext = p->pNext;             \

---
regards,
Holger Zimmermann





-- 
Edit this bug report at http://bugs.php.net/?id=12270&edit=1


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php
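
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not Zend source: a simplified model of the allocator's doubly linked list in which a block that heads one context's list is released under another context, comparing the guard proposed in the report with an unlink that reports the broken invariant. The names alloc_globals, add_block, remove_guarded and remove_checked are hypothetical, and the front-insertion policy and the cross-context trigger are assumptions made for illustration.

```c
/* Added illustration, not Zend source; alloc_globals models one thread's AG(). */
#include <stddef.h>
typedef struct block { struct block *pNext, *pLast; int persistent; } block;
typedef struct { block *head, *phead; } alloc_globals;

/* Assumed insertion policy: new blocks go to the front of their list. */
static void add_block(alloc_globals *ag, block *p) {
    block **head = p->persistent ? &ag->phead : &ag->head;
    p->pNext = *head; p->pLast = NULL;
    if (*head) (*head)->pLast = p;
    *head = p;
}

/* Unlink with the guard proposed in the report: skip when pLast is NULL. */
static void remove_guarded(alloc_globals *ag, block *p) {
    if (!p->persistent && p == ag->head)       ag->head = p->pNext;
    else if (p->persistent && p == ag->phead)  ag->phead = p->pNext;
    else if (p->pLast)                         p->pLast->pNext = p->pNext;
    if (p->pNext) p->pNext->pLast = p->pLast;
}

/* Unlink that treats "pLast == NULL but not a head in this context" as a
 * broken invariant: returns -1 and leaves every list untouched. */
static int remove_checked(alloc_globals *ag, block *p) {
    if (!p->persistent && p == ag->head)       ag->head = p->pNext;
    else if (p->persistent && p == ag->phead)  ag->phead = p->pNext;
    else if (p->pLast == NULL)                 return -1;
    else                                       p->pLast->pNext = p->pNext;
    if (p->pNext) p->pNext->pLast = p->pLast;
    return 0;
}

/* Constructed scenario: b heads owner's list but is released while `other`
 * is active. Returns 1 if owner.head still points at b afterwards. */
static int guarded_leaves_stale_head(void) {
    alloc_globals owner = {0}, other = {0};
    block a = {0}, b = {0};
    add_block(&owner, &a); add_block(&owner, &b);  /* owner.head == &b */
    remove_guarded(&other, &b);                    /* no branch matches */
    return owner.head == &b && a.pLast == NULL;
}

/* Same scenario through the checked unlink: expect -1 and intact links. */
static int checked_detects_foreign_block(void) {
    alloc_globals owner = {0}, other = {0};
    block a = {0}, b = {0};
    add_block(&owner, &a); add_block(&owner, &b);
    return remove_checked(&other, &b) == -1 && a.pLast == &b;
}
```

In the guarded case the NULL dereference is avoided, but the owning list's head still refers to the released block, so the inconsistency is hidden rather than repaired.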




[PHP-DEV] Bug #12270 Updated: php4ts.dll crashes due to null-pointer assignment on shutdown

2001-07-22 Thread zeev

ID: 12270
Updated by: zeev
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Analyzed
Bug Type: Reproducible crash
Operating System: Win32
PHP Version: 4.0.6
New Comment:

The fix is not valid - p->pLast cannot be NULL if everything works right - i.e., the
bug is elsewhere.

Do you have a script that reproduces this problem (preferably with the CGI version of
PHP)?

Previous Comments:


[2001-07-20 03:02:45] [EMAIL PROTECTED]

The crash may be only reproducible in release builds with activated
bcmath. (In debug builds the Zend efree() function returns prior to
actually freeing something, if the thread which calls efree() isn't the
thread which originally allocated the resource).

The call stack of this issue is:
php_module_shutdown_wrapper() // pi3web_sapi.c
php_module_shutdown() // main.c
zend_shutdown() // zend.c
zend_hash_destroy(module_registry) // zend_hash.c
pefree(ht->arBuckets, ht->persistent) // zend_hash.c
...
PHP_MSHUTDOWN_FUNCTION(bcmath) // bcmath.c
bc_free_num (num) // init.c, the global bcnum value is _two_
efree ((*num)->n_ptr); // zend_alloc.c

In efree() the code in macro REMOVE_POINTER_FROM_LIST() crashes

#define REMOVE_POINTER_FROM_LIST(p)             \
    if (!p->persistent && p==AG(head)) {        \
        AG(head) = p->pNext;                    \
    } else if (p->persistent && p==AG(phead)) { \
        AG(phead) = p->pNext;                   \
    } else {                                    \
        p->pLast->pNext = p->pNext;             \
    }                                           \
    if (p->pNext) {                             \
        p->pNext->pLast = p->pLast;             \
    }

The reason for the crash is

    } else {                                    \
        p->pLast->pNext = p->pNext;             \

if the pointer pLast == NULL. This is true for the last allocated
persistent resource. This code is only called when bcmath performs
shutdown, because in other calls of efree() the condition p==AG(head)
seems to be always true.

A probable fix is:

    } else if (p->pLast) {                      \
        p->pLast->pNext = p->pNext;             \

---
regards,
Holger Zimmermann





