From: [EMAIL PROTECTED]
Operating system: Win32
PHP version: 4.0.6
PHP Bug Type: Reproducible crash
Bug description: php4ts.dll crashes due to null-pointer assignment on shutdown

The crash may only be reproducible in release builds with bcmath activated. (In debug builds the Zend efree() function returns before actually freeing anything if the thread which calls efree() isn't the thread which originally allocated the resource.)

The "call stack" of this issue is:

    php_module_shutdown_wrapper()           // pi3web_sapi.c
    php_module_shutdown()                   // main.c
    zend_shutdown()                         // zend.c
    zend_hash_destroy(&module_registry)     // zend_hash.c
    pefree(ht->arBuckets, ht->persistent)   // zend_hash.c
    ...
    PHP_MSHUTDOWN_FUNCTION(bcmath)          // bcmath.c
    bc_free_num (num)                       // init.c, the global bcnum value is _two_
    efree ((*num)->n_ptr);                  // zend_alloc.c

In efree() the code in the macro REMOVE_POINTER_FROM_LIST() crashes:

    #define REMOVE_POINTER_FROM_LIST(p) \
        if (!p->persistent && p==AG(head)) { \
            AG(head) = p->pNext; \
        } else if (p->persistent && p==AG(phead)) { \
            AG(phead) = p->pNext; \
        } else { \
            p->pLast->pNext = p->pNext; \
        } \
        if (p->pNext) { \
            p->pNext->pLast = p->pLast; \
        }

The reason for the crash is

        } else { \
            p->pLast->pNext = p->pNext; \

if the pointer pLast == NULL. This is true for the last allocated persistent resource. This code is only called when bcmath performs its shutdown, because in other calls of efree() the condition p==AG(head) seems always to be true.

A probable fix is:

        } else if (p->pLast) { \
            p->pLast->pNext = p->pNext; \

---
regards,
Holger Zimmermann

--
Edit bug report at: http://bugs.php.net/?id=12270&edit=1

--
PHP Development Mailing List <http://www.php.net/>
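The following is an added example, not part of the bug report above and not Zend's own allocator code. It models the doubly-linked allocation list that REMOVE_POINTER_FROM_LIST walks with a minimal mem_header (only the persistent, pNext and pLast fields) and a per-thread alloc_globals stand-in for AG(head)/AG(phead). The add side (add_pointer_to_list, a prepend that leaves the newest block with pLast == NULL) is an assumption about how blocks enter the list; it is what makes "the last allocated persistent resource" the block with a NULL pLast. The scenario the report describes, a block allocated under one thread's globals and freed under another's, is reproduced by crash_scenario_original() and crash_scenario_fixed(): in the second thread the block is not that thread's phead, so the fallthrough branch runs and the original macro writes through a NULL pLast (modelled here as a return value rather than a fault). The guarded version from the proposed fix does not crash; fixed_leaves_stale_link() shows what the guard does not do.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for zend_mem_header with only the fields the macro touches. */
typedef struct mem_header {
    int persistent;
    struct mem_header *pNext;
    struct mem_header *pLast;
} mem_header;

/* Stand-in for the per-thread allocator globals AG(head) and AG(phead). */
typedef struct alloc_globals {
    mem_header *head;   /* non-persistent (per-request) allocations */
    mem_header *phead;  /* persistent allocations */
} alloc_globals;

/* Assumed add side: prepend p to the matching list. The most recently
 * added block becomes the list head, so its pLast is always NULL. */
static void add_pointer_to_list(alloc_globals *ag, mem_header *p)
{
    mem_header **list = p->persistent ? &ag->phead : &ag->head;
    p->pNext = *list;
    p->pLast = NULL;
    if (*list) {
        (*list)->pLast = p;
    }
    *list = p;
}

/* Unlink logic as quoted in the report. Returns 0 on success and -1 where
 * the real macro would write through a NULL pLast (the reported crash). */
static int remove_original(alloc_globals *ag, mem_header *p)
{
    if (!p->persistent && p == ag->head) {
        ag->head = p->pNext;
    } else if (p->persistent && p == ag->phead) {
        ag->phead = p->pNext;
    } else {
        if (p->pLast == NULL) {
            return -1;  /* p->pLast->pNext = ... would fault here */
        }
        p->pLast->pNext = p->pNext;
    }
    if (p->pNext) {
        p->pNext->pLast = p->pLast;
    }
    return 0;
}

/* Unlink logic with the guard proposed in the report. */
static int remove_fixed(alloc_globals *ag, mem_header *p)
{
    if (!p->persistent && p == ag->head) {
        ag->head = p->pNext;
    } else if (p->persistent && p == ag->phead) {
        ag->phead = p->pNext;
    } else if (p->pLast) {
        p->pLast->pNext = p->pNext;
    }
    if (p->pNext) {
        p->pNext->pLast = p->pLast;
    }
    return 0;
}

/* Build the cross-thread scenario: two persistent blocks allocated under
 * thread A's globals, the newest one then freed under thread B's globals. */
static void build_cross_thread(alloc_globals *a, mem_header *older, mem_header *last)
{
    older->persistent = 1; older->pNext = NULL; older->pLast = NULL;
    last->persistent = 1;  last->pNext = NULL;  last->pLast = NULL;
    add_pointer_to_list(a, older);
    add_pointer_to_list(a, last);   /* last allocated: a->phead, pLast == NULL */
}

int crash_scenario_original(void)
{
    alloc_globals thread_a = {0}, thread_b = {0};
    mem_header older, last;
    build_cross_thread(&thread_a, &older, &last);
    return remove_original(&thread_b, &last);   /* -1: NULL pLast dereference */
}

int crash_scenario_fixed(void)
{
    alloc_globals thread_a = {0}, thread_b = {0};
    mem_header older, last;
    build_cross_thread(&thread_a, &older, &last);
    return remove_fixed(&thread_b, &last);      /* 0: guard skips the write */
}

/* Freeing in the allocating thread hits the p == AG(phead) branch. */
int same_thread_scenario(void)
{
    alloc_globals thread_a = {0};
    mem_header older, last;
    build_cross_thread(&thread_a, &older, &last);
    return remove_original(&thread_a, &last) == 0 && thread_a.phead == &older;
}

/* The guard avoids the crash but never unlinks the block from thread A's
 * list, so thread A's phead still points at memory that was just freed. */
int fixed_leaves_stale_link(void)
{
    alloc_globals thread_a = {0}, thread_b = {0};
    mem_header older, last;
    build_cross_thread(&thread_a, &older, &last);
    remove_fixed(&thread_b, &last);
    return thread_a.phead == &last;
}

int main(void)
{
    printf("original, cross-thread free: %d\n", crash_scenario_original());
    printf("fixed, cross-thread free:    %d\n", crash_scenario_fixed());
    printf("same-thread free ok:         %d\n", same_thread_scenario());
    printf("fixed leaves stale link:     %d\n", fixed_leaves_stale_link());
    return 0;
}
```

The model shows why the guard is only a crash suppressor: a block freed under the wrong thread's globals is unlinked from neither list, and the allocating thread's list head becomes a dangling pointer to freed memory. The underlying fault is the cross-thread efree() on module shutdown, which the debug build masks by returning early.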