From: [EMAIL PROTECTED]
Operating system: Win32
PHP version: 4.0.6
PHP Bug Type: Reproducible crash
Bug description: php4ts.dll crashes due to null-pointer assignment on shutdown
The crash may be only reproducible in release builds with activated bcmath.
(In debug builds
the Zend efree() function returns prior actual freeing something, if the
thread which calls efree()
isn't the thread which original allocated the resource).
The "call stack" of this issue is:
php_module_shutdown_wrapper() // pi3web_sapi.c
php_module_shutdown() // main.c
zend_shutdown() // zend.c
zend_hash_destroy(&module_registry) // zend_hash.c
pefree(ht->arBuckets, ht->persistent) // zend_hash.c
...
PHP_MSHUTDOWN_FUNCTION(bcmath) // bcmath.c
bc_free_num (num) // init.c, the global bcnum value is _two_
efree ((*num)->n_ptr); // zend_alloc.c
In efree() the code in macro REMOVE_POINTER_FROM_LIST() crashes
#define REMOVE_POINTER_FROM_LIST(p) \
if (!p->persistent && p==AG(head)) { \
AG(head) = p->pNext; \
} else if (p->persistent && p==AG(phead)) { \
AG(phead) = p->pNext; \
} else { \
p->pLast->pNext = p->pNext; \
} \
if (p->pNext) { \
p->pNext->pLast = p->pLast; \
}
The reason of the crash is
} else { \
p->pLast->pNext = p->pNext; \
if the pointer pLast == NULL. This is true for the last allocated
persistent
resource. This code is only called when bcmath performs shutdown,
because in other calls of efree() the condition p==AG(head) seems to
be always true.
A probable fix is:
} else if (p->pLast) { \
p->pLast->pNext = p->pNext; \
---
regards,
Holger Zimmermann
--
Edit bug report at: http://bugs.php.net/?id=12270&edit=1
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
