ID:               12270
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Feedback
+Status:           No Feedback
 Bug Type:         Reproducible crash
 Operating System: Win32
 PHP Version:      4.0.6
 New Comment:

No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".


Previous Comments:
------------------------------------------------------------------------

[2002-02-03 20:19:29] [EMAIL PROTECTED]

Could you try 4.1.1?


------------------------------------------------------------------------

[2001-07-22 15:30:06] [EMAIL PROTECTED]

The fix is not valid - p->pLast cannot be NULL if everything works right
- i.e., the bug is elsewhere.

Do you have a script that reproduces this problem (preferably with the
CGI version of PHP)?

------------------------------------------------------------------------

[2001-07-20 03:02:45] [EMAIL PROTECTED]

The crash may be only reproducible in release builds with activated
bcmath. (In debug builds the Zend efree() function returns prior to
actually freeing anything if the thread which calls efree() isn't the
thread which originally allocated the resource.)

The "call stack" of this issue is:
php_module_shutdown_wrapper()     // pi3web_sapi.c
php_module_shutdown()     // main.c
zend_shutdown()    // zend.c
zend_hash_destroy(&module_registry)     // zend_hash.c
pefree(ht->arBuckets, ht->persistent)     // zend_hash.c
...
PHP_MSHUTDOWN_FUNCTION(bcmath)     // bcmath.c
bc_free_num (num)     // init.c, the global bcnum value is _two_
efree ((*num)->n_ptr);     // zend_alloc.c

In efree() the code in the macro REMOVE_POINTER_FROM_LIST() crashes:

#define REMOVE_POINTER_FROM_LIST(p)             \
        if (!p->persistent && p==AG(head)) {            \
                AG(head) = p->pNext;            \
        } else if (p->persistent && p==AG(phead)) {     \
                AG(phead) = p->pNext;           \
        } else {                                        \
                p->pLast->pNext = p->pNext;             \
        }                                       \
        if (p->pNext) {                         \
                p->pNext->pLast = p->pLast;             \
        }

The reason for the crash is

        } else {                                        \
                p->pLast->pNext = p->pNext;             \

if the pointer pLast == NULL. This is true for the last allocated
persistent resource. This code is only reached when bcmath performs
shutdown, because in other calls of efree() the condition p==AG(head)
seems to always be true.

A probable fix is:

        } else if (p->pLast) {                          \
                p->pLast->pNext = p->pNext;             \

---
regards,
Holger Zimmermann


------------------------------------------------------------------------
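As an added illustration, not code from this report or from PHP: a constructed model of the unlink logic discussed above, with one pair of lists per thread, matching Holger's note that debug builds bail out when efree() runs on a thread other than the allocating one. A block that is the head of one thread's persistent list is not the head of another thread's, so the else branch is reached with pLast == NULL; the model reports an error there instead of skipping the store, in line with the reply that a NULL pLast means the bug is elsewhere. alloc_globals, add_pointer_to_list and the demo functions are assumed names.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed model: alloc_globals stands in for one thread's AG(head)/AG(phead); all names are assumptions. */
typedef struct mem_header {
    bool persistent;
    struct mem_header *pNext, *pLast;
} mem_header;
typedef struct { mem_header *head, *phead; } alloc_globals;
static void add_pointer_to_list(alloc_globals *ag, mem_header *p) {
    mem_header **list = p->persistent ? &ag->phead : &ag->head;
    p->pLast = NULL;           /* newest block becomes the list head */
    p->pNext = *list;
    if (*list) (*list)->pLast = p;
    *list = p;
}
/* Same branches as REMOVE_POINTER_FROM_LIST; returns 0 on success and
   -1 where the original would dereference a NULL pLast. */
static int remove_pointer_from_list(alloc_globals *ag, mem_header *p) {
    if (!p->persistent && p == ag->head) {
        ag->head = p->pNext;
    } else if (p->persistent && p == ag->phead) {
        ag->phead = p->pNext;
    } else if (p->pLast == NULL) {
        /* No predecessor yet not this thread's head: p lives on another
           list, so the free is inconsistent, not a benign edge case. */
        return -1;
    } else {
        p->pLast->pNext = p->pNext;
    }
    if (p->pNext) p->pNext->pLast = p->pLast;
    return 0;
}

/* Allocated and freed under the same thread's globals: the phead
   check handles it and pLast is never touched. */
int demo_same_thread_free(void) {
    alloc_globals a = {0};
    mem_header num = { .persistent = true };
    add_pointer_to_list(&a, &num);
    return remove_pointer_from_list(&a, &num);   /* 0 */
}
/* Freed against another thread's globals: not its phead and pLast is
   NULL, exactly where the unpatched macro would crash. */
int demo_cross_thread_free(void) {
    alloc_globals a = {0}, b = {0};
    mem_header num = { .persistent = true };
    add_pointer_to_list(&a, &num);
    return remove_pointer_from_list(&b, &num);   /* -1 */
}
```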


-- 
Edit this bug report at http://bugs.php.net/?id=12270&edit=1
