ID:               34617
User updated by:  guillaume dot outters at free dot fr
Reported By:      guillaume dot outters at free dot fr
Status:           Assigned
Bug Type:         Scripting Engine problem
Operating System: Mac OS X 10.4.2
PHP Version:      5CVS, 6CVS (2005-09-23)
Assigned To:      dmitry
New Comment:

OK, here we go for a shorter crasher:

<?php
class Thing {}

function boom()
{
    $reader = xml_parser_create();
    xml_set_object($reader, new Thing());
    die("here");
    xml_parser_free($reader);
}

boom();
?>

Some comments on the environment:
- crashes with CLI (that could be useful to speed up testing and avoid crashing your company's internet web server)
- Doesn't crash with the default Tiger PHP (4.3.11)
- Doesn't crash with my modification (freeing the store after resources). That said, it was a quick fix, and I don't know the Zend engine sufficiently to ensure it is safe in other situations.

Some comments on the crasher:
- dying() after the xml_parser_free doesn't crash anymore (the parser has been manually freed, so that's the same as freeing resources before the objects_store).
- the code must be in a function to crash.


Previous Comments:
------------------------------------------------------------------------

[2005-09-24 15:11:49] [EMAIL PROTECTED]

Yet another chicken-and-egg problem with resources and objects.
xml_parser uses an object for callbacks that is already destroyed at the time when the resource is being destroyed.

2 guillaume dot outters at free dot fr:
Please try to make a reproduce case shorter than 1.7Mb.

------------------------------------------------------------------------

[2005-09-23 20:06:38] [EMAIL PROTECTED]

Dmitry, this is not looking good. Can you check it out?

------------------------------------------------------------------------

[2005-09-23 16:56:08] guillaume dot outters at free dot fr

Same exact problem with 5.1.0RC2-dev (only line numbers in the backtrace differ).

------------------------------------------------------------------------

[2005-09-23 16:25:35] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz

For Windows:

  http://snaps.php.net/win32/php5-win32-latest.zip

Please don't report issues unless you can reproduce them with PHP 5.1 snaps too.

------------------------------------------------------------------------

[2005-09-23 16:17:25] guillaume dot outters at free dot fr

Description:
------------
In zend_deactivate:
  shutdown_executor()
  [ ]
  zend_destroy_rsrc_list()

The first one calls zend_objects_store_destroy() and, in my case, the second one, through an xml_parser_dtor(), uses zend_objects_store_del_ref(). Inevitably, I got a crash.

It seems that the XML parser (a resource) has kept references to Zend objects, because of a malformed XML; I don't know if, according to the Zend engine policy, it should have released them all or if it reveals a bug in the engine itself.

What I know for sure is that commenting the zend_objects_store_destroy in zend_execute_API, and adding it to zend_deactivate() just before zend_ini_deactivate(), solves my problem.

I use an Apache 2.1.7beta, but I don't think this has anything to do with it; my Mac is a PPC.

The problem was revealed by an EXC_BAD_ACCESS, so I just put a breakpoint in free() and wait for it to be called with its first parameter looking like the beginning of the memory zone accessed at the crashing point.

Reproduce code:
---------------
Here is my crasher: http://guillaume.outters.free.fr/boum.tar.bz2 (uncompress in an Apache-accessible directory, everything should be here; call http://localhost/ /boum/album.php)

racine.xml is the bad XML file (line 12: a closing "aff" instead of a "lieu" one). Maybe a simple parser with just an XML file read would reproduce the problem. I didn't try.

Expected result:
----------------
No crash!

Actual result:
--------------
#0  0x0238e078 in zend_objects_store_del_ref (zobject=0x16ae108) at /tmp/php-src/Zend/zend_objects_API.c:148
#1  0x02350874 in _zval_dtor_func (zvalue=0x16ae108, __zend_filename=0x2430a30 "/tmp/php-src/Zend/zend_variables.h", __zend_lineno=35) at /tmp/php-src/Zend/zend_variables.c:62
#2  0x0233804c in _zval_dtor (zvalue=0x16ae108, __zend_filename=0x2460fd0 "/tmp/php-src/Zend/zend_execute_API.c", __zend_lineno=396) at /tmp/php-src/Zend/zend_variables.h:35
#3  0x02338454 in _zval_ptr_dtor (zval_ptr=0x16adbc0, __zend_filename=0x245ae2c "/tmp/php-src/ext/xml/xml.c", __zend_lineno=374) at /tmp/php-src/Zend/zend_execute_API.c:396
#4  0x022c6030 in xml_parser_dtor (rsrc=0x16ae048) at /tmp/php-src/ext/xml/xml.c:374
#5  0x02370a34 in list_entry_destructor (ptr=0x16ae048) at /tmp/php-src/Zend/zend_list.c:184
#6  0x0236aff8 in zend_hash_apply_deleter (ht=0x251cf14, p=0x16adfe8) at /tmp/php-src/Zend/zend_hash.c:668
#7  0x0236b348 in zend_hash_graceful_reverse_destroy (ht=0x251cf14) at /tmp/php-src/Zend/zend_hash.c:734
#8  0x02370c9c in zend_destroy_rsrc_list (ht=0x251cf14) at /tmp/php-src/Zend/zend_list.c:240
#9  0x02355b4c in zend_deactivate () at /tmp/php-src/Zend/zend.c:1602

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=34617&edit=1
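
Added example, not part of the bug report or of the PHP source: a simplified C model of the shutdown ordering described in the report, where an objects store is torn down before a resource whose destructor still releases an object handle. All names (store_t, parser_t, shutdown_model, ...) are hypothetical, and the guard in store_del_ref is an assumption of the model, added so that the stale access is reported instead of crashing.

```c
/* Simplified model of the teardown order in the report; NOT Zend engine code.
 * All type and function names are hypothetical. */
#include <stdlib.h>

typedef struct { int *refcounts; int size; } store_t; /* stands in for the objects store */
typedef struct { int handle; } parser_t;              /* resource holding an object handle */

static void store_init(store_t *s, int n) {
    s->refcounts = calloc((size_t)n, sizeof *s->refcounts);
    s->size = s->refcounts ? n : 0;
}

static void store_destroy(store_t *s) {
    free(s->refcounts);
    s->refcounts = NULL;  /* leave a detectable state, not a dangling pointer */
    s->size = 0;
}

/* Returns 0 on success, -1 if the store is gone or the handle is out of range.
 * In the report, the equivalent call after store destruction crashed. */
static int store_del_ref(store_t *s, int handle) {
    if (!s->refcounts || handle < 0 || handle >= s->size) return -1;
    if (s->refcounts[handle] > 0) s->refcounts[handle]--;
    return 0;
}

/* Resource destructor: releases the callback object held by the parser. */
static int parser_dtor(store_t *s, parser_t *p) {
    return store_del_ref(s, p->handle);
}

/* objects_first != 0: store destroyed, then resources (the reported order).
 * objects_first == 0: resources, then store (the reporter's change). */
int shutdown_model(int objects_first) {
    store_t s;
    parser_t p = { 0 };
    int rc;
    store_init(&s, 4);
    if (!s.refcounts) return -2;   /* allocation failure */
    s.refcounts[p.handle] = 1;     /* the parser holds one reference */
    if (objects_first) {
        store_destroy(&s);
        rc = parser_dtor(&s, &p);  /* stale handle: rejected by the guard */
    } else {
        rc = parser_dtor(&s, &p);
        store_destroy(&s);
    }
    return rc;
}

int main(void) {
    return (shutdown_model(1) == -1 && shutdown_model(0) == 0) ? 0 : 1;
}
```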