Edit report at http://bugs.php.net/bug.php?id=51159&edit=1

 ID:               51159
 Comment by:       info at das-peter dot ch
 Reported by:      achristianson at yakabod dot com
 Summary:          session_set_save_handler Memory Corruption
 Status:           Open
 Type:             Bug
 Package:          Scripting Engine problem
 Operating System: CentOS 5.4
 PHP Version:      5.3.1

 New Comment:

Hi there,

can confirm this behavior with gc enabled/disabled.

My current installation:
php 5.3.2 for win x86 [API220090626,TS,VC6 ]
Compiler VC6, thread safe

Run under Apache 2.2

Cheers,
Peter


Previous Comments:
------------------------------------------------------------------------
[2010-03-01 12:46:00] achristianson at yakabod dot com

We tried with GC off and we get the same result.

------------------------------------------------------------------------
[2010-02-28 16:52:02] j...@php.net

Try turning garbage collection off so we know if it's that.. zend.enable_gc
= off, IIRC. :)

------------------------------------------------------------------------
[2010-02-26 19:08:01] achristianson at yakabod dot com

We tried this with Zend MM and garbage collection turned on and off. No
change in result.

------------------------------------------------------------------------
[2010-02-26 18:49:11] achristianson at yakabod dot com

Small typo: I put 5.2.1 and 5.2.3RC3 text along with my backtraces. I
meant to type 5.3.1 and 5.3.2RC3 respectively.

------------------------------------------------------------------------
[2010-02-26 18:39:55] achristianson at yakabod dot com

Description:
------------
Use of session_set_save_handler seems to cause memory corruption under
certain conditions.

Inside of _write, there is code that causes a fatal error. The
corruption seems to not happen if this is removed.

I get the problem in both 5.3.1 and 5.3.2RC3

Reproduce code:
---------------
<?php
session_set_save_handler('_open', '_close', '_read', '_write', '_destroy', '_gc');
session_start();
session_write_close();

function _write() {
  // Deliberate: self:: used outside any class scope raises the fatal error
  // mentioned in the description.
  self::$x = null;
}
function _destroy() {}
function _gc() {}
function _open() {}
function _close() {}
function _read() {}

for($i = 0; $i < 10000; $i++)
{
  $exampleArray[] = new C();
}

class C { }

Expected result:
----------------
No segmentation fault

Actual result:
--------------
5.2.1 backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x014899c0 in ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (execute_data=0x9a6ee80) at /root/php-5.3.1/Zend/zend_execute.c:302
302                zval ***ptr = &CV_OF(node->u.var);
(gdb) bt
#0  0x014899c0 in ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (execute_data=0x9a6ee80) at /root/php-5.3.1/Zend/zend_execute.c:302
#1  0x0142d55d in execute (op_array=0x9a0e260) at /root/php-5.3.1/Zend/zend_vm_execute.h:104
#2  0x0140bd57 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-5.3.1/Zend/zend.c:1194
#3  0x013bbf4e in php_execute_script (primary_file=0xbfa7c8c0) at /root/php-5.3.1/main/main.c:2225
#4  0x0148ad2b in php_handler (r=0x9a56160) at /root/php-5.3.1/sapi/apache2handler/sapi_apache2.c:648
#5  0x08077bf3 in ap_invoke_handler ()
#6  0x080868df in ap_process_request ()
#7  0x080839e8 in ?? ()
#8  0x09a56160 in ?? ()
#9  0x00000004 in ?? ()
#10 0x09a56160 in ?? ()
#11 0x0987c2f8 in ?? ()
#12 0x00000002 in ?? ()
#13 0x09a43be8 in ?? ()
#14 0xbfa7c9c8 in ?? ()
#15 0x0807ff45 in ap_process_connection ()

5.2.3RC3 backtrace:

Program received signal SIGSEGV, Segmentation fault.
_zval_ptr_dtor (zval_ptr=0xbf900928) at /root/php-5.3.2RC3/Zend/zend.h:385
385                return --pz->refcount__gc;
(gdb) bt
#0  _zval_ptr_dtor (zval_ptr=0xbf900928) at /root/php-5.3.2RC3/Zend/zend.h:385
#1  0x014674fc in zend_do_fcall_common_helper_SPEC (execute_data=0x8558d30) at /root/php-5.3.2RC3/Zend/zend_execute.h:316
#2  0x01441b3d in execute (op_array=0x84f66d0) at /root/php-5.3.2RC3/Zend/zend_vm_execute.h:104
#3  0x01420207 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-5.3.2RC3/Zend/zend.c:1194
#4  0x013cfe7e in php_execute_script (primary_file=0xbf902c10) at /root/php-5.3.2RC3/main/main.c:2260
#5  0x0149f22b in php_handler (r=0x853e5b8) at /root/php-5.3.2RC3/sapi/apache2handler/sapi_apache2.c:655
#6  0x08077bf3 in ap_invoke_handler ()
#7  0x080868df in ap_process_request ()
#8  0x080839e8 in ?? ()
#9  0x0853e5b8 in ?? ()
#10 0x00000004 in ?? ()
#11 0x0853e5b8 in ?? ()
#12 0x08388758 in ?? ()
#13 0x00000002 in ?? ()
#14 0x0852c040 in ?? ()
#15 0xbf902d18 in ?? ()
#16 0x0807ff45 in ap_process_connection ()

------------------------------------------------------------------------


