Newsgroups: php.internals
Message-ID: <40C1ED88.3000508@php.net>
Date: Sat, 05 Jun 2004 17:58:00 +0200
To: internals@lists.php.net
Subject: Zend Engine 2 - ZTS Bugs Round 2
From: sesser@php.net (Stefan Esser)

Hi,

I have added a backtrace of a crash that occurs when a class function is destructed in ZTS. It seems I only saw this because of Hardened-PHP using globals. Since Andi disabled ZEND_MM on Win32 the same kind of errors should be seen on any Windows PHP installation (I guess).

Between 4 and 2 the tsrm_ls value changes. This happens because zend_hash_del_key_or_index calls the destructor (in this case destroy_zend_function) with only one parameter. It does NOT call it with a valid tsrm_ls value. So it is filled with stack crap.

Stefan

#0  0x0814a899 in zend_llist_apply_with_argument (l=0x81e2440, func=0x814ad2c , arg=0x826c288, tsrm_ls=0x401be9dc)
    at /XXX/hardened-php/php5/php-5.0.0RC3RC2/Zend/zend_llist.c:322
        l = (zend_llist *) 0x81e2440
        arg = (void *) 0x826c288
        tsrm_ls = (void ***) 0x401be9dc
        element = (zend_llist_element *) 0x4024d890
#1  0x0814b1a4 in destroy_op_array (op_array=0x826c288, tsrm_ls=0x401be9dc)
    at /XXX/hardened-php/php5/php-5.0.0RC3RC2/Zend/zend_opcode.c:232
        op_array = (zend_op_array *) 0x826c288
        opline = (zend_op *) 0x4024d890
        end = (zend_op *) 0x4024d890
        i = 1076156560
#2  0x0814ae9a in destroy_zend_function (function=0x826c288, tsrm_ls=0x401be9dc)
    at /XXX/hardened-php/php5/php-5.0.0RC3RC2/Zend/zend_opcode.c:103
        function = (zend_function *) 0x118
#3  0x081587dc in zend_hash_del_key_or_index (ht=0x81e6580, arKey=0x826ff30 "", nKeyLength=90, h=0, flag=0)
    at /XXX/hardened-php/php5/php-5.0.0RC3RC2/Zend/zend_hash.c:485
        h = 280
        nIndex = 37
        p = (Bucket *) 0x826ff10
#4  0x08158d37 in zend_hash_reverse_apply (ht=0x81e6580, apply_func=0x8146f08 , tsrm_ls=0x81e2db0)
    at /XXX/hardened-php/php5/php-5.0.0RC3RC2/Zend/zend_hash.c:733
        result = 1
        ht = (HashTable *) 0x81e6580
        p = (Bucket *) 0x826fde8
        q = (Bucket *) 0x3
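
The class of bug reported above, as an added example that is not part of the original post and not Zend Engine source: a table that invokes destructors through a one-argument pointer, and an adapter that fetches the per-thread context itself instead of expecting it as a second argument. All names (thread_ctx, dtor_func, table, table_del, destroy_function_dtor, demo) are hypothetical, and how the mismatched destructor gets registered is an assumption.

```c
#include <stddef.h>

/* Hypothetical stand-ins for the engine types; not Zend source. */
typedef struct { int destroyed; } thread_ctx;   /* plays the role of tsrm_ls */
typedef void (*dtor_func)(void *pDest);         /* the table passes ONE argument */
typedef struct { void *slots[4]; dtor_func dtor; } table;

/* Per-thread context, looked up instead of being passed down the stack. */
static _Thread_local thread_ctx *current_ctx;

/* Destructor that needs the thread context as a second parameter. */
static void destroy_function(void *fn, thread_ctx *ctx)
{
    (void)fn;
    ctx->destroyed++;
}

/* Mismatched registration (assumed form of the bug, never executed here):
 *     t.dtor = (dtor_func)destroy_function;
 * table_del() would then call it with one argument, so ctx would be whatever
 * sits in the second argument slot. The cast silences the compiler. */

/* Fix: an adapter with the exact one-argument signature. */
static void destroy_function_dtor(void *fn)
{
    destroy_function(fn, current_ctx);
}

static void table_del(table *t, size_t i)
{
    if (i < 4 && t->slots[i]) {
        if (t->dtor) t->dtor(t->slots[i]);      /* one argument, always */
        t->slots[i] = NULL;
    }
}

/* Returns how many destructor calls reached the correct context. */
int demo(void)
{
    thread_ctx ctx = {0};
    int a = 0, b = 0;
    table t = { { &a, &b, NULL, NULL }, destroy_function_dtor };
    current_ctx = &ctx;
    table_del(&t, 0);
    table_del(&t, 1);
    table_del(&t, 2);                           /* empty slot: no call */
    return ctx.destroyed;
}

int main(void) { return demo() == 2 ? 0 : 1; }
```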