corrupt CG(auto_globals) in zend_is_auto_global()

Hi All,

I'm currently in the process of building an SAPI client and I'm experiencing
a
crash using PHP 5.1.2 with both the current release sources and with the
newest
snapshot (php5.1-200604301630) on the Win32 platform. The crash happens
consistently with both the release and debug TS builds of the PHP library.

The crash seems to be caused by a corrupted CG(auto_globals) HashTable
pointer.
The zend_is_auto_global() function passes this pointer to zend_hash_find()
where it fails the IS_CONSISTENT() test. I've created a small demo
application
(see below) that duplicates this crash consistently on my platform.

I've spent two days trying to debug this problem but my knowledge of zend
internals are sorely lacking. Any suggestions on further debugging steps or
modifications to the test code that may resolve this crash would be greatly
appreciated :-).

Regards,
Marshall Greenblatt

[PLATFORM]

Microsoft Windows 2000 Professional
5.0.2195 Service Pack 4 Build 2195
Pavilion zv5200 (DP523AV)
x86 Family 15 Model 4 Stepping 10 AuthenticAMD ~797 Mhz

[PHP CONFIGURE OPTIONS]

call cscript /nologo configure.js --enable-cli --disable-cgi
--enable-sockets
--enable-exif --enable-mbstring --with-mime-magic --disable-ipv6
--disable-bcmath --without-gd --without-libxml --enable-debug

[PHP CONFIGURE OUTPUT]

Saving configure options to config.nice.bat
Checking for cl.exe ... <in default path>
Checking for cl.exe ... <in default path>
Detected MS compiler version 12
Checking for link.exe ... C:\PROGRA~1\MICROS~3\VC98\BIN
Checking for nmake.exe ... <in default path>
Checking for lib.exe ... <in default path>
Checking for bison.exe ... <in default path>
Checking for flex.exe ... <in default path>
Checking for re2c.exe ... <not found>
Checking for zip.exe ... <not found>
Checking for lemon.exe ... <not found>
Checking for mc.exe ... C:\PROGRA~1\MICROS~3\VC98\BIN
Checking for arpa\nameser.h ... ..\win32build\include
Checking for library resolv.lib ... ..\bindlib_w32\Debug\resolv.lib

Build dir: Debug_TS
PHP Core: php5ts_debug.dll and php5ts_debug.lib

Checking for NewAPIs.h ... <in default path>
Enabling SAPI sapi\cli
Checking for library oleaut32.lib ... <in LIB path> oleaut32.lib
Enabling extension ext\com_dotnet
Checking for mscoree.h ... <not found>
Checking for mscoree.h ... <not found>
Checking for timelib_config.h ... ext/date/lib
Enabling extension ext\standard
Enabling extension ext\mbstring
Enabling extension ext\mime_magic
Enabling extension ext\reflection
Enabling extension ext\tokenizer
Enabling extension ext\calendar
Checking for library ws2_32.lib ... <in LIB path> ws2_32.lib
Enabling extension ext\sockets
Enabling extension ext\session
Checking for iconv.h ... <not found>
Checking for iconv.h ... <not found>
Enabling extension ext\ctype
Enabling extension ext\zlib
Checking for library zlib.lib ... ..\win32build\lib\zlib.lib
Checking for zlib.h ... ..\win32build\include
Enabling extension ext\pcre
Enabling extension ext\odbc
Enabling extension ext\hash
Enabling extension ext\date
Enabling extension ext\spl
Enabling extension ext\ftp
Enabling extension ext\exif

Creating build dirs...
Generating files...
Generating Makefile
Generating main/internal_functions.c
[content unchanged; skipping]
Generating main/config.w32.h
Done.

[DEMO COMPILE OPTIONS]

/nologo /MDd /W3 /Gm /GX /ZI /Od /I "TSRM" /I "Zend" /D "_DEBUG" /D "ZTS"
/D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PHP_WIN32" /D "ZEND_WIN32"
/FR"Debug/" /Fp"Debug/Test.pch" /YX /Fo"Debug/" /Fd"Debug/" /FD /GZ /c

[DEMO LINK OPTIONS]

php5ts_debug.lib kernel32.lib user32.lib /nologo /subsystem:console
/incremental:yes /pdb:"Debug/Demo.pdb" /debug /machine:I386
/nodefaultlib:"msvcrtd.lib msvcrt.lib" /out:"Debug/Example.exe"
/pdbtype:sept

[DEMO PROGRAM]

#include <main/php.h>
#include <main/SAPI.h>
#include <main/php_main.h>
#include <main/php_variables.h>
#include <main/php_ini.h>
#include <zend_ini.h>

#ifdef PHP_WIN32
#include <io.h>
#include <fcntl.h>
#endif

static int context_ub_write(const char *str, uint str_length TSRMLS_DC)
{
printf("%*s", str_length, str);
return str_length;
}

static void context_flush(void *server_context)
{
fflush(stdout);
}

static void context_register_variables(zval *track_vars_array TSRMLS_DC)
{
// load standard server variables
php_import_environment_variables(track_vars_array TSRMLS_CC);
}

static void context_log_message(char *message)
{
fprintf(stderr, "LOG: %s", message);
}

sapi_module_struct php_context_sapimodule = {
"embed", // name
"PHP Embedded Library", // pretty name

NULL,                            // startup
php_module_shutdown_wrapper,    // shutdown

NULL,                            // activate
NULL,                           // deactivate

context_ub_write,                // unbuffered write
context_flush,                    // flush
NULL,                            // get uid
NULL,                            // getenv

php_error,                      // error handler

NULL,                            // header handler
NULL,                            // send headers handler
NULL,                              // send header handler

NULL,                            // read POST data
NULL,                            // read Cookies

context_register_variables,        // register server variables
context_log_message,            // Log message
NULL,                            // Get request time
  STANDARD_SAPI_MODULE_PROPERTIES

};

#define INI_HARDCODE(name, value)
zend_alter_ini_entry(name, strlen(name) + 1, value, strlen(value),
PHP_INI_SYSTEM, PHP_INI_STAGE_ACTIVATE)

int main(void)
{
// test code
char *code = "$var = 'my string';";

#ifdef ZTS
TSRMLS_D;
#endif

// STARTUP

php_context_sapimodule.phpinfo_as_text = 1;
php_context_sapimodule.php_ini_ignore = 1;

#ifdef ZTS
tsrm_startup(1, 1, 0, NULL);
#endif

// starting the SAPI engine
sapi_startup(&php_context_sapimodule);

if(php_module_startup(&php_context_sapimodule, NULL, 0) == FAILURE) {
    printf("Module startup failed\n");
    return 1;
}

// EXECUTION

#ifdef ZTS
TSRMLS_C = (void ***)ts_resource_ex(0, NULL);
#endif

if(php_request_startup(TSRMLS_C) == FAILURE) {
    printf("Request startup failed\n");
    return 1;
}

SG(headers_sent) = 1;
SG(request_info).no_headers = 1;

zend_first_try {
    CG(in_compilation) = 0;
    EG(uninitialized_zval_ptr) = NULL;

    // load hard-coded ini values
    INI_HARDCODE("report_zend_debug", "0");
    INI_HARDCODE("display_errors", "1");
    INI_HARDCODE("register_argc_argv", "1");
    INI_HARDCODE("html_errors", "0");
    INI_HARDCODE("implicit_flush", "1");
    INI_HARDCODE("output_buffering", "0");
    INI_HARDCODE("max_execution_time", "0");
    INI_HARDCODE("log_errors", "1");

    PG(during_request_startup) = 0;

    // execute code
    zend_eval_string_ex(code, NULL, "Embedded code", 1 TSRMLS_CC);
} zend_end_try();

php_request_shutdown(NULL);

// SHUTDOWN

php_module_shutdown(TSRMLS_C);
sapi_shutdown();

#ifdef ZTS
tsrm_shutdown();
#endif

return 0;

}

[STACK TRACE]

_zend_bailout(char * 0x104910f4 string', unsigned int 67) line 767 + 20 bytes _zend_is_inconsistent(_hashtable * 0x00eff700, char * 0x104910f4string',
int 847) line 67 + 21 bytes
zend_hash_find(_hashtable * 0x00eff700, char * 0x00dc58c8, unsigned int 4,
void * * 0x0012e554) line 847 + 25 bytes
zend_is_auto_global(char * 0x00dc58c8, unsigned int 3, void * * *
0x00da2d90)
line 3955 + 42 bytes
fetch_simple_variable_ex(_znode * 0x0012e884, _znode * 0x0012e8f0, int 1,
unsigned char 83, void * * * 0x00da2d90) line 345 + 52 bytes
fetch_simple_variable(_znode * 0x0012e884, _znode * 0x0012e8f0, int 1,
void * * * 0x00da2d90) line 383 + 23 bytes
zendparse(void * 0x00da2d90) line 4298 + 37 bytes
compile_string(_zval_struct * 0x0012fd94, char * 0x00413050 string', void * * * 0x00da2d90) line 3232 + 9 bytes zend_eval_string(char * 0x00413144string', _zval_struct * 0x00000000,
char * 0x00413050 string', void * * * 0x00da2d90) line 1073 + 17 bytes zend_eval_string_ex(char * 0x00413144string', _zval_struct * 0x00000000,
char * 0x00413050 `string', int 1, void * * * 0x00da2d90) line 1119 + 21
bytes
main() line 126 + 25 bytes