The bug happens in this line:
if (--(*op_array->refcount) > 0) { return; }
of destroy_op_array, when the code dereferences the refcount pointer, according to the disassembler. Note that the same pointer is also written through three instructions later (the decremented value is stored back at +61), so the fault on the read is only visible here because the page is unmapped; had that memory been mapped and reused, this would have been a silent 4-byte write into stale memory rather than a crash:
Dump of assembler code for function destroy_op_array: 0x00007f6c321e2080 <+0>: push %r13 0x00007f6c321e2082 <+2>: push %r12 0x00007f6c321e2084 <+4>: push %rbp 0x00007f6c321e2085 <+5>: push %rbx 0x00007f6c321e2086 <+6>: mov %rdi,%rbx 0x00007f6c321e2089 <+9>: sub $0x8,%rsp 0x00007f6c321e208d <+13>: mov 0x48(%rdi),%rbp 0x00007f6c321e2091 <+17>: mov 0x50(%rdi),%r13d 0x00007f6c321e2095 <+21>: mov 0x90(%rdi),%rdi 0x00007f6c321e209c <+28>: test %rdi,%rdi 0x00007f6c321e209f <+31>: je 0x7f6c321e20b2 <destroy_op_array+50> 0x00007f6c321e20a1 <+33>: callq 0x7f6c321f6940 <zend_hash_destroy> 0x00007f6c321e20a6 <+38>: mov 0x90(%rbx),%rdi 0x00007f6c321e20ad <+45>: callq 0x7f6c321ccc80 <_efree> 0x00007f6c321e20b2 <+50>: mov 0x40(%rbx),%rdx => 0x00007f6c321e20b6 <+54>: mov (%rdx),%eax 0x00007f6c321e20b8 <+56>: sub $0x1,%eax 0x00007f6c321e20bb <+59>: test %eax,%eax 0x00007f6c321e20bd <+61>: mov %eax,(%rdx) 0x00007f6c321e20bf <+63>: je 0x7f6c321e20d0 <destroy_op_array+80>
The pointer looks bad: rdx holds 0x7f6c28390138, which was loaded from 0x40(%rbx) at +50, i.e. it is the refcount pointer stored inside the op_array itself (rbx = 0x7f6c36d2a7b0, and that region is readable since the load at +50 succeeded). rbp, loaded from 0x48(%rdi) at +13, is 0x7f6c28390140, 8 bytes further into the same region, so the op_array contains more than one pointer into memory that is no longer mapped. That looks like a dangling op_array (freed or unmapped while still referenced), although the dump alone does not show who released that memory:
(gdb) info registers rax 0x7f6c321e2270 140102674031216 rbx 0x7f6c36d2a7b0 140102752970672 rcx 0x201f0 131568 rdx 0x7f6c28390138 140102508020024 rsi 0x0 0 rdi 0x0 0 rbp 0x7f6c28390140 0x7f6c28390140 rsp 0x7fff2f1ae250 0x7fff2f1ae250 r8 0x7f6c36583290 140102744945296 r9 0xc08e69804da8f602 -4571600571954825726 r10 0x7f6c3691aad0 140102748711632 r11 0x7f6c365f2c20 140102745402400 r12 0x7f6c36d6bc00 140102753238016 r13 0xd42 3394 r14 0x7fff2f1aebf8 140733983681528 r15 0x113e0 70624 rip 0x7f6c321e20b6 0x7f6c321e20b6 <destroy_op_array+54> eflags 0x246 [ PF ZF IF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0
and this location is not memory mapped:
(gdb) x 0x7f6c28390138 0x7f6c28390138: Cannot access memory at address 0x7f6c28390138
The bug does not happen with php-cli, only when PHP runs under Apache. Since both SAPIs execute the same destroy_op_array code, the difference in process and request lifecycle between them (how long op_arrays are kept alive and who frees their backing memory) is the first thing to compare.
The bug happens in this line:
if (--(*op_array->refcount) > 0) {
return;
}
of destroy_op_array, when the code dereferences the refcount pointer, according to the disassembler. Note that the same pointer is also written through three instructions later (the decremented value is stored back at +61), so the fault on the read is only visible here because the page is unmapped; had that memory been mapped and reused, this would have been a silent 4-byte write into stale memory rather than a crash:
Dump of assembler code for function destroy_op_array:
0x00007f6c321e2080 <+0>: push %r13
0x00007f6c321e2082 <+2>: push %r12
0x00007f6c321e2084 <+4>: push %rbp
0x00007f6c321e2085 <+5>: push %rbx
0x00007f6c321e2086 <+6>: mov %rdi,%rbx
0x00007f6c321e2089 <+9>: sub $0x8,%rsp
0x00007f6c321e208d <+13>: mov 0x48(%rdi),%rbp
0x00007f6c321e2091 <+17>: mov 0x50(%rdi),%r13d
0x00007f6c321e2095 <+21>: mov 0x90(%rdi),%rdi
0x00007f6c321e209c <+28>: test %rdi,%rdi
0x00007f6c321e209f <+31>: je 0x7f6c321e20b2 <destroy_op_array+50>
0x00007f6c321e20a1 <+33>: callq 0x7f6c321f6940 <zend_hash_destroy>
0x00007f6c321e20a6 <+38>: mov 0x90(%rbx),%rdi
0x00007f6c321e20ad <+45>: callq 0x7f6c321ccc80 <_efree>
0x00007f6c321e20b2 <+50>: mov 0x40(%rbx),%rdx
=> 0x00007f6c321e20b6 <+54>: mov (%rdx),%eax
0x00007f6c321e20b8 <+56>: sub $0x1,%eax
0x00007f6c321e20bb <+59>: test %eax,%eax
0x00007f6c321e20bd <+61>: mov %eax,(%rdx)
0x00007f6c321e20bf <+63>: je 0x7f6c321e20d0 <destroy_op_array+80>
The pointer looks bad: rdx holds 0x7f6c28390138, which was loaded from 0x40(%rbx) at +50, i.e. it is the refcount pointer stored inside the op_array itself (rbx = 0x7f6c36d2a7b0, and that region is readable since the load at +50 succeeded). rbp, loaded from 0x48(%rdi) at +13, is 0x7f6c28390140, 8 bytes further into the same region, so the op_array contains more than one pointer into memory that is no longer mapped. That looks like a dangling op_array (freed or unmapped while still referenced), although the dump alone does not show who released that memory:
(gdb) info registers
rax 0x7f6c321e2270 140102674031216
rbx 0x7f6c36d2a7b0 140102752970672
rcx 0x201f0 131568
rdx 0x7f6c28390138 140102508020024
rsi 0x0 0
rdi 0x0 0
rbp 0x7f6c28390140 0x7f6c28390140
rsp 0x7fff2f1ae250 0x7fff2f1ae250
r8 0x7f6c36583290 140102744945296
r9 0xc08e69804da8f602 -4571600571954825726
r10 0x7f6c3691aad0 140102748711632
r11 0x7f6c365f2c20 140102745402400
r12 0x7f6c36d6bc00 140102753238016
r13 0xd42 3394
r14 0x7fff2f1aebf8 140733983681528
r15 0x113e0 70624
rip 0x7f6c321e20b6 0x7f6c321e20b6 <destroy_op_array+54>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
and this location is not memory mapped:
(gdb) x 0x7f6c28390138
0x7f6c28390138: Cannot access memory at address 0x7f6c28390138
The bug does not happen with php-cli, only when PHP runs under Apache. Since both SAPIs execute the same destroy_op_array code, the difference in process and request lifecycle between them (how long op_arrays are kept alive and who frees their backing memory) is the first thing to compare.