Comment 11 for bug 602689

Kurt Huwig (k-huwig) wrote :

The bug happens in this line:

        if (--(*op_array->refcount)>0) {
                return;
        }

of destroy_op_array, when the code tries to read the refcount, according to the disassembler:

Dump of assembler code for function destroy_op_array:
   0x00007f6c321e2080 <+0>: push %r13
   0x00007f6c321e2082 <+2>: push %r12
   0x00007f6c321e2084 <+4>: push %rbp
   0x00007f6c321e2085 <+5>: push %rbx
   0x00007f6c321e2086 <+6>: mov %rdi,%rbx
   0x00007f6c321e2089 <+9>: sub $0x8,%rsp
   0x00007f6c321e208d <+13>: mov 0x48(%rdi),%rbp
   0x00007f6c321e2091 <+17>: mov 0x50(%rdi),%r13d
   0x00007f6c321e2095 <+21>: mov 0x90(%rdi),%rdi
   0x00007f6c321e209c <+28>: test %rdi,%rdi
   0x00007f6c321e209f <+31>: je 0x7f6c321e20b2 <destroy_op_array+50>
   0x00007f6c321e20a1 <+33>: callq 0x7f6c321f6940 <zend_hash_destroy>
   0x00007f6c321e20a6 <+38>: mov 0x90(%rbx),%rdi
   0x00007f6c321e20ad <+45>: callq 0x7f6c321ccc80 <_efree>
   0x00007f6c321e20b2 <+50>: mov 0x40(%rbx),%rdx
=> 0x00007f6c321e20b6 <+54>: mov (%rdx),%eax
   0x00007f6c321e20b8 <+56>: sub $0x1,%eax
   0x00007f6c321e20bb <+59>: test %eax,%eax
   0x00007f6c321e20bd <+61>: mov %eax,(%rdx)
   0x00007f6c321e20bf <+63>: je 0x7f6c321e20d0 <destroy_op_array+80>

The pointer looks bad, as rdx points to 0x7f6c28390138:

(gdb) info registers
rax 0x7f6c321e2270 140102674031216
rbx 0x7f6c36d2a7b0 140102752970672
rcx 0x201f0 131568
rdx 0x7f6c28390138 140102508020024
rsi 0x0 0
rdi 0x0 0
rbp 0x7f6c28390140 0x7f6c28390140
rsp 0x7fff2f1ae250 0x7fff2f1ae250
r8 0x7f6c36583290 140102744945296
r9 0xc08e69804da8f602 -4571600571954825726
r10 0x7f6c3691aad0 140102748711632
r11 0x7f6c365f2c20 140102745402400
r12 0x7f6c36d6bc00 140102753238016
r13 0xd42 3394
r14 0x7fff2f1aebf8 140733983681528
r15 0x113e0 70624
rip 0x7f6c321e20b6 0x7f6c321e20b6 <destroy_op_array+54>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

and this location is not memory mapped:

(gdb) x 0x7f6c28390138
0x7f6c28390138: Cannot access memory at address 0x7f6c28390138

The bug does not happen with the php-cli, but with apache-php.
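As an added illustration that is not part of this bug report, the triage done by hand above (find the `=>` instruction, resolve the register it dereferences, check whether that address is mapped) scripted over the gdb output quoted in the comment. The `MAPPINGS` ranges are constructed placeholders, since the report does not include `info proc mappings` output.

```python
import re

# Sample gdb output taken from the crash report above (trimmed to the
# relevant lines); the MAPPINGS list below is constructed for this example.
DISASSEMBLY = """\
   0x00007f6c321e20b2 <+50>: mov 0x40(%rbx),%rdx
=> 0x00007f6c321e20b6 <+54>: mov (%rdx),%eax
   0x00007f6c321e20b8 <+56>: sub $0x1,%eax
"""
REGISTERS = """\
rbx 0x7f6c36d2a7b0 140102752970672
rdx 0x7f6c28390138 140102508020024
rip 0x7f6c321e20b6 0x7f6c321e20b6 <destroy_op_array+54>
"""
# Constructed (start, end) ranges standing in for `info proc mappings`.
MAPPINGS = [(0x7f6c321c0000, 0x7f6c32200000), (0x7f6c36d00000, 0x7f6c36e00000)]

# AT&T memory operand: optional displacement followed by (%reg), e.g. 0x40(%rbx)
MEM_OPERAND = re.compile(r'(-?0x[0-9a-f]+)?\((%[a-z0-9]+)\)')

def faulting_instruction(disasm):
    """Return the instruction gdb marks with '=>' (where rip stopped)."""
    for line in disasm.splitlines():
        if line.startswith('=>'):
            return line.split(':', 1)[1].strip()
    return None

def parse_registers(dump):
    """Map register name -> integer value from `info registers` output."""
    regs = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            regs[parts[0]] = int(parts[1], 16)
    return regs

def effective_address(instr, regs):
    """Address of the first memory operand, e.g. (%rdx) or 0x40(%rbx)."""
    m = MEM_OPERAND.search(instr)
    if not m:
        return None
    disp = int(m.group(1), 16) if m.group(1) else 0
    return regs[m.group(2).lstrip('%')] + disp

def is_mapped(addr, mappings):
    """True if addr falls inside one of the known mapped ranges."""
    return any(lo <= addr < hi for lo, hi in mappings)

def triage(disasm, dump, mappings):
    """Return (instruction, dereferenced address, mapped?) for the crash site."""
    instr = faulting_instruction(disasm)
    if instr is None:
        return None, None, False
    addr = effective_address(instr, parse_registers(dump))
    return instr, addr, is_mapped(addr, mappings)
```

Run against the quoted output, `triage` reports `mov (%rdx),%eax` dereferencing 0x7f6c28390138 with `mapped` false, which is the same conclusion the comment reaches by hand.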