Hi Dmitry, ah, I see, thanks very much.
in this case, the 5.3 branch should failed too since it also use a stack zval. I will make a improved fix soon.. :) thanks. On Tue, Jan 24, 2012 at 8:19 PM, Dmitry Stogov <dmi...@zend.com> wrote: > Hi Laruence, > > I'll try to demonstrate the problem I tried to describe with a script. > The following script is still fails on trunk. > > <?php > class test { > public static $x; > public function __toString() { > self::$x = $this; > return __FILE__; > } > } > $a = new test; > require_once $a; > var_dump(test::$x); > ?> > > So your fix is not enough. > It make no sense to play with refcounts of zvals allocated on stack. > Probably, the temporary zval needs to be allocated on heap. > > Tahnks. Dmitry. > > [dmitry@ws CGI-DEBUG]$ USE_ZEND_ALLOC=0 valgrind > ../../php-trunk/CGI-DEBUG/sapi/cli/php -n bug60825.php > ==25455== Memcheck, a memory error detector > ==25455== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al. > ==25455== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info > ==25455== Command: ../../php-trunk/CGI-DEBUG/sapi/cli/php -n bug60825.php > ==25455== > ==25455== Conditional jump or move depends on uninitialised value(s) > ==25455== at 0x853E3C9: zend_send_by_var_helper_SPEC_VAR > (zend_execute.c:71) > ==25455== by 0x853F9C0: ZEND_SEND_VAR_SPEC_VAR_HANDLER > (zend_vm_execute.h:11056) > ==25455== by 0x8511872: execute (zend_vm_execute.h:410) > ==25455== by 0x84DBE85: zend_execute_scripts (zend.c:1272) > ==25455== by 0x8462641: php_execute_script (main.c:2476) > ==25455== by 0x85F1506: do_cli (php_cli.c:983) > ==25455== by 0x85F2678: main (php_cli.c:1356) > ==25455== > &UNKNOWN:0 > ==25455== Invalid read of size 4 > ==25455== at 0x84C9964: _zval_ptr_dtor (zend.h:391) > ==25455== by 0x84CEE6E: cleanup_user_class_data (zend_opcode.c:165) > ==25455== by 0x84CEF5D: zend_cleanup_user_class_data (zend_opcode.c:198) > ==25455== by 0x84EB22C: zend_hash_reverse_apply (zend_hash.c:799) > ==25455== by 0x84C958B: shutdown_executor (zend_execute_API.c:289) > ==25455== by 0x84DB12B: zend_deactivate (zend.c:934) > ==25455== by 0x8461441: php_request_shutdown (main.c:1782) > ==25455== by 0x85F1EBC: do_cli (php_cli.c:1169) > ==25455== by 0x85F2678: main (php_cli.c:1356) > ==25455== Address 0xfee969e4 is not stack'd, malloc'd or (recently) free'd > ==25455== > ==25455== Invalid write of size 4 > ==25455== at 0x84C996D: _zval_ptr_dtor (zend.h:391) > ==25455== by 0x84CEE6E: cleanup_user_class_data (zend_opcode.c:165) > ==25455== by 0x84CEF5D: zend_cleanup_user_class_data (zend_opcode.c:198) > ==25455== by 0x84EB22C: zend_hash_reverse_apply (zend_hash.c:799) > ==25455== by 0x84C958B: shutdown_executor (zend_execute_API.c:289) > ==25455== by 0x84DB12B: zend_deactivate (zend.c:934) > ==25455== by 0x8461441: php_request_shutdown (main.c:1782) > ==25455== by 0x85F1EBC: do_cli (php_cli.c:1169) > ==25455== by 0x85F2678: main (php_cli.c:1356) > ==25455== Address 0xfee969e4 is not stack'd, malloc'd or (recently) free'd > ==25455== > ==25455== Invalid read of size 4 > ==25455== at 0x84C997B: _zval_ptr_dtor (zend.h:379) > ==25455== by 0x84CEE6E: cleanup_user_class_data (zend_opcode.c:165) > ==25455== by 0x84CEF5D: zend_cleanup_user_class_data (zend_opcode.c:198) > ==25455== by 0x84EB22C: zend_hash_reverse_apply (zend_hash.c:799) > ==25455== by 0x84C958B: shutdown_executor (zend_execute_API.c:289) > ==25455== by 0x84DB12B: zend_deactivate (zend.c:934) > ==25455== by 0x8461441: php_request_shutdown (main.c:1782) > ==25455== by 0x85F1EBC: do_cli (php_cli.c:1169) > ==25455== by 0x85F2678: main (php_cli.c:1356) > ==25455== Address 0xfee969e4 is not stack'd, malloc'd or (recently) free'd > ==25455== > ==25455== Invalid read of size 4 > ==25455== at 0x84C9A1E: _zval_ptr_dtor (zend.h:379) > ==25455== by 0x84CEE6E: cleanup_user_class_data (zend_opcode.c:165) > ==25455== by 0x84CEF5D: zend_cleanup_user_class_data (zend_opcode.c:198) > ==25455== by 0x84EB22C: zend_hash_reverse_apply (zend_hash.c:799) > ==25455== by 0x84C958B: shutdown_executor (zend_execute_API.c:289) > ==25455== by 0x84DB12B: zend_deactivate (zend.c:934) > ==25455== by 0x8461441: php_request_shutdown (main.c:1782) > ==25455== by 0x85F1EBC: do_cli (php_cli.c:1169) > ==25455== by 0x85F2678: main (php_cli.c:1356) > ==25455== Address 0xfee969e4 is not stack'd, malloc'd or (recently) free'd > ==25455== > ==25455== Invalid read of size 1 > ==25455== at 0x84C9A40: _zval_ptr_dtor (zend_gc.h:182) > ==25455== by 0x84CEE6E: cleanup_user_class_data (zend_opcode.c:165) > ==25455== by 0x84CEF5D: zend_cleanup_user_class_data (zend_opcode.c:198) > ==25455== by 0x84EB22C: zend_hash_reverse_apply (zend_hash.c:799) > ==25455== by 0x84C958B: shutdown_executor (zend_execute_API.c:289) > ==25455== by 0x84DB12B: zend_deactivate (zend.c:934) > ==25455== by 0x8461441: php_request_shutdown (main.c:1782) > ==25455== by 0x85F1EBC: do_cli (php_cli.c:1169) > ==25455== by 0x85F2678: main (php_cli.c:1356) > ==25455== Address 0xfee969e8 is not stack'd, malloc'd or (recently) free'd > ==25455== > ==25455== Invalid read of size 1 > ==25455== at 0x84C9A4B: _zval_ptr_dtor (zend_gc.h:182) > ==25455== by 0x84CEE6E: cleanup_user_class_data (zend_opcode.c:165) > ==25455== by 0x84CEF5D: zend_cleanup_user_class_data (zend_opcode.c:198) > ==25455== by 0x84EB22C: zend_hash_reverse_apply (zend_hash.c:799) > ==25455== by 0x84C958B: shutdown_executor (zend_execute_API.c:289) > ==25455== by 0x84DB12B: zend_deactivate (zend.c:934) > ==25455== by 0x8461441: php_request_shutdown (main.c:1782) > ==25455== by 0x85F1EBC: do_cli (php_cli.c:1169) > ==25455== by 0x85F2678: main (php_cli.c:1356) > ==25455== Address 0xfee969e8 is not stack'd, malloc'd or (recently) free'd > ==25455== > ==25455== > ==25455== HEAP SUMMARY: > ==25455== in use at exit: 36,448 bytes in 2,333 blocks > ==25455== total heap usage: 20,378 allocs, 18,045 frees, 2,405,048 bytes > allocated > ==25455== > ==25455== LEAK SUMMARY: > ==25455== definitely lost: 0 bytes in 0 blocks > ==25455== indirectly lost: 0 bytes in 0 blocks > ==25455== possibly lost: 0 bytes in 0 blocks > ==25455== still reachable: 36,448 bytes in 2,333 blocks > ==25455== suppressed: 0 bytes in 0 blocks > ==25455== Rerun with --leak-check=full to see details of leaked memory > ==25455== > ==25455== For counts of detected and suppressed errors, rerun with: -v > ==25455== Use --track-origins=yes to see where uninitialised values come > from > ==25455== ERROR SUMMARY: 7 errors from 7 contexts (suppressed: 0 from 0) > > > On 01/23/2012 01:02 PM, Laruence wrote: >> >> On Mon, Jan 23, 2012 at 4:09 PM, Dmitry Stogov<dmi...@zend.com> wrote: >>> >>> Hi Laruence, >>> >>> I'm not sure if the proposed patch fixes all the problems. >>> >>> Imagine that __FILE__ stored in some PHP variable and accessed after >>> include() has finished. That time C variable "tmp_inc_filename" won't be >>> valid but PHP variable may still refer to it. >>> >> Hi, >> >> I am not sure whether I got your point, >> >> but zend_std_cast_object_tostring will duplicate that "string", so >> zval_dtor tmp_inc_filename will okey(just efree that duplicate) I >> think. :) >> >> thanks >> >>> I didn't try to reproduce it, so I might be wrong. >>> >>> Thanks. Dmitry. >>> >>> >>> On 01/22/2012 06:42 AM, Laruence wrote: >>>> >>>> >>>> send again, >>>> >>>> dsp said he didn't received. >>>> >>>> thanks >>>> >>>> On Sun, Jan 22, 2012 at 1:19 AM, Laruence<larue...@php.net> wrote: >>>>> >>>>> >>>>> Hi: >>>>> >>>>> I have fixed #60825 (Segfault when running symfony 2 tests) >>>>> >>>>> cvs mail here: http://news.php.net/php.cvs/67503 >>>>> >>>>> should I also commit this fix to 5.4 branch now? >>>>> >>>>> thanks >>>>> >>>>> -- >>>>> Laruence Xinchen Hui >>>>> http://www.laruence.com/ >>>> >>>> >>>> >>>> >>>> >>> >> >> >> > -- Laruence Xinchen Hui http://www.laruence.com/ -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php