Edit report at http://bugs.php.net/bug.php?id=52001&edit=1
ID: 52001
Comment by: boldin dot pavel at gmail dot com
Reported by: lisio at bk dot ru
Summary: Memory allocation problems after using variable
variables
Status: Assigned
Type: Bug
Package: Scripting Engine problem
Operating System: Linux
PHP Version: 5.3.2
Assigned To: dmitry
New Comment:
old patch brokes tests (Zend/tests/objects_020.phpt), new one don't.
Still don't sure if it is absolutely correct.
Previous Comments:
------------------------------------------------------------------------
[2010-06-06 19:15:45] boldin dot pavel at gmail dot com
Zend/zend_compile.c 1066:
if (opline && type == BP_VAR_W && arg_offset) {
opline->extended_value = ZEND_FETCH_MAKE_REF;
}
Is not this bug too? ZEND_FETCH_MAKE_REF is not set for first
(arg_offset == 0) arg?
------------------------------------------------------------------------
[2010-06-06 19:06:29] boldin dot pavel at gmail dot com
I have attached patch. It must be reviewed by professional PHP
developer.
For me it is clearly that call of SEPARATE_ZVAL_TO_MAKE_IS_REF must be
predicated with such a check (and it is done in all other cases).
------------------------------------------------------------------------
[2010-06-06 18:38:05] boldin dot pavel at gmail dot com
Finally: bug is at
if (opline->extended_value & ZEND_FETCH_MAKE_REF) {
SEPARATE_ZVAL_TO_MAKE_IS_REF(retval);
}
SEPARATE_ZVAL_TO_MAKE_IS_REF seems to ruine *retval (which is
executor_globals.uninitialized_ptr). Then this leads to incorrectly
working zend_send_by_var_helper and incorrect referencing count in
zend_assign_to_variable.
Trying to patch now.
------------------------------------------------------------------------
[2010-06-06 18:08:56] boldin dot pavel at gmail dot com
Version without bug:
(gdb)
zend_send_by_var_helper_SPEC_VAR (execute_data=0x88a28d0)
at /home/davinchi/php-5.3.2/Zend/zend_vm_execute.h:8257
8257 varptr = _get_zval_ptr_var(&opline->op1, EX(Ts),
&free_op1 TSRMLS_CC);
(gdb)
8259 if (varptr == &EG(uninitialized_zval)) {
(gdb) p varptr
$24 = (zval *) 0x877fd04
(gdb) p &executor_globals.uninitialized_zval
$25 = (zval *) 0x877fd04
(gdb) p executor_globals.uninitialized_zval_ptr
$26 = (zval *) 0x877fd04
And version with bug:
zend_send_by_var_helper_SPEC_VAR (execute_data=0x88a28d0)
at /home/davinchi/php-5.3.2/Zend/zend_vm_execute.h:8254
8254 zend_op *opline = EX(opline);
(gdb)
8257 varptr = _get_zval_ptr_var(&opline->op1, EX(Ts),
&free_op1 TSRMLS_CC);
(gdb) n
8259 if (varptr == &EG(uninitialized_zval)) {
(gdb) p varptr
$27 = (zval *) 0x8876d8c
(gdb) p &executor_globals.uninitialized_zval
$28 = (zval *) 0x877fd04
(gdb) p executor_globals.uninitialized_zval_ptr
$29 = (zval *) 0x8876d8c
See that uninitialized_zval_ptr dont pointers to the uninitialized_zval
at all!
------------------------------------------------------------------------
[2010-06-06 11:23:47] boldin dot pavel at gmail dot com
Here is the problem: Zend/zend_execution.c line 703 (version 5.3.2):
incorrect reference count (== 1) in case of bug. Should be == 3 and copy
data in 'else' branch.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/bug.php?id=52001
--
Edit this bug report at http://bugs.php.net/bug.php?id=52001&edit=1
