Edit report at https://bugs.php.net/bug.php?id=65382&edit=1

 ID:                 65382
 Updated by:         s...@php.net
 Reported by:        ni...@php.net
 Summary:            Segfault in closure_030.phpt
 Status:             Assigned
 Type:               Bug
 Package:            Scripting Engine problem
 PHP Version:        5.5.2RC1
 Assigned To:        dmitry
 Block user comment: N
 Private report:     N

 New Comment:

Looks like a consequence of 821d7169d9d575ceef71e69570b98519826ccb01 - prototype is being used as temp storage, but it is actually never reset. If I add:

op_array->prototype = NULL;

to zend_leave_helper_SPEC, it looks like it fixes the crash, but I'm not sure if it is the right thing to do (e.g. - what happens if such calls are nested?)


Previous Comments:
------------------------------------------------------------------------
[2013-08-11 08:18:35] s...@php.net

Looks like refcount for $b is decremented twice in the last call - once in zend_leave_helper_SPEC and once when finishing zend_do_fcall_common_helper_SPEC, which causes $b to be destroyed. This code was added by Dmitry, so assigning this bug to him.

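The double decrement described in the comment above, replayed as an added C example. This is not Zend engine code and not part of the bug report: `rc_value`, `scenario_result`, `simulate_variable_call` and `run_scenario` are hypothetical names constructed here. The model keeps a destroyed value allocated with refcount 0 (the way a debug allocator quarantines freed chunks) so that the second release and the later access show up as counted events instead of a use-after-free, which is the same pattern Valgrind reports for the real crash at request shutdown.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical refcounted value, constructed for this example. It stands in
 * for a zval only in that it carries a refcount and is torn down when the
 * count reaches zero; nothing here is Zend engine code. */
typedef struct {
    unsigned refcount;
    int destroyed;      /* 1 once the value has been torn down */
    char name[16];
} rc_value;

/* Outcome of one simulated request. */
typedef struct {
    int stale_uses;     /* accesses to the value after it was destroyed */
    int underflows;     /* releases of a reference that was no longer held */
} scenario_result;

static rc_value *rc_new(const char *name) {
    rc_value *v = calloc(1, sizeof *v);
    if (!v) abort();
    v->refcount = 1;    /* the creating scope (symbol table) holds one reference */
    strncpy(v->name, name, sizeof v->name - 1);
    return v;
}

static void rc_addref(rc_value *v) { v->refcount++; }

/* Release one reference. A destroyed value stays allocated with refcount 0,
 * so an extra release is reported through `res` instead of touching freed
 * memory. */
static void rc_release(rc_value *v, scenario_result *res) {
    if (v->destroyed) {
        res->underflows++;
        fprintf(stderr, "underflow: %s released after destruction\n", v->name);
        return;
    }
    if (--v->refcount == 0) {
        v->destroyed = 1;   /* real code would run the destructor and free here */
    }
}

/* Any read of the value: reports a use of an already destroyed value. */
static void rc_use(rc_value *v, scenario_result *res) {
    if (v->destroyed) {
        res->stale_uses++;
        fprintf(stderr, "stale use: %s accessed after destruction\n", v->name);
    }
}

/* Model of $$a(): the engine holds a reference to the callee for the duration
 * of the call and must drop it exactly once afterwards. With `buggy` set, two
 * cleanup paths each drop it, which is the double decrement described in the
 * comment above. */
static void simulate_variable_call(rc_value *callee, int buggy, scenario_result *res) {
    rc_addref(callee);               /* reference taken for the call */
    rc_use(callee, res);             /* callee body runs */
    rc_release(callee, res);         /* first cleanup path drops the reference */
    if (buggy) {
        rc_release(callee, res);     /* second cleanup path drops it again */
    }
}

/* Replays the repro script: $b = function(){}; $$a(); $b->__invoke(); then
 * request shutdown releases the symbol table's reference to $b. */
static scenario_result run_scenario(int buggy) {
    scenario_result res = {0, 0};
    rc_value *b = rc_new("$b");
    simulate_variable_call(b, buggy, &res);
    rc_use(b, &res);                 /* $b->__invoke() */
    rc_release(b, &res);             /* shutdown_destructors drops $b */
    free(b);
    return res;
}

int main(void) {
    scenario_result ok = run_scenario(0);
    scenario_result bad = run_scenario(1);
    printf("correct: %d stale uses, %d underflows\n", ok.stale_uses, ok.underflows);
    printf("buggy:   %d stale uses, %d underflows\n", bad.stale_uses, bad.underflows);
    return 0;
}
```

With the correct release sequence the value is destroyed exactly once, at shutdown; with the duplicated release it is already gone when `$b->__invoke()` runs and again when shutdown tries to drop it, matching the two places the Valgrind trace below shows reading freed memory.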
------------------------------------------------------------------------
[2013-08-03 12:45:43] ni...@php.net

Description:
------------
closure_030.phpt segfaults on Travis.

Short repro script:

<?php

$b = function() { };
$a = 'b';
$$a();
$b->__invoke();

Valgrind output:

~/dev/php-dev$ USE_ZEND_ALLOC=0 valgrind sapi/cli/php t22.php 
==2074== Memcheck, a memory error detector
==2074== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==2074== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==2074== Command: sapi/cli/php t22.php
==2074== 
==2074== Invalid read of size 1
==2074==    at 0x8260376: zval_call_destructor (zend_execute_API.c:203)
==2074==    by 0x8286B2D: zend_hash_reverse_apply (zend_hash.c:775)
==2074==    by 0x8260452: shutdown_destructors (zend_execute_API.c:217)
==2074==    by 0x8274BC3: zend_call_destructors (zend.c:923)
==2074==    by 0x81D6742: php_request_shutdown (main.c:1745)
==2074==    by 0x831EDD9: do_cli (php_cli.c:1177)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074==  Address 0x44828f4 is 12 bytes inside a block of size 20 free'd
==2074==    at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2074==    by 0x823C602: _efree (zend_alloc.c:2437)
==2074==    by 0x82AB651: i_zval_ptr_dtor (zend_execute.h:82)
==2074==    by 0x82B1AC3: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:630)
==2074==    by 0x82B1CD3: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:682)
==2074==    by 0x82B097E: execute_ex (zend_vm_execute.h:356)
==2074==    by 0x82B0A33: zend_execute (zend_vm_execute.h:381)
==2074==    by 0x827636C: zend_execute_scripts (zend.c:1316)
==2074==    by 0x81D85C6: php_execute_script (main.c:2484)
==2074==    by 0x831E192: do_cli (php_cli.c:994)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074== 
==2074== Invalid read of size 4
==2074==    at 0x825F4F3: zval_refcount_p (zend.h:397)
==2074==    by 0x826038A: zval_call_destructor (zend_execute_API.c:203)
==2074==    by 0x8286B2D: zend_hash_reverse_apply (zend_hash.c:775)
==2074==    by 0x8260452: shutdown_destructors (zend_execute_API.c:217)
==2074==    by 0x8274BC3: zend_call_destructors (zend.c:923)
==2074==    by 0x81D6742: php_request_shutdown (main.c:1745)
==2074==    by 0x831EDD9: do_cli (php_cli.c:1177)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074==  Address 0x44828f0 is 8 bytes inside a block of size 20 free'd
==2074==    at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2074==    by 0x823C602: _efree (zend_alloc.c:2437)
==2074==    by 0x82AB651: i_zval_ptr_dtor (zend_execute.h:82)
==2074==    by 0x82B1AC3: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:630)
==2074==    by 0x82B1CD3: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:682)
==2074==    by 0x82B097E: execute_ex (zend_vm_execute.h:356)
==2074==    by 0x82B0A33: zend_execute (zend_vm_execute.h:381)
==2074==    by 0x827636C: zend_execute_scripts (zend.c:1316)
==2074==    by 0x81D85C6: php_execute_script (main.c:2484)
==2074==    by 0x831E192: do_cli (php_cli.c:994)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074== 
... and so on



------------------------------------------------------------------------