On Tue, 22 Jul 2003, Zeev Suraski wrote:

> At 04:10 22/07/2003, Sascha Schumann wrote:
> >sas             Mon Jul 21 21:10:31 2003 EDT
> >
> >  Modified files:              (Branch: PHP_4_3)
> >    /php-src/ext/session       session.c
> >  Log:
> >  Proper fix for #24592
> >
> >  The core issue is that undefined variables are refcounted (refcount != 0)
> >  while is_ref is still set to 0.  I don't know whether this is a bug in
> >  the engine, but it is not the first time this irregularity has caused
> >  problems for the session extension.
>
> There's nothing irregular about it, the session extension should get used
> to it :)

If it is not irregular, the engine code should be able to deal
with it correctly.  Right now, it falls over itself quickly and
dies ungracefully.

    (gdb) p *val
    $1 = (zval *) 0x816db84
    (gdb) p **val
    $1 = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0,
        obj = {ce = 0x0, properties = 0x0}}, type = 0 '\0', is_ref = 0 '\0',
      refcount = 6}

Note the refcount value.

When passing this zval to ZEND_SET_SYMBOL_WITH_LENGTH for the
second time, the engine causes a segfault, because it tries to
free memory it should not:

    (gdb) p *val
    $1 = (zval *) 0x816db84
    (gdb) p **val
    $2 = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0,
        obj = {ce = 0x0, properties = 0x0}}, type = 0 '\0', is_ref = 1 '\001',
      refcount = 6}

    641             ZEND_SET_SYMBOL_WITH_LENGTH(ht, str, str_len, *val,
    (gdb) n
    [Tue Jul 22 11:04:30 2003]  Script:  'f'
    ---------------------------------------
    php-src/ext/session/session.c(642) : Block 0x0816DB60 status:
    Beginning:      Overrun (magic=0x00000000, expected=0x7312F8DC)

    Program received signal SIGSEGV, Segmentation fault.
    0x4010ca3c in memcpy () from /lib/libc.so.6

Testcase (without the IS_NULL check in migrate_global):

    <?php

    $foo = $bar = $a;
    @session_start();
    $_SESSION['foo'] = $_SESSION['bar'] = $a;

- Sascha