On Tue, 22 Jul 2003, Zeev Suraski wrote:
> At 04:10 22/07/2003, Sascha Schumann wrote:
> >sas Mon Jul 21 21:10:31 2003 EDT
> >
> > Modified files: (Branch: PHP_4_3)
> > /php-src/ext/session session.c
> > Log:
> > Proper fix for #24592
> >
> > The core issue is that undefined variables are refcounted (refcount != 0)
> > while is_ref is still set to 0. I don't know whether this is a bug in
> > the engine, but it is not the first time this irregularity has caused
> > problems for the session extension.
>
> There's nothing irregular about it, the session extension should get used
> to it :)
If it is not irregular, the engine code should be able to
deal with it correctly. Right now, it falls over itself
quickly and dies ungracefully.
(gdb) p *val
$1 = (zval *) 0x816db84
(gdb) p **val
$1 = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0,
obj = {ce = 0x0, properties = 0x0}}, type = 0 '\0', is_ref = 0 '\0',
refcount = 6}
Note the refcount value. When passing this zval to
ZEND_SET_SYMBOL_WITH_LENGTH for the second time, the engine
causes a segfault, because it tries to free memory it should
not:
(gdb) p *val
$1 = (zval *) 0x816db84
(gdb) p **val
$2 = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0,
obj = {ce = 0x0, properties = 0x0}}, type = 0 '\0', is_ref = 1 '\001',
refcount = 6}
641 ZEND_SET_SYMBOL_WITH_LENGTH(ht, str, str_len,
*val,
(gdb) n
[Tue Jul 22 11:04:30 2003] Script: 'f'
---------------------------------------
php-src/ext/session/session.c(642) : Block 0x0816DB60 status:
Beginning: Overrun (magic=0x00000000, expected=0x7312F8DC)
Program received signal SIGSEGV, Segmentation fault.
0x4010ca3c in memcpy () from /lib/libc.so.6
Testcase (without the IS_NULL check in migrate_global):
<?php
$foo = $bar = $a;
@session_start();
$_SESSION['foo'] = $_SESSION['bar'] = $a;
- Sascha
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
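Added example (not code from the thread or from php-src): a constructed C model of the zval state the gdb dump shows, where one shared IS_NULL zval is flagged is_ref by the first migration and then discarded by the second while the globals still point at it. The names set_symbol_as_ref, migrate, replay and the symtable are the model's own; the guard is modelled on the IS_NULL check in migrate_global that the test case refers to, and the refcount of 4 is constructed, not the 6 from the dump.

```c
#include <string.h>
/* Constructed model (not engine code) of the zval fields the thread argues about. */
typedef struct { int type_is_null; int is_ref; int refcount; int freed; } zval;
/* Stand-in for the $_SESSION HashTable: name -> zval pointer, a few slots. */
typedef struct { const char *name[4]; zval *val[4]; int n; } symtable;

static zval **sym_find(symtable *t, const char *name) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->name[i], name) == 0) return &t->val[i];
    return NULL;
}
/* Drop one holder; the block counts as freed once nobody points at it. */
static void release(zval *v) { if (--v->refcount == 0) v->freed = 1; }

/* Model of ZEND_SET_SYMBOL_WITH_LENGTH storing `var` as a reference. Returns -1
 * when it would free a block other variables still use (the memcpy SIGSEGV). */
static int set_symbol_as_ref(symtable *t, const char *name, zval *var) {
    zval **orig = sym_find(t, name);
    if (orig && (*orig)->is_ref) {
        /* Slot already holds a reference: bind `var` into it, discard the incoming
         * block. If `var` IS that block (aliasing through the one shared
         * undefined-variable zval), the discard frees memory still in use. */
        int aliased = (var == *orig);
        var->refcount = (*orig)->refcount;
        *orig = var;
        if (aliased) { var->freed = 1; return -1; }
        return 0;
    }
    var->is_ref = 1;          /* flipped in place: every holder now sees a ref */
    var->refcount++;          /* the table holds it too */
    if (orig) { release(*orig); *orig = var; }
    else { t->name[t->n] = name; t->val[t->n] = var; t->n++; }
    return 0;
}

/* Caller-side guard modelled on the IS_NULL check in migrate_global mentioned
 * with the test case: never hand the shared undefined-variable zval to the macro. */
static int migrate(symtable *session, const char *name, zval *global, int guarded) {
    if (guarded && (global->is_ref || global->type_is_null)) return 0;
    return set_symbol_as_ref(session, name, global);
}

/* Replays the test case: $foo = $bar = $a with $a undefined, so the globals and
 * both session slots point at one IS_NULL zval (constructed refcount of 4). */
static int replay(int guarded) {
    zval shared = { 1, 0, 4, 0 };
    symtable session = { { "foo", "bar" }, { &shared, &shared }, 2 };
    if (migrate(&session, "foo", &shared, guarded) < 0) return -1;
    if (migrate(&session, "bar", &shared, guarded) < 0) return -1;
    return shared.freed ? -1 : 0;   /* -1 unguarded, 0 with the guard */
}
```

Without the guard the first pass sets is_ref on the block every variable shares, so the second pass takes the reference branch and frees it; with the guard the shared null zval is never handed to the macro.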