Hi Stas,

Actually this change in zend_object structure doesn't affect the previous
structure layout,
because of field alignment. The new 1 byte field created inside a 2 byte
hole that wasn't used before.

Thanks. Dmitry,

On Wed, Jan 9, 2013 at 8:53 PM, Stas Malyshev <smalys...@sugarcrm.com>wrote:

> Hi!
>
> Doesn't change of zend_objects_API.h change binary API? I'm not sure we
> can do it in 5.4.
>
> On 1/8/13 11:30 PM, Dmitry Stogov wrote:
> > Commit:    f9e8678dd3a41ed8a100d8201153a41d6fd25f2e
> > Author:    Dmitry Stogov <dmi...@zend.com>         Wed, 9 Jan 2013
> 11:30:50 +0400
> > Parents:   f3b1b8516906fe900e521216c8f01e362790af30
> > Branches:  PHP-5.4 PHP-5.5 master
> >
> > Link:
> http://git.php.net/?p=php-src.git;a=commitdiff;h=f9e8678dd3a41ed8a100d8201153a41d6fd25f2e
> >
> > Log:
> > Fixed bug #63882 (zend_std_compare_objects crash on recursion)
> >
> > Bugs:
> > https://bugs.php.net/63882
> >
> > Changed paths:
> >   M  NEWS
> >   A  Zend/tests/bug63882.phpt
> >   M  Zend/zend_object_handlers.c
> >   M  Zend/zend_objects_API.c
> >   M  Zend/zend_objects_API.h
> >
> >
> > Diff:
> > diff --git a/NEWS b/NEWS
> > index 1abd398..cfc0fa9 100644
> > --- a/NEWS
> > +++ b/NEWS
> > @@ -5,6 +5,7 @@ PHP
>                    NEWS
> >  - Core:
> >    . Fixed bug #63943 (Bad warning text from strpos() on empty needle).
> >      (Laruence)
> > +  . Fixed bug #63882 (zend_std_compare_objects crash on recursion).
> (Dmitry)
> >
> >  - Litespeed:
> >    . Fixed bug #63228 (-Werror=format-security error in lsapi code).
> (George)
> > diff --git a/Zend/tests/bug63882.phpt b/Zend/tests/bug63882.phpt
> > new file mode 100644
> > index 0000000..0cc1bab
> > --- /dev/null
> > +++ b/Zend/tests/bug63882.phpt
> > @@ -0,0 +1,15 @@
> > +--TEST--
> > +Bug #63882 (zend_std_compare_objects crash on recursion)
> > +--FILE--
> > +<?php
> > +class Test { public $x = 5; }
> > +
> > +$testobj1 = new Test;
> > +$testobj2 = new Test;
> > +$testobj1->x = $testobj1;
> > +$testobj2->x = $testobj2;
> > +
> > +var_dump($testobj1 == $testobj2);
> > +?>
> > +--EXPECTF--
> > +Fatal error: Nesting level too deep - recursive dependency? in
> %sbug63882.php on line 9
> > diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
> > index a76dfb3..3881c0e 100644
> > --- a/Zend/zend_object_handlers.c
> > +++ b/Zend/zend_object_handlers.c
> > @@ -35,6 +35,17 @@
> >  #define Z_OBJ_P(zval_p) \
> >
> ((zend_object*)(EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(zval_p)].bucket.obj.object))
> >
> > +#define Z_OBJ_PROTECT_RECURSION(zval_p) \
> > +     do { \
> > +             if
> (EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(zval_p)].apply_count++ >=
> 3) { \
> > +                     zend_error(E_ERROR, "Nesting level too deep -
> recursive dependency?"); \
> > +             } \
> > +     } while (0)
> > +
> > +
> > +#define Z_OBJ_UNPROTECT_RECURSION(zval_p) \
> > +
> EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(zval_p)].apply_count--
> > +
> >  /*
> >    __X accessors explanation:
> >
> > @@ -1319,28 +1330,43 @@ static int zend_std_compare_objects(zval *o1,
> zval *o2 TSRMLS_DC) /* {{{ */
> >       }
> >       if (!zobj1->properties && !zobj2->properties) {
> >               int i;
> > +
> > +             Z_OBJ_PROTECT_RECURSION(o1);
> > +             Z_OBJ_PROTECT_RECURSION(o2);
> >               for (i = 0; i < zobj1->ce->default_properties_count; i++) {
> >                       if (zobj1->properties_table[i]) {
> >                               if (zobj2->properties_table[i]) {
> >                                       zval result;
> >
> >                                       if (compare_function(&result,
> zobj1->properties_table[i], zobj2->properties_table[i] TSRMLS_CC)==FAILURE)
> {
> > +
> Z_OBJ_UNPROTECT_RECURSION(o1);
> > +
> Z_OBJ_UNPROTECT_RECURSION(o2);
> >                                               return 1;
> >                                       }
> >                                       if (Z_LVAL(result) != 0) {
> > +
> Z_OBJ_UNPROTECT_RECURSION(o1);
> > +
> Z_OBJ_UNPROTECT_RECURSION(o2);
> >                                               return Z_LVAL(result);
> >                                       }
> >                               } else {
> > +                                     Z_OBJ_UNPROTECT_RECURSION(o1);
> > +                                     Z_OBJ_UNPROTECT_RECURSION(o2);
> >                                       return 1;
> >                               }
> >                       } else {
> >                               if (zobj2->properties_table[i]) {
> > +                                     Z_OBJ_UNPROTECT_RECURSION(o1);
> > +                                     Z_OBJ_UNPROTECT_RECURSION(o2);
> >                                       return 1;
> >                               } else {
> > +                                     Z_OBJ_UNPROTECT_RECURSION(o1);
> > +                                     Z_OBJ_UNPROTECT_RECURSION(o2);
> >                                       return 0;
> >                               }
> >                       }
> >               }
> > +             Z_OBJ_UNPROTECT_RECURSION(o1);
> > +             Z_OBJ_UNPROTECT_RECURSION(o2);
> >               return 0;
> >       } else {
> >               if (!zobj1->properties) {
> > diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
> > index 4f3561e..1fe5d0c 100644
> > --- a/Zend/zend_objects_API.c
> > +++ b/Zend/zend_objects_API.c
> > @@ -117,6 +117,7 @@ ZEND_API zend_object_handle
> zend_objects_store_put(void *object, zend_objects_st
> >       obj = &EG(objects_store).object_buckets[handle].bucket.obj;
> >       EG(objects_store).object_buckets[handle].destructor_called = 0;
> >       EG(objects_store).object_buckets[handle].valid = 1;
> > +     EG(objects_store).object_buckets[handle].apply_count = 0;
> >
> >       obj->refcount = 1;
> >       GC_OBJ_INIT(obj);
> > diff --git a/Zend/zend_objects_API.h b/Zend/zend_objects_API.h
> > index c973b7a..a6ea9b8 100644
> > --- a/Zend/zend_objects_API.h
> > +++ b/Zend/zend_objects_API.h
> > @@ -31,6 +31,7 @@ typedef void (*zend_objects_store_clone_t)(void
> *object, void **object_clone TSR
> >  typedef struct _zend_object_store_bucket {
> >       zend_bool destructor_called;
> >       zend_bool valid;
> > +     zend_uchar apply_count;
> >       union _store_bucket {
> >               struct _store_object {
> >                       void *object;
> >
> >
>
>
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227
>

Reply via email to