Commit: 7da6498342d76c34892bfa247bc1779d8f5ee1e6 Author: Xinchen Hui <larue...@php.net> Fri, 30 Aug 2013 11:20:24 +0800 Parents: dfc6feb6e84f27094e6a2e3947caa094f7c35d26 Branches: PHP-5.4 PHP-5.5 master
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=7da6498342d76c34892bfa247bc1779d8f5ee1e6 Log: Fixed bug #60598 (cli/apache sapi segfault on objects manipulation) Bugs: https://bugs.php.net/60598 Changed paths: M NEWS A Zend/tests/bug60598.phpt M Zend/zend_objects_API.c Diff: diff --git a/NEWS b/NEWS index 6169cd0..42b69f5 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,8 @@ PHP NEWS ?? ??? 2013, PHP 5.4.20 - Core: + . Fixed bug #60598 (cli/apache sapi segfault on objects manipulation). + (Laruence) . Fixed bug #65579 (Using traits with get_class_methods causes segfault). (Adam) . Fixed bug #65490 (Duplicate calls to get lineno & filename for diff --git a/Zend/tests/bug60598.phpt b/Zend/tests/bug60598.phpt new file mode 100644 index 0000000..eeee75a --- /dev/null +++ b/Zend/tests/bug60598.phpt @@ -0,0 +1,30 @@ +--TEST-- +Bug #60598 (cli/apache sapi segfault on objects manipulation) +--FILE-- +<?php +define('OBJECT_COUNT', 10000); + +$containers = array(); + +class Object { + protected $_guid = 0; + public function __construct() { + global $containers; + $this->guid = 1; + $containers[spl_object_hash($this)] = $this; + } + public function __destruct() { + global $containers; + $containers[spl_object_hash($this)] = NULL; + } +} + +for ($i = 0; $i < OBJECT_COUNT; ++$i) { + new Object(); +} + +// You probably won't see this because of the "zend_mm_heap corrupted" +?> +If you see this, try to increase OBJECT_COUNT to 100,000 +--EXPECT-- +If you see this, try to increase OBJECT_COUNT to 100,000 diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c index 1fe5d0c..b5dd48f 100644 --- a/Zend/zend_objects_API.c +++ b/Zend/zend_objects_API.c @@ -57,6 +57,11 @@ ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects TS obj->dtor(obj->object, i TSRMLS_CC); obj = &objects->object_buckets[i].bucket.obj; obj->refcount--; + + if (obj->refcount == 0) { + /* in case gc_collect_cycle is triggered before free_storage */ + GC_REMOVE_ZOBJ_FROM_BUFFER(obj); + } } } } -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php