ID: 47353
Updated by: tony2...@php.net
Reported By: ob dot php at daevel dot fr
-Status: Open
+Status: Assigned
Bug Type: Reproducible crash
Operating System: debian lenny 64bits
PHP Version: 5.3CVS-2009-02-10 (snap)
-Assigned To:
+Assigned To: tony2001

New Comment:
I have a patch, but need to consult first before applying it.

Previous Comments:
------------------------------------------------------------------------

[2009-02-10 16:11:39] ob dot php at daevel dot fr

Excuse me, it's not due to the reference. This one has the same problem:

<?php
class A {
    function __destruct() {
        $myArray = array();
        for ($i = 1; $i <= 2000; $i++) {
            if (!isset($myArray[$i])) $myArray[$i] = array();
            $myArray[$i][] = new stdClass();
        }
    }
}
$a = new A();
?>

Note: all my tests were done with USE_ZEND_ALLOC=0

------------------------------------------------------------------------

[2009-02-10 15:57:09] ob dot php at daevel dot fr

Description:
------------
PHP may segfault if in an object destructor we use a reference to a large array to add another object instance.

Reproduce code:
---------------
<?php
class A {
    // The destructor creates 2000 new objects while this object is being torn down
    function __destruct() {
        $myArray = array();
        for ($i = 1; $i <= 2000; $i++) {
            if (!isset($myArray[$i])) $myArray[$i] = array();
            $ref = & $myArray[$i];
            $ref[] = new stdClass();
        }
    }
}
$a = new A();
?>

Expected result:
----------------
No crash, no valgrind alert.
Actual result:
--------------
==29611== Invalid read of size 4
==29611==    at 0x7DCA72: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:211)
==29611==    by 0x7DC87D: zend_objects_store_del_ref (zend_objects_API.c:171)
==29611==    by 0x7AC26E: _zval_dtor_func (zend_variables.c:52)
==29611==    by 0x79BF37: _zval_dtor (zend_variables.h:35)
==29611==    by 0x79C259: _zval_ptr_dtor (zend_execute_API.c:429)
==29611==    by 0x7AC635: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==29611==    by 0x7BF615: zend_hash_apply_deleter (zend_hash.c:611)
==29611==    by 0x7BFC6A: zend_hash_reverse_apply (zend_hash.c:760)
==29611==    by 0x79B920: shutdown_destructors (zend_execute_API.c:219)
==29611==    by 0x7ADFF5: zend_call_destructors (zend.c:867)
==29611==    by 0x72FD04: php_request_shutdown (main.c:1516)
==29611==    by 0x854339: main (php_cli.c:1340)
==29611==  Address 0x6f0bf70 is 112 bytes inside a block of size 65,536 free'd
==29611==    at 0x4C22741: realloc (vg_replace_malloc.c:429)
==29611==    by 0x787FB0: _erealloc (zend_alloc.c:2316)
==29611==    by 0x7DC6B4: zend_objects_store_put (zend_objects_API.c:112)
==29611==    by 0x7D78B2: zend_objects_new (zend_objects.c:124)
==29611==    by 0x7B3C42: _object_and_properties_init (zend_API.c:1058)
==29611==    by 0x7B3D4D: _object_init_ex (zend_API.c:1075)
==29611==    by 0x7E1D59: ZEND_NEW_SPEC_HANDLER (zend_vm_execute.h:477)
==29611==    by 0x7DF71A: execute (zend_vm_execute.h:104)
==29611==    by 0x79E6FA: zend_call_function (zend_execute_API.c:928)
==29611==    by 0x7CB5AF: zend_call_method (zend_interfaces.c:89)
==29611==    by 0x7D77BB: zend_objects_destroy_object (zend_objects.c:106)
==29611==    by 0x7DCA40: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:205)

[some other errors]

==29611== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 40 from 3)
==29611== malloc/free: in use at exit: 324 bytes in 12 blocks.
==29611== malloc/free: 34,713 allocs, 34,701 frees, 4,559,428 bytes allocated.
==29611== For counts of detected errors, rerun with: -v
==29611== searching for pointers to 12 not-freed blocks.
==29611== checked 961,440 bytes.
==29611==
==29611== LEAK SUMMARY:
==29611==    definitely lost: 292 bytes in 11 blocks.
==29611==    possibly lost: 0 bytes in 0 blocks.
==29611==    still reachable: 32 bytes in 1 blocks.
==29611==         suppressed: 0 bytes in 0 blocks.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=47353&edit=1
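The valgrind trace above pins down the failure mode: zend_objects_store_del_ref_by_handle_ex (line 205) calls the destructor, the destructor's `new stdClass()` calls reach zend_objects_store_put, which reallocs the object store's bucket array and frees the old 65,536-byte block, and when control returns to line 211 the deleting frame still reads through a pointer into that freed block. The C program below is an added example, not the Zend engine's code and not the patch tony2001 mentions; the store, its field and function names, and the deterministic relocation on growth are all constructed for illustration. It contrasts the unsafe shape (a bucket pointer cached across a destructor that may grow the store) with the safe shape (only the handle survives the callback and the bucket is re-indexed afterwards), without ever dereferencing the stale pointer itself.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a handle-indexed object store (not the Zend engine's
 * code): a growable bucket array that a destructor can enlarge mid-delete. */
typedef struct store store_t;
typedef void (*dtor_fn)(store_t *s, unsigned handle);

typedef struct {
    int     refcount;
    int     destructed;
    dtor_fn dtor;          /* hypothetical per-object destructor hook */
} bucket_t;

struct store {
    bucket_t *buckets;
    unsigned  count;
    unsigned  capacity;
};

static void store_init(store_t *s, unsigned capacity) {
    s->buckets  = malloc(capacity * sizeof *s->buckets);
    s->count    = 0;
    s->capacity = capacity;
}

/* Growth always relocates the block (allocate, copy, free) so the stale
 * pointer case is deterministic here; a real realloc() may or may not move. */
static unsigned store_put(store_t *s, dtor_fn dtor) {
    if (s->count == s->capacity) {
        bucket_t *nb = malloc(2u * s->capacity * sizeof *nb);
        memcpy(nb, s->buckets, s->count * sizeof *nb);
        free(s->buckets);
        s->buckets   = nb;
        s->capacity *= 2;
    }
    bucket_t *b = &s->buckets[s->count];
    b->refcount = 1;
    b->destructed = 0;
    b->dtor = dtor;
    return s->count++;
}

/* Unsafe shape: the bucket pointer is cached, the destructor runs (and may
 * grow the store), and the cached pointer is still treated as valid after.
 * Instead of touching possibly freed memory, this version only reports
 * whether the cached pointer went stale, which is what valgrind flagged. */
static int store_del_ref_unsafe(store_t *s, unsigned handle) {
    bucket_t *cached   = &s->buckets[handle];
    uintptr_t old_base = (uintptr_t)s->buckets;
    if (--cached->refcount == 0 && !cached->destructed) {
        cached->destructed = 1;
        if (cached->dtor) cached->dtor(s, handle);
    }
    return (uintptr_t)s->buckets != old_base; /* 1: cached is now dangling */
}

/* Safe shape: only the handle survives the callback; the bucket is looked up
 * again in the current array before any further use. */
static int store_del_ref_safe(store_t *s, unsigned handle) {
    bucket_t *b = &s->buckets[handle];
    if (--b->refcount == 0 && !b->destructed) {
        b->destructed = 1;
        if (b->dtor) b->dtor(s, handle);
        b = &s->buckets[handle];      /* re-fetch: the array may have moved */
    }
    return b->refcount;
}

/* Destructor modelled on the report: creates 2000 objects while the frame
 * that is deleting this object is still on the stack. */
static void allocating_dtor(store_t *s, unsigned handle) {
    (void)handle;
    for (int i = 0; i < 2000; i++) store_put(s, NULL);
}

/* Returns 1 when the unsafe deleter ended up holding a dangling pointer. */
int demo_unsafe(void) {
    store_t s;
    store_init(&s, 4);
    unsigned h = store_put(&s, allocating_dtor);
    int stale = store_del_ref_unsafe(&s, h);
    free(s.buckets);
    return stale;
}

/* Returns 1 when the safe deleter finished with refcount 0 and the store
 * holds the original object plus the 2000 created by its destructor. */
int demo_safe(void) {
    store_t s;
    store_init(&s, 4);
    unsigned h = store_put(&s, allocating_dtor);
    int rc = store_del_ref_safe(&s, h);
    int grown = (s.count == 2001u);
    free(s.buckets);
    return rc == 0 && grown;
}
```

The defensive rule the safe variant follows is the one a reviewer would look for in any store whose callbacks can allocate: nothing that survives a re-entrant call may be a raw pointer into a growable array, only an index or handle that is resolved again after the call. Running the original reproducer under valgrind with USE_ZEND_ALLOC=0, as the reporter did, is what makes the stale read visible, because the system allocator is what valgrind instruments.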