[2019-12-16 17:54 UTC] nikic@php.net
-Status: Open
+Status: Closed
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Fri Oct 24 23:00:01 2025 UTC
Description:
------------
If global regs are used, and during the execution of a function the opline is never stored, then a destructor call during CV freeing may result in a segfault when attempting to read the current opline in zend_call_function.

==20975== Use of uninitialised value of size 8
==20975==    at 0x91F333: zend_call_function (zend_execute_API.c:678)
==20975==    by 0x9895DE: zend_objects_destroy_object (zend_objects.c:179)
==20975==    by 0x990A30: zend_objects_store_del (zend_objects_API.c:178)
==20975==    by 0x93489B: rc_dtor_func (zend_variables.c:57)
==20975==    by 0x9A6C9C: i_free_compiled_variables (zend_execute.c:3407)
==20975==    by 0xA10528: execute_ex (zend_vm_execute.h:53450)
==20975==    by 0xA14ACB: zend_execute (zend_vm_execute.h:57669)
==20975==    by 0x938F4A: zend_execute_scripts (zend.c:1665)
==20975==    by 0x89B078: php_execute_script (main.c:2619)
==20975==    by 0xA1769D: do_cli (php_cli.c:961)
==20975==    by 0xA18807: main (php_cli.c:1352)

In PHP 7.3 this did not happen, because EX(opline) was always written during execute_data initialization. However, the behavior may not have been exactly right, as the opline might still have been stale.

Test script:
---------------
<?php
// Empty body: no opcode handler in test() ever stores EX(opline).
function test($x) {
}

// The argument object is held in a CV of test(); freeing that CV on return
// runs __destruct, and zend_call_function then reads the never-stored opline.
test(new class {
    public function __destruct() {
    }
});
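To make the three opline states the report describes concrete (never stored, stored once at frame setup and therefore stale, written back before the CVs are freed), here is an added C model of the mechanism. It is not php-src code: frame_t, run_function, the policy enum and the SAVE_BEFORE_FREE write-back are assumptions for illustration, and the write-back is not a claim about the fix PHP actually applied.

```c
#include <stddef.h>

/* Hypothetical miniature of the executor frame; not php-src code. */
static const int unset_marker;               /* stands in for uninitialised memory */
#define OPLINE_UNINIT (&unset_marker)

/* constructed: ops[0] is the entry opline, ops[1] the RETURN opline */
static const int ops[2] = {0, 1};

typedef struct {
    const int *opline;   /* EX(opline): the in-memory copy zend_call_function reads */
    int cv_object;       /* one CV holding an object whose __destruct runs on free */
} frame_t;

enum { INIT_NEVER, INIT_AT_FRAME_SETUP, SAVE_BEFORE_FREE };

static const int *seen_by_destructor;

/* The destructor path (zend_call_function) reads the calling frame's opline. */
static void destructor_hook(const frame_t *ex) { seen_by_destructor = ex->opline; }

/* Execute an empty function body, then free its CVs.  With global regs the
   current opline lives in a CPU register; ex->opline changes only on an
   explicit store, which this body never performs on its own. */
static const int *run_function(int policy) {
    frame_t ex = { OPLINE_UNINIT, 1 };
    const int *opline = &ops[0];           /* register copy */
    if (policy == INIT_AT_FRAME_SETUP)
        ex.opline = opline;                /* 7.3 behaviour: stored once, goes stale */
    opline = &ops[1];                      /* body runs to RETURN; nothing stores */
    if (policy == SAVE_BEFORE_FREE)
        ex.opline = opline;                /* assumed remedy: write back before CV free */
    ex.cv_object = 0;                      /* i_free_compiled_variables -> __destruct */
    destructor_hook(&ex);
    return seen_by_destructor;
}

/* What the destructor observed under each policy. */
static int opline_is_uninitialised(int policy) { return run_function(policy) == OPLINE_UNINIT; }
static int opline_is_current(int policy) { return run_function(policy) == &ops[1]; }
```

Under Valgrind the real engine reports the INIT_NEVER case as the "Use of uninitialised value" above; the INIT_AT_FRAME_SETUP case is silent but points at the wrong opline.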