php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #46380 incorrect reference counting in "=&new".
Submitted: 2008-10-24 13:40 UTC Modified: 2008-11-04 01:00 UTC
From: marek dot miska at netart dot pl Assigned: dmitry (profile)
Status: No Feedback Package: Reproducible crash
PHP Version: 5.2.6 OS: linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: marek dot miska at netart dot pl
New email:
PHP Version: OS:

 

 [2008-10-24 13:40 UTC] marek dot miska at netart dot pl 
Description:
------------
Incorrect reference counting in:
ZEND_VM_HANDLER(39, ZEND_ASSIGN_REF, VAR|CV, VAR|CV)
refcount is decremented twice.

(In short: ZEND_RETURNS_FUNCTION for "new" is missing).

It's fixed in 5.3.0alpha1 with ZEND_RETURNS_NEW.
But it will be nice to have it also in stable version.

Reproduce code:
---------------
<?
class A{
	function A() {
		global $g;
		$g[0] = $g[1] = $this;
	}

	function __destruct() { }
}

$g = array();

for($i=0; $i<1000; ++$i)
{
	$a =& new A;
}
?>

Expected result:
----------------
Exit without any errors.

Actual result:
--------------
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-10-24 15:40 UTC] jani@php.net 
Dmitry, can you check this out please?
 [2008-10-24 15:41 UTC] jani@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

Actually your script does not crash with latest CVS snapshot of PHP_5_2 branch.
 [2008-10-27 10:52 UTC] dmitry@php.net 
I don't see any memory errors on this script with PHP_5_2 too.
 [2008-11-04 01:00 UTC] php-bugs at lists dot php dot net 
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Nov 04 17:00:01 2025 UTC