Bug #47353 crash with reference on array in a destructor
Submitted: 2009-02-10 15:57 UTC Modified: 2009-02-11 10:28 UTC
From: ob dot php at daevel dot fr Assigned: tony2001 (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.3CVS-2009-02-10 (snap) OS: debian lenny 64bits
Private report: No CVE-ID: None
 [2009-02-10 15:57 UTC] ob dot php at daevel dot fr
Description:
------------
PHP may segfault if, in an object destructor, we use a reference to a large array to add another object instance.

Reproduce code:
---------------
<?php
class A
{
    function __destruct()
    {
        $myArray = array();

        for($i = 1; $i <= 2000; $i++) {
            if(!isset($myArray[$i]))
                $myArray[$i] = array();
            $ref = & $myArray[$i];
            $ref[] = new stdClass();
        }
    }
}

$a = new A();
?>

Expected result:
----------------
No crash, no valgrind alert.

Actual result:
--------------
==29611== Invalid read of size 4
==29611==    at 0x7DCA72: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:211)
==29611==    by 0x7DC87D: zend_objects_store_del_ref (zend_objects_API.c:171)
==29611==    by 0x7AC26E: _zval_dtor_func (zend_variables.c:52)
==29611==    by 0x79BF37: _zval_dtor (zend_variables.h:35)
==29611==    by 0x79C259: _zval_ptr_dtor (zend_execute_API.c:429)
==29611==    by 0x7AC635: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==29611==    by 0x7BF615: zend_hash_apply_deleter (zend_hash.c:611)
==29611==    by 0x7BFC6A: zend_hash_reverse_apply (zend_hash.c:760)
==29611==    by 0x79B920: shutdown_destructors (zend_execute_API.c:219)
==29611==    by 0x7ADFF5: zend_call_destructors (zend.c:867)
==29611==    by 0x72FD04: php_request_shutdown (main.c:1516)
==29611==    by 0x854339: main (php_cli.c:1340)
==29611==  Address 0x6f0bf70 is 112 bytes inside a block of size 65,536 free'd
==29611==    at 0x4C22741: realloc (vg_replace_malloc.c:429)
==29611==    by 0x787FB0: _erealloc (zend_alloc.c:2316)
==29611==    by 0x7DC6B4: zend_objects_store_put (zend_objects_API.c:112)
==29611==    by 0x7D78B2: zend_objects_new (zend_objects.c:124)
==29611==    by 0x7B3C42: _object_and_properties_init (zend_API.c:1058)
==29611==    by 0x7B3D4D: _object_init_ex (zend_API.c:1075)
==29611==    by 0x7E1D59: ZEND_NEW_SPEC_HANDLER (zend_vm_execute.h:477)
==29611==    by 0x7DF71A: execute (zend_vm_execute.h:104)
==29611==    by 0x79E6FA: zend_call_function (zend_execute_API.c:928)
==29611==    by 0x7CB5AF: zend_call_method (zend_interfaces.c:89)
==29611==    by 0x7D77BB: zend_objects_destroy_object (zend_objects.c:106)
==29611==    by 0x7DCA40: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:205)

[some other errors]

==29611== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 40 from 3)
==29611== malloc/free: in use at exit: 324 bytes in 12 blocks.
==29611== malloc/free: 34,713 allocs, 34,701 frees, 4,559,428 bytes allocated.
==29611== For counts of detected errors, rerun with: -v
==29611== searching for pointers to 12 not-freed blocks.
==29611== checked 961,440 bytes.
==29611== 
==29611== LEAK SUMMARY:
==29611==    definitely lost: 292 bytes in 11 blocks.
==29611==      possibly lost: 0 bytes in 0 blocks.
==29611==    still reachable: 32 bytes in 1 blocks.
==29611==         suppressed: 0 bytes in 0 blocks.


 [2009-02-10 16:11 UTC] ob dot php at daevel dot fr
Excuse me, it's not due to the reference. This one has the same problem:
<?php
class A
{
	function __destruct()
	{
		$myArray = array();

		for($i = 1; $i <= 2000; $i++) {
			if(!isset($myArray[$i]))
				$myArray[$i] = array();
			$myArray[$i][] = new stdClass();
		}
	}
}

$a = new A();
?>

Note: all my tests were done with USE_ZEND_ALLOC=0
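The valgrind trace in the first post shows zend_objects_store_del_ref_by_handle_ex reading an address inside a block that realloc() freed while the destructor was still running, because the 2000 new objects grew the object store (zend_objects_store_put, _erealloc). The constructed C below is an added illustration of that realloc-invalidation pattern and of the defensive re-lookup by handle; it is not PHP's code or the committed fix, and the store_t, store_put and store_del_* names are assumed.

```c
#include <stdlib.h>

/* Constructed model of an object store: a growable array of buckets.
 * Assumption: a simplified stand-in, not the Zend engine's real structures. */
typedef struct store store_t;
typedef void (*dtor_fn)(store_t *s, int handle);
typedef struct { int alive; dtor_fn dtor; } bucket_t;
struct store { bucket_t *buckets; int used, cap; };

/* Add an object; may realloc() and move every bucket to a new address. */
int store_put(store_t *s, dtor_fn dtor) {
    if (s->used == s->cap) {
        int cap = s->cap ? s->cap * 2 : 4;
        bucket_t *p = realloc(s->buckets, (size_t)cap * sizeof *p);
        if (!p) abort();
        s->buckets = p; s->cap = cap;
    }
    s->buckets[s->used] = (bucket_t){ 1, dtor };
    return s->used++;
}
/* Buggy pattern: caches a pointer into the array across the destructor call.
 * If the destructor adds objects, realloc() frees the old block and the final
 * write lands in freed memory. Shown for contrast only; the demo never calls it. */
void store_del_unsafe(store_t *s, int handle) {
    bucket_t *obj = &s->buckets[handle];
    if (obj->dtor) obj->dtor(s, handle);   /* may realloc s->buckets */
    obj->alive = 0;                        /* stale pointer after growth */
}
/* Fixed pattern: re-index by handle after any callback that may grow the
 * store, instead of trusting an address taken before it. */
void store_del_safe(store_t *s, int handle) {
    dtor_fn d = s->buckets[handle].dtor;
    if (d) d(s, handle);
    s->buckets[handle].alive = 0;          /* looked up again, so valid */
}
/* Destructor modelling the report: allocates 2000 objects while running. */
static void spawning_dtor(store_t *s, int handle) {
    (void)handle;
    for (int i = 0; i < 2000; i++) store_put(s, NULL);
}
/* Returns the number of live objects left after deleting the spawner. */
int demo_safe_delete(void) {
    store_t s = { NULL, 0, 0 };
    int h = store_put(&s, spawning_dtor);
    store_del_safe(&s, h);
    int live = 0;
    for (int i = 0; i < s.used; i++) live += s.buckets[i].alive;
    free(s.buckets);
    return live;                           /* 2000: only the spawner died */
}
```

Running the unsafe variant under valgrind reproduces the same "Invalid read ... inside a block ... free'd by realloc" shape as the report; the safe variant does not, since the bucket address is recomputed from the handle after the callback.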
 [2009-02-10 16:38 UTC] tony2001@php.net
I have a patch, but need to consult first before applying it.
 [2009-02-11 09:59 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fix committed to 5_2, 5_3 and HEAD.
 [2009-02-11 10:20 UTC] ob dot php at daevel dot fr
Thanks :)

Can I have the commit number to be able to backport this patch, please?
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 11:01:29 2024 UTC