[2021-11-11 07:09 UTC] tstarling@php.net
[2021-11-11 08:08 UTC] nikic@php.net
[2021-11-11 08:08 UTC] nikic@php.net
-Status: Open
+Status: Duplicate
Description:
------------
Handlers of jump-like opcodes update the opline to point to the jump target before checking EG(vm_interrupt) and calling the interrupt handler. If an exception is thrown by the interrupt handler, the ZEND_HANDLE_EXCEPTION handler will free the return value of the target opline, even though it has had no opportunity to run yet.

There will be a PR.

Test script:
---------------
<?php
/* Run with opcache.enable_cli=1 and send SIGUSR1 several times */
class C {
	public static $cond = 1;
	public static $a;
}
C::$a = [ C::$cond ]; // make countable zval

function go() {
	while ( true ) {
		$cond = C::$cond;
		// T1 = FETCH_STATIC_PROP_R string("a") string("C")
		C::$a;
		// FREE T1
		// JMPZ CV0($cond) 0000
		if ( $cond )
			// T1 = FETCH_STATIC_PROP_R string("a") string("C")
			// (not executed but T1 freed)
			C::$a;
	}
}

pcntl_async_signals( true );
pcntl_signal( SIGUSR1, function () {
	throw new Exception( 'ping' );
} );

while ( true ) {
	try {
		go();
	} catch ( Exception $e ) {}
}

Actual result:
--------------
It crashes after receiving about 4 SIGUSR1 signals.
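The ordering problem the report describes, reduced to a toy interpreter in C. This is an added illustration and is not code from php-src or from the PR the reporter mentions: a refcounted value stands in for the countable zval in C::$a, two T slots stand in for the function's temporaries, an int flag stands in for EG(vm_interrupt), and the exception handler releases the result slot of whichever opline it finds current, as the report says ZEND_HANDLE_EXCEPTION does. The program, the field names and the second (check-before-move) ordering are this model's own choices, used only to contrast with the ordering in the report.

```c
#include <stdio.h>

/* Toy model of the interrupt/exception ordering issue (added illustration,
 * not PHP engine code). The T slot written by FETCH and released by FREE
 * keeps its stale pointer afterwards, as a temporary in a real VM would. */

typedef struct { int refcount; } value_t;

enum opcode { OP_FETCH, OP_FREE, OP_JMPZ, OP_RET };

typedef struct {
    enum opcode op;
    int result;   /* T slot defined by FETCH or released by FREE */
    int target;   /* jump target index for JMPZ */
} opline_t;

typedef struct {
    const opline_t *ops;
    int pc;                 /* the current opline, like EX(opline) */
    value_t *tmp[2];        /* T slots; FREE leaves the stale pointer in place */
    value_t *prop;          /* C::$a, which holds one reference */
    int cond;               /* 0 here, so the JMPZ is taken */
    int interrupt;          /* models EG(vm_interrupt) */
    int exception;          /* set once the interrupt handler has thrown */
    int freed_live_value;   /* set if refcount hits 0 while C::$a still holds it */
} vm_t;

static void release(vm_t *vm, value_t *v) {
    if (--v->refcount == 0 && vm->prop == v)
        vm->freed_live_value = 1;   /* a real engine now has a dangling zval */
}

/* The signal callback in the test script throws an exception. */
static void handle_interrupt(vm_t *vm) {
    vm->interrupt = 0;
    vm->exception = 1;
}

/* The behaviour the report attributes to ZEND_HANDLE_EXCEPTION: release the
 * result of the opline that is current, assuming that opline has already run. */
static void handle_exception(vm_t *vm) {
    const opline_t *cur = &vm->ops[vm->pc];
    if (cur->op == OP_FETCH)
        release(vm, vm->tmp[cur->result]);
    vm->exception = 0;
}

/* One pass over the program. Only the jump opcode checks the interrupt flag;
 * check_before_jump selects where in the handler that check happens. */
static void run(vm_t *vm, int check_before_jump) {
    for (;;) {
        const opline_t *cur = &vm->ops[vm->pc];
        switch (cur->op) {
        case OP_FETCH:
            vm->tmp[cur->result] = vm->prop;
            vm->prop->refcount++;
            vm->pc++;
            break;
        case OP_FREE:
            release(vm, vm->tmp[cur->result]);   /* slot keeps the stale pointer */
            vm->pc++;
            break;
        case OP_JMPZ: {
            int next = vm->cond ? vm->pc + 1 : cur->target;
            if (!check_before_jump)
                vm->pc = next;          /* ordering from the report: move first */
            if (vm->interrupt)
                handle_interrupt(vm);
            if (vm->exception) {
                handle_exception(vm);   /* sees either the JMPZ or its target */
                return;
            }
            vm->pc = next;
            break;
        }
        case OP_RET:
            return;
        }
    }
}

/* The shape of go(): T1 is used and freed, then a JMPZ lands on a FETCH
 * that would define T1 again but has not run when the interrupt fires. */
static const opline_t program[] = {
    { OP_FETCH, 0, 0 },   /* T1 = C::$a */
    { OP_FREE,  0, 0 },   /* FREE T1 */
    { OP_JMPZ,  0, 3 },   /* JMPZ $cond -> 0003 */
    { OP_FETCH, 0, 0 },   /* T1 = C::$a (jump target, not yet executed) */
    { OP_RET,   0, 0 },
};

/* Returns 1 if the run destroyed the value that C::$a still references. */
static int reproduce(int check_before_jump) {
    value_t a = { 1 };                                        /* held by C::$a */
    vm_t vm = { .ops = program, .prop = &a, .interrupt = 1 }; /* signal pending */
    run(&vm, check_before_jump);
    return vm.freed_live_value;
}

int main(void) {
    printf("check after moving opline:  freed live value = %d\n", reproduce(0));
    printf("check before moving opline: freed live value = %d\n", reproduce(1));
    return 0;
}
```

With the report's ordering the exception handler finds the target FETCH current and releases T1, whose slot still holds the pointer left by the earlier FETCH/FREE pair; the one reference C::$a holds is therefore dropped, which is the double release behind the crash. When the flag is checked while the JMPZ is still current, the handler sees an opline with no result and releases nothing.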