php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34617 zend_deactivate: objects_store used after zend_objects_store_destroy is called
Submitted: 2005-09-23 16:17 UTC Modified: 2005-09-27 20:11 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: guillaume dot outters at free dot fr Assigned: dmitry
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS, 6CVS (2005-09-23) OS: Mac OS X 10.4.2
Private report: No CVE-ID:
 [2005-09-23 16:17 UTC] guillaume dot outters at free dot fr

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-09-23 16:25 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip

Please don't report issues unless you can reproduce the with PHP 5.1 snaps too. 
 [2005-09-23 16:56 UTC] guillaume dot outters at free dot fr
Same exact problem with 5.1.0RC2-dev (only line numbers in the 
backtrace differ).
 [2005-09-23 20:06 UTC] sniper@php.net
Dmitry, this is not looking good. Can you check it out?

 [2005-09-24 15:11 UTC] tony2001@php.net
Yet another chicken-and-egg problem with resources and objects.
xml_parser uses object for callbacks that is already destroyed at the time when the resource is being destroyed.

2 guillaume dot outters at free dot fr:
Please try to make a reproduce case shorter than 1.7Mb. 
 [2005-09-24 16:43 UTC] guillaume dot outters at free dot fr
OK, here we go for a shorter crasher:

<?php
class Thing {}
function boom()
{
    $reader = xml_parser_create();
    xml_set_object($reader, new Thing());
    die("here");
    xml_parser_free($reader);
}
boom();
?>

Some comments on the environment:

- crashes with CLI (that could be useful to speed up testing  
and avoid crashing your company's internet web server)
- Doesn't crash with the default Tiger PHP (4.3.11)
- Doesn't crash with my modification (freing the store after 
resources). That said, it was a quick fix, and I don't know 
the Zend engine sufficently to ensure it is safe in other 
situations.

Some comments on the crasher:

- dying() after the xml_parser_free doesn't crash anymore 
(the parser has been manually freed, so that's the same as 
freing resources before the objects_store).
- the code must be in a function to crash.
 [2005-09-27 20:11 UTC] dmitry@php.net
Fixed in CVS HEAD, PHP_5_1 and PHP_5_0.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 19:01:51 2014 UTC