php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #47353 crash with reference on array in a destructor
Submitted: 2009-02-10 15:57 UTC Modified: 2009-02-11 10:28 UTC
From: ob dot php at daevel dot fr Assigned: tony2001
Status: Closed Package: Reproducible crash
PHP Version: 5.3CVS-2009-02-10 (snap) OS: debian lenny 64bits
Private report: No CVE-ID:
 [2009-02-10 15:57 UTC] ob dot php at daevel dot fr
Description:
------------
PHP may segfault if in an object destructor we use reference to a large array to add an other object instance.

Reproduce code:
---------------
<?php
class A
{
    function __destruct()
    {
        $myArray = array();

        for($i = 1; $i <= 2000; $i++) {
            if(!isset($myArray[$i]))
                $myArray[$i] = array();
            $ref = & $myArray[$i];
            $ref[] = new stdClass();
        }
    }
}

$a = new A();
?>

Expected result:
----------------
No crash, no valgrind alert.

Actual result:
--------------
==29611== Invalid read of size 4
==29611==    at 0x7DCA72: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:211)
==29611==    by 0x7DC87D: zend_objects_store_del_ref (zend_objects_API.c:171)
==29611==    by 0x7AC26E: _zval_dtor_func (zend_variables.c:52)
==29611==    by 0x79BF37: _zval_dtor (zend_variables.h:35)
==29611==    by 0x79C259: _zval_ptr_dtor (zend_execute_API.c:429)
==29611==    by 0x7AC635: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==29611==    by 0x7BF615: zend_hash_apply_deleter (zend_hash.c:611)
==29611==    by 0x7BFC6A: zend_hash_reverse_apply (zend_hash.c:760)
==29611==    by 0x79B920: shutdown_destructors (zend_execute_API.c:219)
==29611==    by 0x7ADFF5: zend_call_destructors (zend.c:867)
==29611==    by 0x72FD04: php_request_shutdown (main.c:1516)
==29611==    by 0x854339: main (php_cli.c:1340)
==29611==  Address 0x6f0bf70 is 112 bytes inside a block of size 65,536 free'd
==29611==    at 0x4C22741: realloc (vg_replace_malloc.c:429)
==29611==    by 0x787FB0: _erealloc (zend_alloc.c:2316)
==29611==    by 0x7DC6B4: zend_objects_store_put (zend_objects_API.c:112)
==29611==    by 0x7D78B2: zend_objects_new (zend_objects.c:124)
==29611==    by 0x7B3C42: _object_and_properties_init (zend_API.c:1058)
==29611==    by 0x7B3D4D: _object_init_ex (zend_API.c:1075)
==29611==    by 0x7E1D59: ZEND_NEW_SPEC_HANDLER (zend_vm_execute.h:477)
==29611==    by 0x7DF71A: execute (zend_vm_execute.h:104)
==29611==    by 0x79E6FA: zend_call_function (zend_execute_API.c:928)
==29611==    by 0x7CB5AF: zend_call_method (zend_interfaces.c:89)
==29611==    by 0x7D77BB: zend_objects_destroy_object (zend_objects.c:106)
==29611==    by 0x7DCA40: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:205)

[some other errors]

==29611== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 40 from 3)
==29611== malloc/free: in use at exit: 324 bytes in 12 blocks.
==29611== malloc/free: 34,713 allocs, 34,701 frees, 4,559,428 bytes allocated.
==29611== For counts of detected errors, rerun with: -v
==29611== searching for pointers to 12 not-freed blocks.
==29611== checked 961,440 bytes.
==29611== 
==29611== LEAK SUMMARY:
==29611==    definitely lost: 292 bytes in 11 blocks.
==29611==      possibly lost: 0 bytes in 0 blocks.
==29611==    still reachable: 32 bytes in 1 blocks.
==29611==         suppressed: 0 bytes in 0 blocks.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-02-10 16:11 UTC] ob dot php at daevel dot fr
Excuse me, it's not due to the reference. This is one have the same problem :
<?php
class A
{
	function __destruct()
	{
		$myArray = array();

		for($i = 1; $i <= 2000; $i++) {
			if(!isset($myArray[$i]))
				$myArray[$i] = array();
			$myArray[$i][] = new stdClass();
		}
	}
}

$a = new A();
?>

Note : all my tests was done with USE_ZEND_ALLOC=0
 [2009-02-10 16:38 UTC] tony2001@php.net
I have a patch, but need to consult first before applying it.
 [2009-02-11 09:59 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fix commited to 5_2, 5_3 and HEAD.
 [2009-02-11 10:20 UTC] ob dot php at daevel dot fr
Thanks :)

Can I have the commit number to be able to backport this patch please ?
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 16:02:23 2014 UTC