|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #54423 classes from dl()'ed extensions are not destroyed
Submitted: 2011-03-30 14:53 UTC Modified: 2011-03-31 13:59 UTC
From: Assigned: tony2001 (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.3SVN-2011-03-30 (SVN) OS:
Private report: No CVE-ID: None
 [2011-03-30 14:53 UTC]
If an extension loaded with dl() declares any clasess, these classes are not destroyed along with the module and it's other resources.
That causes crashes when using delayed early binding, though that's not a requirement, see reproduce case below.

Test script:
Reproduce case is quite intricate:
start ONE child process of any PHP SAPI (except CLI/CGI/embed, of course)
execute this code:
dl(<extension declaring any internal classes with create_object() handler>)
$o = new <That class>;

then comment out the dl() and execute it again.
The class is still present, but it's handler pointers are invalid, therefore PHP will crash with a similar backtrace:
Program received signal SIGSEGV, Segmentation fault.
0xb6e17da0 in ?? ()
(gdb) bt
#0  0xb6e17da0 in ?? ()
#1  0x081cc629 in _object_and_properties_init (arg=0x83deae8, class_type=0x8455380, properties=0x0)
    at /local/dev/php/PHP_5_3/Zend/zend_API.c:1088
#2  0x081cc730 in _object_init_ex (arg=0x83deae8, class_type=0x8455380) at /local/dev/php/PHP_5_3/Zend/zend_API.c:1096
#3  0x081ee86d in ZEND_NEW_SPEC_HANDLER (execute_data=0x8411d80) at /local/dev/php/PHP_5_3/Zend/zend_vm_execute.h:476
#4  0x081eb4f9 in execute (op_array=0x83dd3f4) at /local/dev/php/PHP_5_3/Zend/zend_vm_execute.h:107
#5  0x081cab82 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /local/dev/php/PHP_5_3/Zend/zend.c:1194
#6  0x08179b90 in php_execute_script (primary_file=0xbfda0cb0) at /local/dev/php/PHP_5_3/main/main.c:2268
#7  0x0825a53d in main (argc=1, argv=0xbfda0e04) at /local/dev/php/PHP_5_3/sapi/fpm/fpm/fpm_main.c:1882
(gdb) f 1
#1  0x081cc629 in _object_and_properties_init (arg=0x83deae8, class_type=0x8455380, properties=0x0)
    at /local/dev/php/PHP_5_3/Zend/zend_API.c:1088
1088                    Z_OBJVAL_P(arg) = class_type->create_object(class_type TSRMLS_CC);
(gdb) p class_type->create_object
$1 = (zend_object_value (*)(zend_class_entry *)) 0xb6e17da0
(gdb) p *class_type->create_object
Cannot access memory at address 0xb6e17da0


dlunload_destroy_classes.diff (last revision 2011-03-30 12:55 UTC by tony at daylessday dot org)

Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2011-03-31 13:59 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: tony2001
 [2011-03-31 13:59 UTC]
Patch committed.
 [2011-03-31 13:59 UTC]
Automatic comment from SVN on behalf of tony2001
Log: fix bug #54423 (classes from dl()'ed extensions are not destroyed)
 [2011-04-01 01:58 UTC]
Automatic comment from SVN on behalf of pajoye
Log: - fix bug #54423, fix build in trunk, introduce by previous related commit
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 01 11:01:29 2024 UTC