Bug #54423 classes from dl()'ed extensions are not destroyed
Submitted: 2011-03-30 14:53 UTC
Modified: 2011-03-31 13:59 UTC
From: tony2001@php.net
Assigned: tony2001
Status: Closed
Package: Scripting Engine problem
PHP Version: 5.3SVN-2011-03-30 (SVN)
OS:
Private report: No
CVE-ID:
 [2011-03-30 14:53 UTC] tony2001@php.net
Description:
------------
If an extension loaded with dl() declares any classes, these classes are not destroyed along with the module and its other resources.
That causes crashes when using delayed early binding, though that's not a requirement, see reproduce case below.

Test script:
---------------
Reproduce case is quite intricate:
start ONE child process of any PHP SAPI (except CLI/CGI/embed, of course)
execute this code:
<?php
dl(<extension declaring any internal classes with create_object() handler>);
$o = new <That class>;
?>

then comment out the dl() and execute it again.
The class is still present, but its handler pointers are invalid, therefore PHP will crash with a similar backtrace:
Program received signal SIGSEGV, Segmentation fault.
0xb6e17da0 in ?? ()
(gdb) bt
#0  0xb6e17da0 in ?? ()
#1  0x081cc629 in _object_and_properties_init (arg=0x83deae8, class_type=0x8455380, properties=0x0)
    at /local/dev/php/PHP_5_3/Zend/zend_API.c:1088
#2  0x081cc730 in _object_init_ex (arg=0x83deae8, class_type=0x8455380) at /local/dev/php/PHP_5_3/Zend/zend_API.c:1096
#3  0x081ee86d in ZEND_NEW_SPEC_HANDLER (execute_data=0x8411d80) at /local/dev/php/PHP_5_3/Zend/zend_vm_execute.h:476
#4  0x081eb4f9 in execute (op_array=0x83dd3f4) at /local/dev/php/PHP_5_3/Zend/zend_vm_execute.h:107
#5  0x081cab82 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /local/dev/php/PHP_5_3/Zend/zend.c:1194
#6  0x08179b90 in php_execute_script (primary_file=0xbfda0cb0) at /local/dev/php/PHP_5_3/main/main.c:2268
#7  0x0825a53d in main (argc=1, argv=0xbfda0e04) at /local/dev/php/PHP_5_3/sapi/fpm/fpm/fpm_main.c:1882
(gdb) f 1
#1  0x081cc629 in _object_and_properties_init (arg=0x83deae8, class_type=0x8455380, properties=0x0)
    at /local/dev/php/PHP_5_3/Zend/zend_API.c:1088
1088                    Z_OBJVAL_P(arg) = class_type->create_object(class_type TSRMLS_CC);
(gdb) p class_type->create_object
$1 = (zend_object_value (*)(zend_class_entry *)) 0xb6e17da0
(gdb) p *class_type->create_object
Cannot access memory at address 0xb6e17da0
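
The failure mode in the report, reduced to a small C model (an added example, not PHP's source and not the committed patch): a global class table keeps entries whose handlers belong to an unloaded module unless unload also removes the classes that module registered. All names are hypothetical, and the model does not unmap any code, so a stale handler is only counted, never called.

```c
#include <stddef.h>
#include <string.h>
/* Constructed model: names are hypothetical, not the Zend Engine's own. */
typedef int (*create_object_fn)(void);
struct class_entry {
    const char *name;               /* NULL marks a free slot */
    int module_number;              /* module that registered the class */
    create_object_fn create_object; /* points into that module's code */
};
#define MAX_CLASSES 8
static struct class_entry class_table[MAX_CLASSES];

int ext_create_object(void) { return 1; } /* stands in for a handler inside the dl()'ed library */

int register_class(const char *name, int module_number, create_object_fn fn)
{
    for (size_t i = 0; i < MAX_CLASSES; i++)
        if (class_table[i].name == NULL) {
            class_table[i] = (struct class_entry){ name, module_number, fn };
            return 0;
        }
    return -1; /* table full */
}

struct class_entry *lookup_class(const char *name)
{
    for (size_t i = 0; i < MAX_CLASSES; i++)
        if (class_table[i].name && strcmp(class_table[i].name, name) == 0)
            return &class_table[i];
    return NULL;
}

/* purge_classes == 0 models the reported behaviour: entries stay, and in a
 * real process their handlers would now point into unmapped memory.
 * purge_classes == 1 drops every class the module owns. Returns stale count. */
int unload_module(int module_number, int purge_classes)
{
    int stale = 0;
    for (size_t i = 0; i < MAX_CLASSES; i++) {
        struct class_entry *ce = &class_table[i];
        if (ce->name == NULL || ce->module_number != module_number)
            continue;
        if (purge_classes)
            *ce = (struct class_entry){ 0 };
        else
            stale++;
    }
    return stale;
}
```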



Patches

dlunload_destroy_classes.diff (last revision 2011-03-30 12:55 UTC by tony at daylessday dot org)

History

 [2011-03-31 13:59 UTC] tony2001@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: tony2001
 [2011-03-31 13:59 UTC] tony2001@php.net
Patch committed.
 [2011-03-31 13:59 UTC] tony2001@php.net
Automatic comment from SVN on behalf of tony2001
Revision: http://svn.php.net/viewvc/?view=revision&revision=309853
Log: fix bug #54423 (classes from dl()'ed extensions are not destroyed)
 [2011-04-01 01:58 UTC] pajoye@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=309861
Log: - fix bug #54423, fix build in trunk, introduced by previous related commit
 