php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62210 Exceptions can leak temporary variables
Submitted: 2012-06-02 00:46 UTC Modified: 2015-11-13 12:38 UTC
Votes:4
Avg. Score:4.5 ± 0.5
Reproduced:1 of 3 (33.3%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: nikic@php.net Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2012-06-02 00:46 UTC] nikic@php.net
Description:
------------
The script

<?php
function throwException() { throw new Exception }
function doSomething() { [] + throwException(); }
try { doSomething(); } catch (Exception $e) { }

leaks

/home/nikic/dev/php-src/Zend/zend_vm_execute.h(25625) :  Freeing 0xB77ABA44 (44 bytes), script=-
/home/nikic/dev/php-src/Zend/zend_API.c(982) : Actual location (location was relayed)
=== Total 1 memory leaks detected ===

This generally always happens whenever an exception is thrown while evaluation an expression which contains (non-scalar) temporary variables. In the above case the array hash table is leaked.

The reason is that the FREE opcode for the temporary variable is never executed due to the exception. Exceptions only free temporary loop variables.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-06-03 14:20 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2012-06-25 08:12 UTC] dmitry@php.net
I confirm the bug, but I don't see a simple way to fix it.

In general, it's possible to extend zend_op_array with information about ranges of temporary variables livenes, but overhead is going to be too high.
 [2015-07-07 12:42 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5ee841325901a4b040cfea56292a24702fe224d9
Log: Fixed bug #62210 (Exceptions can leak temporary variables. As a part of the fix serious refactoring was done. op_array-&gt;brk_cont_array was removed, and replaced with more general and speed efficient op_array-&gt;T_liveliness. ZEND_GOTO opcode is always replaced by ZEND_JMP at compile time). (Bob, Dmitry, Laruence)
 [2015-07-07 12:42 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2015-07-07 23:36 UTC] ab@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5ee841325901a4b040cfea56292a24702fe224d9
Log: Fixed bug #62210 (Exceptions can leak temporary variables. As a part of the fix serious refactoring was done. op_array-&gt;brk_cont_array was removed, and replaced with more general and speed efficient op_array-&gt;T_liveliness. ZEND_GOTO opcode is always replaced by ZEND_JMP at compile time). (Bob, Dmitry, Laruence)
 [2015-07-10 01:58 UTC] dmitry@php.net
-Status: Closed +Status: Re-Opened
 [2015-07-10 01:58 UTC] dmitry@php.net
The fix was reverted.
 [2015-07-10 10:31 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ad8a73dd55c087de465ad80e8715611693bb1460
Log: Revert &quot;Fixed bug #62210 (Exceptions can leak temporary variables. As a part of the fix serious refactoring was done. op_array-&gt;brk_cont_array was removed, and replaced with more general and speed efficient op_array-&gt;T_liveliness. ZEND_GOTO opcode is always replaced by ZEND_JMP at compile time). (Bob, Dmitry, Laruence)&quot;
 [2015-07-10 10:31 UTC] ab@php.net
-Status: Re-Opened +Status: Closed
 [2015-07-10 11:04 UTC] dmitry@php.net
-Status: Closed +Status: Re-Opened
 [2015-11-13 12:38 UTC] dmitry@php.net
-Status: Re-Opened +Status: Closed
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5ee841325901a4b040cfea56292a24702fe224d9
Log: Fixed bug #62210 (Exceptions can leak temporary variables. As a part of the fix serious refactoring was done. op_array-&gt;brk_cont_array was removed, and replaced with more general and speed efficient op_array-&gt;T_liveliness. ZEND_GOTO opcode is always replaced by ZEND_JMP at compile time). (Bob, Dmitry, Laruence)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 06 01:01:27 2024 UTC