php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #64893 Crash due to dtor call happening after dtor shutdown
Submitted: 2013-05-21 22:42 UTC Modified: 2014-01-09 06:48 UTC
From: nikic@php.net Assigned: dmitry (profile)
Status: Wont fix Package: Scripting Engine problem
PHP Version: 5.5.0RC1 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: nikic@php.net
New email:
PHP Version: OS:

 

 [2013-05-21 22:42 UTC] nikic@php.net 
Description:
------------
If an object is created *after* the destructor shutdown, its dtor will be called when it is freed, which potentially happens during a phase of the shutdown process where the executor is no longer in a consistent state.

The test script uses the ob callback (called after dtor shutdown) to create an object and bind it to to the error callback, which is later freed during zend_deactivate, as part of the executor shutdown.

Result:
/home/nikic/dev/php-dev/Zend/zend_hash.c(946) : ht=0x42dea5c is already destroyed

Test script:
---------------
<?php
 
ob_start(function() {
    $foo = new Foo;
    set_error_handler(function() use ($foo) {});
});

class Foo {
    public function __destruct() {
        var_dump($GLOBALS);
    }
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-10-04 08:17 UTC] arjen at react dot com 
The result '/home/nikic/dev/php-dev/Zend/zend_hash.c(946) : ht=0x42dea5c is already destroyed' only happens in a debug build.

In a normal build, a notice about a undefined variable $GLOBALS is generated: 
http://3v4l.org/jcBu6
 [2013-12-31 15:00 UTC] nikic@php.net
-Assigned To: +Assigned To: dmitry
 [2013-12-31 15:00 UTC] nikic@php.net 
Dmitry, do you think we could swap steps 2 and 3 of the php_request_shutdown process, i.e. flush OB first and then call dtors? (See http://lxr.php.net/xref/PHP_TRUNK/main/main.c#1747)

I think step 3 is the last one where user code (that potentially creates objects) can be run, so it would make sense to run the dtors after that. Or does that cause other issues?
 [2013-12-31 15:09 UTC] nikic@php.net
-Status: Assigned +Status: Wont fix
 [2013-12-31 15:09 UTC] nikic@php.net 
Nevermind, that would break code that uses echo in the destructor. Marking this as Wfx as there likely is no fix for this, short of calling zend_call_destructors() another time after the OB step.
 [2014-01-09 06:48 UTC] dmitry@php.net 
Yeah. you answered yourself. We can't swap them.

The second call to zend_call_destructors() is not a good option as well, because it'll slowdown each request just to fix very specific and tricky case.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 16:01:27 2024 UTC