|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2017-06-23 08:58 UTC] nikic@php.net
-Status: Open
+Status: Duplicate
[2017-06-23 08:58 UTC] nikic@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri Oct 31 10:00:02 2025 UTC |
Description: ------------ Our current logic in garbage collector assumes that, if we have a refcount not higher than before, the data can be safely freed. Which is not a valid assumption as the following snippet demonstrates: if the value is incremented by backing up and decremented again by manual unset(), the refcount is still equal; thus the garbage collector will free it, even though it cannot. The relevant snippet within zend_gc.c, after invoking destructors, on each remaining root: if (GC_REFCOUNT(current->ref) > current->refcount) { gc_remove_nested_data_from_buffer(current->ref, current); } Test script: --------------- (function() { $foo = new class { public $bar; function __destruct() { global $bak; $bak = $this->bar; unset($this->bar); // do not fulfil the condition } }; $bar = new stdClass; $bar->foo = $foo; $foo->bar = $bar; })(); gc_collect_cycles(); var_dump($bak); Expected result: ---------------- object(stdClass)#3 (1) { ["foo"]=> object(class@anonymous)#2 (1) { ["bar"]=> *RECURSION* } } Actual result: -------------- Segmentation fault (or at least valgrind warning)