|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74802 Bogus detection of values capture in destructors within garbage collector
Submitted: 2017-06-23 02:45 UTC Modified: 2017-06-23 08:58 UTC
From: Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: master-Git-2017-06-23 (Git) OS: Irrelevant
Private report: No CVE-ID: None
 [2017-06-23 02:45 UTC]
Our current logic in garbage collector assumes that, if we have a refcount not higher than before, the data can be safely freed.

Which is not a valid assumption as the following snippet demonstrates: if the value is incremented by backing up and decremented again by manual unset(), the refcount is still equal; thus the garbage collector will free it, even though it cannot.

The relevant snippet within zend_gc.c, after invoking destructors, on each remaining root:

if (GC_REFCOUNT(current->ref) > current->refcount) {
  	gc_remove_nested_data_from_buffer(current->ref, current);

Test script:
(function() {
        $foo = new class {
                public $bar;

                function __destruct() {
                        global $bak;
                        $bak = $this->bar;
                        unset($this->bar); // do not fulfil the condition

        $bar = new stdClass;
        $bar->foo = $foo;
        $foo->bar = $bar;



Expected result:
object(stdClass)#3 (1) {
  object(class@anonymous)#2 (1) {

Actual result:
Segmentation fault (or at least valgrind warning)


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-06-23 08:58 UTC]
-Status: Open +Status: Duplicate
 [2017-06-23 08:58 UTC]
Duplicate of bug #72530.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Mon Mar 27 11:03:36 2023 UTC