Bug #74802 Bogus detection of values capture in destructors within garbage collector
Submitted: 2017-06-23 02:45 UTC Modified: 2017-06-23 08:58 UTC
From: bwoebi@php.net Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: master-Git-2017-06-23 (Git) OS: Irrelevant
Private report: No CVE-ID: None
 [2017-06-23 02:45 UTC] bwoebi@php.net
Description:
------------
Our current logic in the garbage collector assumes that, if we have a refcount not higher than before, the data can be safely freed.

Which is not a valid assumption as the following snippet demonstrates: if the value is incremented by backing up and decremented again by manual unset(), the refcount is still equal; thus the garbage collector will free it, even though it cannot.

The relevant snippet within zend_gc.c, after invoking destructors, on each remaining root:

if (GC_REFCOUNT(current->ref) > current->refcount) {
    gc_remove_nested_data_from_buffer(current->ref, current);
}


Test script:
---------------
<?php
(function() {
        $foo = new class {
                public $bar;

                function __destruct() {
                        global $bak;
                        $bak = $this->bar;  // refcount of $bar goes up by one
                        unset($this->bar); // do not fulfil the condition: refcount goes back down
                }
        };

        // build the cycle $foo -> $bar -> $foo; both become garbage when the closure returns
        $bar = new stdClass;
        $bar->foo = $foo;
        $foo->bar = $bar;
})();

gc_collect_cycles();

var_dump($bak);


Expected result:
----------------
object(stdClass)#3 (1) {
  ["foo"]=>
  object(class@anonymous)#2 (1) {
    ["bar"]=>
    *RECURSION*
  }
}


Actual result:
--------------
Segmentation fault (or at least valgrind warning)
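To make the false negative concrete, here is an added C model of the zend_gc.c check quoted in the description (constructed for this page, not PHP's own collector code): the refcount of a root is recorded before destructors run, a destructor that backs up and unsets a property leaves that refcount unchanged and slips past the comparison, while a destructor that only backs the value up is caught. All struct and function names below are constructed.

```c
/* Toy model of the GC check: each object carries a live refcount, and the
 * collector remembers the refcount it saw when the root was buffered. */
#include <stdbool.h>
#include <stddef.h>

struct obj {
    int refcount;       /* live reference count */
    int gc_refcount;    /* refcount recorded when the root was buffered */
    struct obj *bar;    /* models the $bar property of the anonymous class */
};

static struct obj *bak;  /* models the global $bak written by __destruct */

/* Destructor as in the test script: back up $this->bar, then unset it. */
static void destruct_backup_and_unset(struct obj *self) {
    bak = self->bar;            /* $bak = $this->bar;  -> refcount + 1 */
    self->bar->refcount++;
    self->bar->refcount--;      /* unset($this->bar);  -> refcount - 1 */
    self->bar = NULL;
}

/* Destructor that only backs the value up (no unset). */
static void destruct_backup_only(struct obj *self) {
    bak = self->bar;
    self->bar->refcount++;
}

/* The quoted check: a root counts as captured (and is removed from the
 * buffer) only if its refcount grew while destructors ran. */
static bool gc_detects_capture(const struct obj *root) {
    return root->refcount > root->gc_refcount;
}

/* Run one scenario: returns true if the collector would free $bar even
 * though the global $bak still points at it (the crash the report shows). */
static bool gc_frees_captured_value(void (*destructor)(struct obj *)) {
    struct obj foo = {1, 0, NULL}, barobj = {1, 0, NULL};
    foo.bar = &barobj;                      /* $foo->bar = $bar; */
    bak = NULL;
    barobj.gc_refcount = barobj.refcount;   /* GC buffers the root, records 1 */
    destructor(&foo);
    return bak == &barobj && !gc_detects_capture(&barobj);
}
```

With the backup-and-unset destructor the refcount returns to 1, so the check reports "not captured" and the value would be freed while `bak` still references it; with backup only it rises to 2 and the capture is detected.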

Patches

Pull Requests

History

 [2017-06-23 08:58 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2017-06-23 08:58 UTC] nikic@php.net
Duplicate of bug #72530.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 10 15:01:28 2024 UTC