php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78589 Memory leak with GC + __destruct()
Submitted: 2019-09-23 10:20 UTC Modified: 2019-09-23 10:35 UTC
From: nikic@php.net Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 7.4Git-2019-09-23 (Git) OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: nikic@php.net
New email:
PHP Version: OS:

 

 [2019-09-23 10:20 UTC] nikic@php.net
Description:
------------
This is reduced from an OSS-Fuzz testcase involving unserialize(), but turns out to be some kind of generic GC bug. It is related to the changes to __destruct() handling in 7.4.

Test script:
---------------
class Test {
    public function __destruct() {} 
} 
 
$test = new Test; 
$test->foo = [&$test->foo];
$ary = [&$ary, $test];
unset($ary, $test);
gc_collect_cycles();

Actual result:
--------------
[Mon Sep 23 12:17:48 2019]  Script:  '/home/nikic/php-src-fuzz/t009.php'
Zend/zend_vm_execute.h(27609) :  Freeing 0x00007f8220201940 (32 bytes), script=/home/nikic/php-src-fuzz/t009.php
[Mon Sep 23 12:17:48 2019]  Script:  '/home/nikic/php-src-fuzz/t009.php'
/home/nikic/php-src-fuzz/Zend/zend_hash.c(256) :  Freeing 0x00007f82202588a0 (56 bytes), script=/home/nikic/php-src-fuzz/t009.php
[Mon Sep 23 12:17:48 2019]  Script:  '/home/nikic/php-src-fuzz/t009.php'
/home/nikic/php-src-fuzz/Zend/zend_hash.c(131) :  Freeing 0x00007f822025c280 (264 bytes), script=/home/nikic/php-src-fuzz/t009.php
=== Total 3 memory leaks detected ===


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-09-23 10:35 UTC] nikic@php.net
-Status: Open +Status: Analyzed
 [2019-09-23 10:35 UTC] nikic@php.net
The problem seems to be that we set gc_protected=1 during the zval destruction phase. However, in this case the destruction of the object wants to add the inner array to the GC buffer. (It was previously removed as nested data of the __destruct object.)
 [2019-09-24 10:19 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=73115ef8730cc2466fdb039acb6b9463bc08808a
Log: Fixed bug #78589
 [2019-09-24 10:19 UTC] nikic@php.net
-Status: Analyzed +Status: Closed
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Jan 18 11:01:24 2020 UTC