Newsgroups: php.internals
Subject: Re: [PHP-DEV] ZendEngine 2 - Double Free BUG
From: sesser@php.net (Stefan Esser)
To: Stanislav Malyshev, internals@lists.php.net
Date: Wed, 02 Jun 2004 14:24:20 +0200
Message-ID: <40BDC6F4.2070109@php.net>
References: <40BDBD4D.4050905@php.net>

Stanislav Malyshev wrote:

> SE>> Z_OBJ_HT_P(object)->write_property(object, property, z TSRMLS_CC);
> SE>>
> SE>> within this function z is freed and
>
> Why should write_property free z?
static int zend_std_call_setter(zval *object, zval *member, zval *value TSRMLS_DC)
{
	zval **call_args[2];
	zval *retval = NULL;
	zval __set_name;
	int call_result;
	int ret;

	/* __set handler is called with two arguments:
	     property name
	     value to be set
	   it should return whether the call was successful or not
	*/
	INIT_PZVAL(&__set_name);
	ZVAL_STRINGL(&__set_name, ZEND_SET_FUNC_NAME, sizeof(ZEND_SET_FUNC_NAME)-1, 0);

	call_args[0] = &member;
	value->refcount++;
	call_args[1] = &value;

	/* go call the __set handler */
	call_result = call_user_function_ex(NULL, &object, &__set_name, &retval, 2, call_args, 0, NULL TSRMLS_CC);

	/* call_result tells whether call_user_function went OK.
	   retval shows whether the __set method went OK. */
	if (call_result == FAILURE) {
		zend_error(E_ERROR, "Could not call __set handler for class %s", Z_OBJCE_P(object)->name);
		return FAILURE;
	}

	zval_ptr_dtor(&value);

Maybe you should ask the person who wrote it "why".

Well, the problem is not that it frees it. The problem is that the refcount is zero when the std_setter is called.

Stefan
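The refcount arithmetic behind this thread, as an added illustration that is not code from the mail above or from the Zend Engine: a toy model of a refcounted zval whose destructor mirrors the refcount++ / zval_ptr_dtor() pair quoted from zend_std_call_setter. The names toy_zval, toy_zval_ptr_dtor, model_std_call_setter and simulate_property_write are invented for the example, and the "caller's release" step assumes the code that created the value also drops its own reference afterwards; that assumption is what turns a refcount of zero at entry into a double free, whereas a refcount of one at entry frees exactly once.

```c
#include <stdio.h>

/* Toy model of a Zend 2.0 zval (illustration only, not Zend code):
 * only the refcount matters here; "freed" records whether the
 * value's storage would already have been released. */
typedef struct {
    int refcount;
    int freed;
} toy_zval;

/* Model of zval_ptr_dtor: drop one reference, release at zero.
 * Returns 1 when called on already-released storage, i.e. a double free. */
static int toy_zval_ptr_dtor(toy_zval *z)
{
    if (z->freed) {
        return 1;          /* destructor ran twice on the same value */
    }
    if (--z->refcount <= 0) {
        z->freed = 1;      /* FREE_ZVAL would happen here */
    }
    return 0;
}

/* Model of the reference handling quoted from zend_std_call_setter:
 * take a reference before handing the value to __set, drop it after.
 * If the __set body stores $value somewhere, it keeps its own reference. */
static int model_std_call_setter(toy_zval *value, int setter_keeps_value)
{
    value->refcount++;                /* value->refcount++ before the call */
    if (setter_keeps_value) {
        value->refcount++;            /* __set did $this->x = $value */
    }
    return toy_zval_ptr_dtor(value);  /* zval_ptr_dtor(&value) after the call */
}

/* Assumed caller: perform the property write, then release the caller's own
 * reference to the value it created. Returns the number of double frees seen. */
int simulate_property_write(int initial_refcount, int setter_keeps_value)
{
    toy_zval value = { initial_refcount, 0 };
    int double_frees = 0;

    double_frees += model_std_call_setter(&value, setter_keeps_value);
    double_frees += toy_zval_ptr_dtor(&value);   /* caller's release */
    return double_frees;
}

int main(void)
{
    /* refcount 1 at entry: setter bumps to 2, drops to 1, caller frees once */
    printf("refcount 1 at entry: %d double free(s)\n", simulate_property_write(1, 0));
    /* refcount 0 at entry: setter bumps to 1, drops to 0 and frees,
     * then the caller frees the same value again */
    printf("refcount 0 at entry: %d double free(s)\n", simulate_property_write(0, 0));
    return 0;
}
```

The model makes the point of the reply concrete: the zval_ptr_dtor() in the setter is balanced by the refcount++ before the call, so it is harmless as long as the value arrives holding at least one reference; with a refcount of zero the bump-and-drop pair releases the value while whoever created it still expects to release it too.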