Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:10266
Return-Path: <helly@php.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 37400 invoked by uid 1010); 3 Jun 2004 19:21:45 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 37375 invoked from network); 3 Jun 2004 19:21:45 -0000
Received: from unknown (HELO mx.thebrainroom.net) (65.200.24.98)
  by pb1.pair.com with SMTP; 3 Jun 2004 19:21:45 -0000
Received: by mx.thebrainroom.net (Postfix, from userid 517)
	id 54FC414880BE; Thu,  3 Jun 2004 12:21:44 -0700 (PDT)
Received: from BAUMBART (p508EAE6F.dip.t-dialin.net [80.142.174.111])
	(using TLSv1 with cipher RC4-SHA (128/128 bits))
	(No client certificate requested)
	by mx.thebrainroom.net (Postfix) with ESMTP
	id 11A7F14880BC; Thu,  3 Jun 2004 12:21:41 -0700 (PDT)
Date: Thu, 3 Jun 2004 21:21:47 +0200
Reply-To: Marcus Boerger <helly@php.net>
X-Priority: 3 (Normal)
Message-ID: <319579616.20040603212147@marcus-boerger.de>
To: Stefan Esser <sesser@php.net>
Cc: Stanislav Malyshev <stas@zend.com>, internals@lists.php.net
In-Reply-To: <40BDCF45.3010203@php.net>
References: <40BDBD4D.4050905@php.net>
 <Pine.LNX.4.58.0406021453150.5013@shire.zend.office> <40BDC6F4.2070109@php.net>
 <Pine.LNX.4.58.0406021545440.5868@shire.zend.office> <40BDCF45.3010203@php.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 8bit
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on jc.thebrainroom.net
X-Spam-Status: No, hits=0.8 required=5.0 tests=PRIORITY_NO_NAME autolearn=no 
	version=2.63
X-Spam-Level: 
X-TBR-Filter: Virus scanned and defanged
Subject: Re: [PHP-DEV] ZendEngine 2 - Double Free BUG
From: helly@php.net (Marcus Boerger)

Hello Stefan,

i made a fix for TSRM which is comitted but disabled by
#if MBO_0
could you add
#define MBO_0
at the to of TSRM/TSRM.c and check if that helps a bit?

marcus

Wednesday, June 2, 2004, 2:59:49 PM, you wrote:

> Stanislav Malyshev wrote:

>> I think you are right, it should be fixed in zend_post_incdec_property. Do
>> you have reproducing code example so it can be tested? 

> No it cannot be tested. In the default configuration Zend_MM is 
> activated. This will catch double frees. No violation will happen when 
> it is activated. This is why valgrind etc... do not catch it.

> And I think there is another bug with simple classes on termination
> of a request.

> class xy
> {
> 	function a()
> 	{
> 	}
> }

> $y = new xy();

> crashes over here with Hardened-PHP applied AND maintainer-zts 
> activated. It crashs in a llist destruction from within
> zend_deactivate. The reason for the crash seems that the memory
> pointed to by TRMS_ls is already freed.

> Stefan




-- 
Best regards,
 Marcus                            mailto:helly@php.net