Newsgroups: php.internals
Message-ID: <1113378367.21840.231757203@webmail.messagingengine.com>
To: "Kamesh Jayachandran", "Derick Rethans"
Cc: internals@lists.php.net
References: <1112771633.21209.231222484@webmail.messagingengine.com> <1112771915.21486.231222681@webmail.messagingengine.com>
In-Reply-To: <1112771915.21486.231222681@webmail.messagingengine.com>
Date: Wed, 13 Apr 2005 00:46:07 -0700
Subject: Re: [PHP-DEV] refcount and hence double free issue
From: kameshj@fastmail.fm ("Kamesh Jayachandran")

    <?php
    class MyTextSanitizer
    {
        var $smileys = array();
        function MyTextSanitizer() {}
        function getSmileys()
        {
            return $this->smileys;
        }
    }
    $myts = new MyTextSanitizer();
    $smiles =& $myts->getSmileys(); // calling by ref alone causes improper refcount
    ?>

The opcodes for the above script:

    ZEND_FETCH_CLASS
    ZEND_NEW (Increases the refcount of smileys array from 1 to 2. zend_declare_class made it 1 from 0)
    ZEND_JMP_NO_CTOR (Not executed)
    ZEND_INIT_CTOR_CALL (No change in smileys refcount)
    ZEND_DO_FCALL_BY_NAME (No change in smileys refcount)
    ZEND_FETCH_W (No change in smileys refcount)
    ZEND_ASSIGN (No change in smileys refcount)
    ZEND_FETCH_R (No change in smileys refcount)
    ZEND_INIT_METHOD_CALL (No change in smileys refcount)
    ZEND_DO_FCALL_BY_NAME (Increases the refcount of smileys array from 2 to 3)
    ZEND_FETCH_W (No change in smileys refcount)
    ZEND_ASSIGN_REF (Increases the refcount of smileys array from 3 to 1. _get_zval_ptr_ptr on &opline->op2 makes it 3 to 2.
        zend_assign_to_variable_reference(&opline->result, get_zval_ptr_ptr(&opline->op1, EX(Ts), BP_VAR_W), value_ptr_ptr, EX(Ts) TSRMLS_CC);
        decreases it from 2 to 1)
    ZEND_RETURN
    ZEND_HANDLE_EXCEPTION

The object destructor reduces the refcount from 1 to 0 and destroys the $smileys. zend_destroy_class now attempts to destroy it again. This causes a segfault.

With regards,
Kamesh Jayachandran

On Wed, 06 Apr 2005 00:18:35 -0700, "Kamesh Jayachandran" said:
> It happens in php-5.0.4 also.
>
> With regards
> Kamesh Jayachandran
>
> On Wed, 6 Apr 2005 09:16:34 +0200 (CEST), "Derick Rethans" said:
> > On Wed, 6 Apr 2005, Kamesh Jayachandran wrote:
> >
> > > Hi All,
> > > I have come across a double free because of improper refcount
> > > manipulation.
> > >
> > > <?php
> > > class MyTextSanitizer
> > > {
> > >     var $smileys = array();
> > >     function MyTextSanitizer() {}
> > >     function getSmileys()
> > >     {
> > >         return $this->smileys;
> > >     }
> > > }
> > > $myts = new MyTextSanitizer();
> > > $smiles =& $myts->getSmileys(); // calling by ref alone causes improper refcount
> > > $smiles = $myts->getSmileys();  // this does not cause improper refcount
> > > ?>
> >
> > This fact is known, Marcus and I have a working patch for this - but
> > it'll break binary compat for PHP 4.4 - stay tuned for this.
> >
> > regards,
> > Derick
> >
> > --
> > Derick Rethans
> > http://derickrethans.nl | http://ez.no | http://xdebug.org
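A small C model of the refcount trace Kamesh lists above, added here as an example and not Zend Engine code: it replays the counts step by step, with a guard in the release path that reports the second destroy instead of freeing twice. The mapping of each line to an opcode, the `buggy` switch, and the assumption that a balanced ZEND_ASSIGN_REF drops only the op2 temporary are modeling assumptions, not taken from the engine.

```c
#include <stdio.h>
#include <stdlib.h>
/* Minimal refcounted value standing in for the $smileys array zval.
 * Added model for this thread, not Zend Engine code. */
typedef struct { int refcount; int freed; char *payload; } zval_model;
static zval_model *zval_declare(void) {
    zval_model *z = calloc(1, sizeof *z);
    z->payload = malloc(16);   /* stands in for the array's HashTable */
    z->refcount = 1;           /* zend_declare_class: default property, 0 -> 1 */
    return z;
}

/* Drop one reference and destroy the payload at zero.  Returns 1 when asked
 * to release a value already destroyed: the double free the post describes. */
static int zval_release(zval_model *z) {
    if (z->freed || z->refcount <= 0)
        return 1;
    if (--z->refcount == 0) {
        free(z->payload);
        z->payload = NULL;
        z->freed = 1;
    }
    return 0;
}

/* Replays the opcode trace from the post.  buggy=1 applies both decrements
 * the post attributes to ZEND_ASSIGN_REF (3 -> 1); buggy=0 applies only the
 * release of the op2 temporary (3 -> 2), the balanced count assumed here.
 * Returns how many double frees the guard in zval_release caught. */
static int replay_trace(int buggy) {
    int double_frees = 0;
    zval_model *smileys = zval_declare();      /* refcount 1 */
    smileys->refcount++;                       /* ZEND_NEW copies default props: 2 */
    smileys->refcount++;                       /* ZEND_DO_FCALL_BY_NAME returns it: 3 */
    double_frees += zval_release(smileys);     /* ASSIGN_REF, op2 temporary: 2 */
    if (buggy)                                 /* ASSIGN_REF, second decrement: 1 */
        double_frees += zval_release(smileys);
    double_frees += zval_release(smileys);     /* object destructor (1 -> 0 when buggy) */
    double_frees += zval_release(smileys);     /* zend_destroy_class: second destroy when buggy */
    if (!smileys->freed)
        free(smileys->payload);
    free(smileys);
    return double_frees;
}

int main(void) {
    printf("buggy: %d double free(s), balanced: %d\n", replay_trace(1), replay_trace(0));
    return 0;
}
```

The buggy replay reports one double free at the zend_destroy_class step; the balanced replay reaches zero exactly once.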