Newsgroups: php.internals
Xref: news.php.net php.internals:3653
To: "PHP-DEV"
Date: Thu, 31 Jul 2003 07:59:58 +0300
Subject: Please apply to PHP5 CVS
From: vma1@abv.bg ("Vesselin Atanasov")

Hello.

I found the cause for bug #24842. In function shutdown_executor(), the "arg_types_stack" stack is cleaned way too early, and later, when some destructor calls a function like printf(), the helper function zend_do_fcall_handler() uses the "arg_types_stack", which was freed earlier, thus overwriting any data that has replaced the arg_types_stack->elements memory block.

A small patch follows:

diff -ruN php5-200307300330.orig/Zend/zend_execute_API.c php5-200307300330/Zend/zend_execute_API.c --- php5-200307300330.orig/Zend/zend_execute_API.c 2003-07-27 17:07:14.000000000 +0000 +++ php5-200307300330/Zend/zend_execute_API.c 2003-07-30 07:55:39.000000000 +0000
@@ -189,7 +189,10 @@ void shutdown_executor(TSRMLS_D) { zend_try { +/* Moved after symbol table cleaners because arg_types_stack is used by zend_do_fcall_handler(), so if a + destructor calls a function like printf() it will cause memory corruption zend_ptr_stack_destroy(&EG(arg_types_stack)); + */ /* Removed because this can not be safely done, e.g. in this situation: Object 1 creates object 2 @@ -286,6 +289,7 @@ zend_hash_destroy(&EG(included_files)); + zend_ptr_stack_destroy(&EG(arg_types_stack)); zend_ptr_stack_destroy(&EG(user_error_handlers)); zend_ptr_stack_destroy(&EG(user_exception_handlers)); zend_objects_store_destroy(&EG(objects_store));
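Review bot: In the first hunk (@@ -189,7 +189,10 @@) the old `zend_ptr_stack_destroy(&EG(arg_types_stack));` line is kept inside the new comment instead of being deleted, which leaves a dead call that a later reader may simply uncomment; delete the line and keep a short comment saying the destroy was moved below the symbol-table cleanup because zend_do_fcall_handler() pushes onto arg_types_stack from destructors (reference bug #24842), so the ordering constraint is documented at the spot where someone would otherwise reinsert the call. As written, the comment text also runs "memory corruption" straight into the commented-out statement, so the sentence should be terminated before the `*/`.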
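Review bot: In the second hunk (@@ -286,6 +289,7 @@) the moved `zend_ptr_stack_destroy(&EG(arg_types_stack));` now runs after `zend_hash_destroy(&EG(included_files));` but, in the visible context, still ahead of `zend_objects_store_destroy(&EG(objects_store));`. Since the report's point is that any destructor executing during shutdown can reach zend_do_fcall_handler(), please confirm that no user destructor can run from the objects-store teardown or from anything else between this line and the end of shutdown_executor(); either move the destroy after the last point at which user code can execute, or add a comment stating why this position is late enough. A regression test with a __destruct() that calls printf() at request shutdown would pin the ordering for bug #24842.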
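The mechanism in the report is a shutdown-ordering use-after-free: a shared stack is freed, then a callback that runs later (an object destructor calling a function) writes through the dangling `elements` block. The following is an added example, not code from the Zend Engine or from this patch; it models the two orderings with a constructed toy stack (`ptr_stack`, `executor_globals`, `do_fcall`, `user_destructor` are all stand-ins, not Zend identifiers) and adds a `destroyed` guard so the late use is reported instead of silently corrupting whatever reused the freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy pointer stack in the spirit of zend_ptr_stack (constructed for this
 * example; not the Zend Engine's implementation). */
typedef struct {
    const void **elements;  /* heap block that dangles after destroy */
    size_t top;
    size_t max;
    int destroyed;          /* guard: report a use after destroy */
} ptr_stack;

/* Stand-in for the executor globals, EG(...). */
typedef struct {
    ptr_stack arg_types_stack;
    int late_use_detected;  /* pushes attempted after destroy */
    int destructor_calls;   /* how many destructors ran */
} executor_globals;

static void ptr_stack_init(ptr_stack *s) {
    s->max = 4;
    s->top = 0;
    s->elements = malloc(s->max * sizeof(*s->elements));
    s->destroyed = 0;
}

static void ptr_stack_destroy(ptr_stack *s) {
    free(s->elements);
    s->elements = NULL;     /* poison: a stray dereference now faults loudly */
    s->destroyed = 1;
}

/* Push that refuses to write through a freed block.
 * Returns 0 on success, -1 if the stack was already destroyed. */
static int ptr_stack_push(ptr_stack *s, const void *p) {
    if (s->destroyed) return -1;
    if (s->top == s->max) {
        s->max *= 2;
        s->elements = realloc(s->elements, s->max * sizeof(*s->elements));
    }
    s->elements[s->top++] = p;
    return 0;
}

/* Stand-in for zend_do_fcall_handler(): a call pushes onto arg_types_stack
 * and pops it again on return. */
static int do_fcall(executor_globals *eg, const char *fname) {
    if (ptr_stack_push(&eg->arg_types_stack, fname) != 0) {
        eg->late_use_detected++;   /* this is the bug #24842 signature */
        return -1;
    }
    eg->arg_types_stack.top--;
    return 0;
}

/* A user __destruct() that calls a function (the printf() case). */
static void user_destructor(executor_globals *eg) {
    eg->destructor_calls++;
    do_fcall(eg, "printf");
}

/* Symbol-table teardown: destroying globals fires object destructors. */
static void destroy_symbol_table(executor_globals *eg) {
    user_destructor(eg);
}

static void reset(executor_globals *eg) {
    ptr_stack_init(&eg->arg_types_stack);
    eg->late_use_detected = 0;
    eg->destructor_calls = 0;
}

/* Original ordering: stack destroyed before destructors can run.
 * Returns the number of late uses (1 here). */
int shutdown_executor_original(executor_globals *eg) {
    reset(eg);
    ptr_stack_destroy(&eg->arg_types_stack);   /* too early */
    destroy_symbol_table(eg);
    return eg->late_use_detected;
}

/* Patched ordering: destructors first, stack destroyed last.
 * Returns the number of late uses (0 here). */
int shutdown_executor_patched(executor_globals *eg) {
    reset(eg);
    destroy_symbol_table(eg);
    ptr_stack_destroy(&eg->arg_types_stack);   /* after the last user code */
    return eg->late_use_detected;
}

int main(void) {
    executor_globals eg;
    printf("original ordering: %d late use(s)\n", shutdown_executor_original(&eg));
    printf("patched  ordering: %d late use(s)\n", shutdown_executor_patched(&eg));
    return 0;
}
```

The guard flag is the instructive part for a reviewer: without it, the original ordering writes a pointer into a block that `free()` has already handed back, and the damage shows up wherever that memory was reused rather than at the faulty push. Nulling the freed pointer and refusing pushes after destroy turns the silent corruption into a detectable failure, which is how the ordering constraint behind the patch can be regression-tested.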