Newsgroups: php.internals
Xref: news.php.net php.internals:57557
To: PHP Internals, Dmitry Stogov, Stas Malyshev, Zeev Suraski
Date: Sun, 29 Jan 2012 18:07:51 +0200
Message-ID: <201201291807.52092.yoram.b@zend.com>
Subject: One more crash in PHP 5.4
From: yoram.b@zend.com (yoram bar haim)

In zend_vm_execute.h:701 PHP frees the function struct in case of ZEND_OVERLOADED_FUNCTION. The problem is that in PHP 5.4, the opline calling the function has a pointer to the very same struct in its cache_slot. When this opcode is called again, the cache is used and it crashes.

My suggested fix is not to cache ZEND_OVERLOADED_FUNCTION; it does solve the problem and makes sense to me logically. It is also possible to not free it and let it be re-used from the cache_slot.

My patch is attached.

Attachment: php_5.4.0RC6_zend_vm_execute_no_cache+overloaded.diff

--- Zend/zend_vm_execute.h.orig 2012-01-29 17:56:48.000000000 +0200 +++ Zend/zend_vm_execute.h 2012-01-29 17:54:51.000000000 +0200 @@ -28994,7 +28994,9 @@ } if (IS_CONST == IS_CONST && EXPECTED((EX(fbc)->common.fn_flags & (ZEND_ACC_CALL_VIA_HANDLER|ZEND_ACC_NEVER_CACHE)) == 0) && - EXPECTED(EX(object) == object)) { + EXPECTED(EX(object) == object) && + EXPECTED(EX(fbc)->type != ZEND_OVERLOADED_FUNCTION) && + EXPECTED(EX(fbc)->type != ZEND_OVERLOADED_FUNCTION_TEMPORARY)) { CACHE_POLYMORPHIC_PTR(opline->op2.literal->cache_slot, EX(called_scope), EX(fbc)); } }
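Review bot: the hunk edits only one specialization of the generated zend_vm_execute.h (the `IS_CONST == IS_CONST` guard is the mark of generated, specialized handler code), so the identical caching block in the other ZEND_INIT_METHOD_CALL specializations with a constant op2 stays unpatched, and the change is lost the next time the file is regenerated from zend_vm_def.h; make the change in zend_vm_def.h and regenerate. Also note that the surrounding condition already skips caching when `ZEND_ACC_NEVER_CACHE` is set in `EX(fbc)->common.fn_flags`: setting that flag where the ZEND_OVERLOADED_FUNCTION and ZEND_OVERLOADED_FUNCTION_TEMPORARY structs are created would fix the same bug without adding two type comparisons to every constant-name method call, and would keep this condition from growing further.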
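To make the failure mode concrete, here is a small C model of the path the message describes: a polymorphic cache slot keyed on the called scope, a get_method handler that hands out a freshly allocated ZEND_OVERLOADED_FUNCTION struct, and a call that frees that struct afterwards. This is an added example, not Zend Engine code: the struct layouts, the get_method/init_method_call/do_fcall stand-ins and the two constructed classes are simplified assumptions that only borrow the Zend names. The `patched` flag applies the condition from the posted diff (never cache an overloaded function). With it off, every cache hit after the first call hands back the already freed struct; with it on, the slot stays empty for that class and get_method runs on every call, which is the cost the fix accepts.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the Zend types (assumption: only the fields the demo needs). */
enum fn_type { ZEND_USER_FUNCTION, ZEND_OVERLOADED_FUNCTION };

typedef struct zend_function {
    enum fn_type type;
    const char *name;
} zend_function;

typedef struct zend_class_entry {
    const char *name;
    zend_function *compiled_method;  /* NULL: resolved through an overloaded (__call-style) handler */
} zend_class_entry;

typedef struct {
    zend_class_entry *called_scope;  /* CACHE_POLYMORPHIC_PTR keys the slot on the called scope */
    zend_function *fbc;
} cache_slot;

/* Two constructed classes for the demo (not real PHP classes). */
static zend_function real_method = { ZEND_USER_FUNCTION, "doSomething" };
zend_class_entry compiled_class = { "Compiled", &real_method };
zend_class_entry overloaded_class = { "Overloaded", NULL };

static zend_function *last_freed;     /* lets the model spot a stale pointer without dereferencing it */
static int get_method_calls;
static int last_was_cache_hit;

/* Stand-in for ce->get_method: a compiled method lives as long as its class; an overloaded
   handler returns a freshly allocated trampoline that the caller frees after the call. */
static zend_function *get_method(zend_class_entry *ce, const char *name)
{
    get_method_calls++;
    if (ce->compiled_method)
        return ce->compiled_method;
    zend_function *f = malloc(sizeof *f);
    f->type = ZEND_OVERLOADED_FUNCTION;
    f->name = name;
    return f;
}

/* Stand-in for ZEND_INIT_METHOD_CALL with a constant method name.
   patched == 0: cache every resolved fbc (the 5.4 behaviour the message describes);
   patched == 1: apply the posted diff and never cache an overloaded function. */
static zend_function *init_method_call(cache_slot *slot, zend_class_entry *scope,
                                       const char *name, int patched)
{
    if (slot->called_scope == scope) {
        last_was_cache_hit = 1;
        return slot->fbc;                /* cache hit: get_method is not consulted */
    }
    last_was_cache_hit = 0;
    zend_function *fbc = get_method(scope, name);
    if (!patched || fbc->type != ZEND_OVERLOADED_FUNCTION) {
        slot->called_scope = scope;
        slot->fbc = fbc;
    }
    return fbc;
}

/* Stand-in for the cleanup after the call: the overloaded trampoline is freed. */
static void do_fcall(zend_function *fbc)
{
    if (fbc->type == ZEND_OVERLOADED_FUNCTION) {
        last_freed = fbc;
        free(fbc);
    }
}

/* Runs the same opline `iterations` times against `scope` and returns how many
   iterations were handed an fbc that had already been freed (0 means no use-after-free). */
int run_opline(zend_class_entry *scope, int iterations, int patched)
{
    cache_slot slot = { NULL, NULL };
    int stale = 0;
    last_freed = NULL;
    get_method_calls = 0;
    for (int i = 0; i < iterations; i++) {
        zend_function *fbc = init_method_call(&slot, scope, "doSomething", patched);
        if (last_was_cache_hit && fbc == last_freed) {
            stale++;                     /* the real engine would now read freed memory */
            continue;
        }
        do_fcall(fbc);
    }
    return stale;
}

int get_method_call_count(void) { return get_method_calls; }

int main(void)
{
    int stale = run_opline(&overloaded_class, 3, 0);
    printf("unpatched, overloaded: %d stale uses\n", stale);
    stale = run_opline(&overloaded_class, 3, 1);
    printf("patched,   overloaded: %d stale uses, get_method called %d times\n",
           stale, get_method_call_count());
    stale = run_opline(&compiled_class, 3, 1);
    printf("patched,   compiled:   %d stale uses, get_method called %d times\n",
           stale, get_method_call_count());
    return 0;
}
```

The check `last_was_cache_hit && fbc == last_freed` is only a detection aid for the model: the engine has no such check, which is why the second execution of the opline in the unpatched case dereferences freed memory. The compiled-method case shows that the patch leaves the normal fast path untouched: the slot is filled once and every later call is a hit.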