Newsgroups: php.internals,php.pecl.dev
From: dmitry@zend.com (Dmitry Stogov)
Date: Thu, 18 Oct 2012 15:19:58 +0400
To: Laruence
CC: Pierre Joye, PHP Internals, PECL Announce, Dmitry Stogov
Subject: Re: [PHP-DEV] Please do not call zval_dtor on recursive array
Message-ID: <507FE5DE.8010804@zend.com>

I think I've found a simpler fix (attached) that doesn't require extension patching
and even allows optimizing ZE a bit. Laruence, can you please verify it?
Sorry, I'm quite busy with other tasks.

Thanks. Dmitry.

On 10/18/2012 02:56 PM, Laruence wrote:
> On Thu, Oct 18, 2012 at 6:45 PM, Pierre Joye wrote:
>> hi Dmitry, Laruence!
>>
>> On Thu, Oct 18, 2012 at 11:46 AM, Laruence wrote:
>>> Hey:
>>>
>>> recently we found a problem, that is "usage zval_dtor on a recursive
>>> array while gc enabled" has a chance to result in a segfault.
>>>
>>> a reproduce script could be found here:
>>> https://github.com/php/php-src/blob/8bd5e15ff7a57791956c4017ee8fb4a8ac0d8d2e/ext/pcre/tests/bug63055.phpt
>>>
>>> the preg_match used to call zval_dtor on the third argument, which
>>> results in a segfault, reported at #63055
>>>
>>> the segfault backtrace will look like: http://pastebin.com/uPWBgrTZ
>>>
>>> thanks to dmitry, we got a simple solution, that is: instead of
>>> directly calling zval_dtor, please use the following code instead:
>>> "
>>> zval garbage = *subpats;
>>> array_init(subpats);
>>> zval_dtor(&garbage);
>>> "
>> Nice catch!
>>
>> We could add a macro?
>> As it looks like many will forget to do that :)
> maybe a series of macros:
>
> ZVAL_REPLACE_LONG()
> ZVAL_REPLACE_STRING{L}()
> ZVAL_REPLACE_ZVAL()
>
> etc;
>
> thanks, will do it later, only for trunk I think
>
> thanks
>>
>> Cheers,
>> --
>> Pierre
>>
>> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
>

[Attachment: zval_dtor.diff.txt]
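
The ordering issue behind the quoted three-line workaround, shown as an added example that is not part of the original thread and is not Zend Engine code: a toy model in which an array's teardown can reach back to the value that owns it. All types and function names here (`val`, `table`, `visit`, `val_dtor_toy`, and so on) are hypothetical stand-ins, and `visit` is an assumed simplification of whatever runs per element during destruction.

```c
#include <stdlib.h>

/* Toy stand-ins for zval/HashTable; not the Zend Engine's real types. */
enum { T_NULL, T_ARRAY };
typedef struct val val;
typedef struct table { val *slot[2]; int n; int dying; } table;
struct val { int type; table *ht; };

static int stale_hits; /* times teardown reached a table already being destroyed */

static void array_init_toy(val *v) {
    v->type = T_ARRAY;
    v->ht = calloc(1, sizeof(table));
    if (!v->ht) abort();
}

/* Assumed model of per-element work during teardown (element destructor,
 * GC scan): it follows the element back to the value it refers to. */
static void visit(val *v) {
    if (v->type == T_ARRAY && v->ht->dying) stale_hits++;
}

static void val_dtor_toy(val *v) {
    if (v->type != T_ARRAY) return;
    table *t = v->ht;
    t->dying = 1;                       /* table is now half-destroyed */
    for (int i = 0; i < t->n; i++) visit(t->slot[i]);
    free(t);
}

/* Recursive array: the table's only element points back at its owner. */
static void make_recursive(val *a) {
    array_init_toy(a);
    a->ht->slot[a->ht->n++] = a;
}

int destroy_in_place(void) {
    val a; stale_hits = 0;
    make_recursive(&a);
    val_dtor_toy(&a);        /* a still names the dying table during the walk */
    array_init_toy(&a);      /* value is reused afterwards */
    free(a.ht);
    return stale_hits;
}

int destroy_detached(void) {
    val a, garbage; stale_hits = 0;
    make_recursive(&a);
    garbage = a;             /* zval garbage = *subpats; */
    array_init_toy(&a);      /* array_init(subpats);     */
    val_dtor_toy(&garbage);  /* zval_dtor(&garbage);     */
    free(a.ht);
    return stale_hits;
}
```

In the in-place order the walk finds the owner still pointing at the table being destroyed; in the detached order the owner already holds a fresh, valid table by the time teardown starts.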