Hello.

I found the cause for bug #24842. In function shutdown_executor(), the "arg_types_stack" stack is cleaned way too early, and later when some destructor calls a function like printf(), the helper function zend_do_fcall_handler() uses the "arg_types_stack", which is freed earlier, thus overwriting any data that has replaced the arg_types_stack->elements memory block. A small patch follows:
diff -ruN php5-200307300330.orig/Zend/zend_execute_API.c
php5-200307300330/Zend/zend_execute_API.c
--- php5-200307300330.orig/Zend/zend_execute_API.c 2003-07-27
17:07:14.000000000 +0000
+++ php5-200307300330/Zend/zend_execute_API.c 2003-07-30 07:55:39.000000000
+0000
@@ -189,7 +189,10 @@
void shutdown_executor(TSRMLS_D)
{
zend_try {
+/* Moved after symbol table cleaners because arg_types_stack is used by
zend_do_fcall_handler(), so if a
- destructor calls a function like
printf()it will cause memory
corruption
zend_ptr_stack_destroy(&EG(arg_types_stack)); - */
/* Removed because this can not be safely done, e.g. in this situation:
Object 1 creates object 2
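Review bot: The early zend_ptr_stack_destroy(&EG(arg_types_stack)) call at the top of the zend_try block is left inside the new comment instead of being deleted, so the comment ends with dead code ("zend_ptr_stack_destroy(&EG(arg_types_stack)); - */"). I would remove the call outright and keep a short comment saying that arg_types_stack must outlive the symbol table cleanup because zend_do_fcall_handler() still uses it when a destructor calls a function. The added comment is also wrapped across several lines that carry no "+" prefix, and the "@@ -189,7 +189,10 @@" counts no longer match the lines shown, so the hunk will not apply as posted; please resend it unwrapped or as an attachment.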
@@ -286,6 +289,7 @@
zend_hash_destroy(&EG(included_files));
-
zend_ptr_stack_destroy(&EG(arg_types_stack)); zend_ptr_stack_destroy(&EG(user_error_handlers)); zend_ptr_stack_destroy(&EG(user_exception_handlers)); zend_objects_store_destroy(&EG(objects_store));
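Review bot: The relocated zend_ptr_stack_destroy(&EG(arg_types_stack)) now sits after zend_hash_destroy(&EG(included_files)) but still ahead of zend_objects_store_destroy(&EG(objects_store)) and the two handler-stack destroys. Please confirm that nothing after this point can still run a destructor or handler that reaches zend_do_fcall_handler(); if anything can, the same freed-stack write described in the message remains, and the arg_types_stack destroy should move below zend_objects_store_destroy(). A one-line comment at the new location stating that ordering requirement would keep a later cleanup from moving the call back up. The header says "-286,6 +289,7" (one added line), but the lines here are run together with a stray "-", so the placement cannot be verified from the mail as posted.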