From 7da6498342d76c34892bfa247bc1779d8f5ee1e6 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Fri, 30 Aug 2013 11:20:24 +0800
Subject: [PATCH] Fixed bug #60598 (cli/apache sapi segfault on objects manipulation)
---
 NEWS | 2 ++
 Zend/tests/bug60598.phpt | 30 ++++++++++++++++++++++++++++++
 Zend/zend_objects_API.c | 5 +++++
 3 files changed, 37 insertions(+)
 create mode 100644 Zend/tests/bug60598.phpt
diff --git a/NEWS b/NEWS
index 6169cd09023..42b69f535dd 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP NEWS
 ?? ??? 2013, PHP 5.4.20
 - Core:
+ . Fixed bug #60598 (cli/apache sapi segfault on objects manipulation).
+ (Laruence)
 . Fixed bug #65579 (Using traits with get_class_methods causes segfault).
 (Adam)
 . Fixed bug #65490 (Duplicate calls to get lineno & filename for
diff --git a/Zend/tests/bug60598.phpt b/Zend/tests/bug60598.phpt
new file mode 100644
index 00000000000..eeee75a19d9
--- /dev/null
+++ b/Zend/tests/bug60598.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #60598 (cli/apache sapi segfault on objects manipulation)
+--FILE--
+guid = 1;
+ $containers[spl_object_hash($this)] = $this;
+ }
+ public function __destruct() {
+ global $containers;
+ $containers[spl_object_hash($this)] = NULL;
+ }
+}
+
+for ($i = 0; $i < OBJECT_COUNT; ++$i) {
+ new Object();
+}
+
+// You probably won't see this because of the "zend_mm_heap corrupted"
+?>
+If you see this, try to increase OBJECT_COUNT to 100,000
+--EXPECT--
+If you see this, try to increase OBJECT_COUNT to 100,000
diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
index 1fe5d0c1994..b5dd48f7984 100644
--- a/Zend/zend_objects_API.c
+++ b/Zend/zend_objects_API.c
@@ -57,6 +57,11 @@ ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects TS
 obj->dtor(obj->object, i TSRMLS_CC);
 obj = &objects->object_buckets[i].bucket.obj;
 obj->refcount--;
+
+ if (obj->refcount == 0) {
+ /* in case gc_collect_cycle is triggered before free_storage */
+ GC_REMOVE_ZOBJ_FROM_BUFFER(obj);
+ }
 }
 }
 }
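Review bot: The `--EXPECT--` text in Zend/tests/bug60598.phpt, `If you see this, try to increase OBJECT_COUNT to 100,000`, is exactly what a passing run prints, so a green result reads like a hint that the bug was not reproduced. The comment `// You probably won't see this because of the "zend_mm_heap corrupted"` likewise describes the state before the fix. A neutral marker such as `done` in both the script tail and `--EXPECT--`, with a comment like `// Before the fix this script aborted at shutdown with "zend_mm_heap corrupted"`, would make the file read as a regression test. Whether a plain run detects the heap corruption presumably depends on how the allocator is built and configured, so the test should say if a debug or memory-checker run is expected. The opening of the script is not visible in this rendering of the hunk.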
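Review bot: The comment in the added `if (obj->refcount == 0)` block names `gc_collect_cycle` (the collector entry point is `gc_collect_cycles`) and does not explain why an object whose count just reached zero can still sit in the GC buffer. Something like `/* refcount reached 0 here but free_storage has not run yet; unlink from the GC buffer so a gc_collect_cycles() run in between cannot reach this object */` would record the invariant this memory-safety fix relies on. The check covers only this one decrement in zend_objects_store_call_destructors, whose body starts and ends outside the hunk. Any other path that leaves a store entry at refcount 0 before its storage is freed is not visible here and would presumably need the same unlink, so that is worth confirming.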