Hi All,

I have come across a double free because of improper refcount manipulation.

<?php
class MyTextSanitizer {
    var $smileys = array();

    function MyTextSanitizer() {}

    function getSmileys() {
        return $this->smileys;
    }
}

$myts = new MyTextSanitizer();
$smiles =& $myts->getSmileys(); // calling by ref alone causes improper refcount
$smiles = $myts->getSmileys();  // this does not cause improper refcount
?>
What is happening is that class_entry->default_properties and object->properties are sharing the same zval** as the data ($smileys) against their keys with incrementing the refcount.

During execution of the script the refcount of $smileys changes 1->2, 2->3, 3->2, 2->3, 3->2, 2->1. When it is 1, zend_objects_free_object_storage calls zend_hash_destroy on object->properties, which calls _zval_ptr_dtor on each of its data ($smileys) and frees it if the refcount == 1 (1->0). destroy_zend_class also calls zend_hash_destroy(&ce->default_properties); by that time $smileys->refcount = 0 and the storage is already freed, and _zval_ptr_dtor accesses it to decrement the refcount, which causes a segfault with a huge script.

Anyway, I will see who all increment/decrement the refcount and see where to increment it or where not to decrement it.

With regards
Kamesh Jayachandran

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
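The refcount failure described in the message above, as an added, constructed model that is not Zend engine code and not part of the original post: two property "tables" (the class's default_properties and the object's properties) end up holding the same zval pointer, and each table's destroy routine drops one reference. If the second table took the pointer without bumping the refcount, the first destroy already brings the count to 0 and frees the payload, and the second destroy runs the destructor on storage that is already dead. The names zval_t, props_t, zval_ptr_dtor, props_destroy and run_scenario are hypothetical stand-ins for the engine structures and functions the post names; the model counts destructor calls on dead storage instead of dereferencing freed memory, so it stays defined and can be asserted on.

```c
/* Toy model of refcount sharing between two hash tables. Constructed example,
 * not Zend engine code; names are hypothetical stand-ins for the real ones. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int refcount;
    char *data;                 /* payload, e.g. the smileys array */
} zval_t;

/* Counters exposed for inspection instead of letting a real UAF happen. */
static int g_frees = 0;         /* how many times the payload was freed */
static int g_dtor_on_dead = 0;  /* dtor calls that hit a refcount already 0 */

static zval_t *zval_new(const char *payload) {
    zval_t *z = malloc(sizeof *z);
    size_t n = strlen(payload) + 1;
    z->refcount = 1;
    z->data = malloc(n);
    memcpy(z->data, payload, n);
    return z;
}

/* Models _zval_ptr_dtor: decrement, free at zero. A real engine would
 * dereference freed memory when the refcount is already 0; the model keeps
 * the zval shell allocated and counts that state instead. */
static void zval_ptr_dtor(zval_t *z) {
    if (z->refcount <= 0) {     /* storage logically dead already */
        g_dtor_on_dead++;
        return;
    }
    z->refcount--;
    if (z->refcount == 0) {
        g_frees++;
        free(z->data);
        z->data = NULL;         /* shell stays so the second dtor is observable */
    }
}

/* A "hash table" of properties: fixed-size pointer array for the model. */
typedef struct { zval_t *slots[4]; int n; } props_t;

static void props_add(props_t *p, zval_t *z, int addref) {
    if (addref) z->refcount++;  /* correct sharing: the table takes its own reference */
    p->slots[p->n++] = z;
}

static void props_destroy(props_t *p) {   /* models zend_hash_destroy */
    for (int i = 0; i < p->n; i++) zval_ptr_dtor(p->slots[i]);
    p->n = 0;
}

/* Run the scenario: default_properties and object->properties share one zval.
 * Returns the number of dtor calls that landed on already-dead storage
 * (0 = correct, 1 = the double free the post describes). */
static int run_scenario(int share_with_addref) {
    g_frees = 0;
    g_dtor_on_dead = 0;
    zval_t *smileys = zval_new("smileys");
    props_t default_props = {{0}, 0}, obj_props = {{0}, 0};

    props_add(&default_props, smileys, 0);              /* class owns the initial reference */
    props_add(&obj_props, smileys, share_with_addref);  /* object table shares the pointer */

    props_destroy(&obj_props);       /* zend_objects_free_object_storage path */
    props_destroy(&default_props);   /* destroy_zend_class path */

    int bad = g_dtor_on_dead;
    free(smileys);                   /* shell kept alive by the model; see dtor */
    return bad;
}

static int frees_in_last_run(void) { return g_frees; }

int main(void) {
    printf("shared without addref: dtor-on-dead=%d frees=%d\n",
           run_scenario(0), frees_in_last_run());
    printf("shared with addref:    dtor-on-dead=%d frees=%d\n",
           run_scenario(1), frees_in_last_run());
    return 0;
}
```

The two runs differ only in whether the second table bumps the refcount when it stores the shared pointer; with the bump, each destroy accounts for exactly one reference and the payload is freed once, which is the invariant the post's fix has to restore wherever the engine copies the zval** between the two tables.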