Hi All,
I have come across a double free because of improper refcount
manipulation.
<?php
class MyTextSanitizer
{
    var $smileys = array();
    function MyTextSanitizer() {}
    function getSmileys()
    {
        return $this->smileys;
    }
}
$myts = new MyTextSanitizer();
$smiles =& $myts->getSmileys(); // calling by ref alone causes improper refcount
$smiles = $myts->getSmileys();  // this does not cause improper refcount
?>

What is happening is class_entry->default_properties and
object->properties are sharing the same zval** as the data($smileys)
against their keys with incrementing the refcount.
In the execution of the script the refcount of $smileys changes as follows:
1->2,
2->3,
3->2,
2->3,
3->2,
2->1, ---> when it is 1, zend_objects_free_object_storage calls
zend_hash_destroy on object->properties, which calls _zval_ptr_dtor on
each of its data ($smiley) and frees it if the refcount == 1.
1->0 --- destroy_zend_class also calls
zend_hash_destroy(&ce->default_properties); by that time
$smiley->refcount = 0 and the storage is already freed, yet it is accessed by
_zval_ptr_dtor to decrement the refcount, which causes a segfault with a
huge script.

Anyway, I will see who increments/decrements the refcount and see
where to increment it or where not to decrement it.

With regards
Kamesh Jayachandran

-- 
PHP Internals - PHP Runtime Development Mailing List
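As an added illustration (this is not code from the mail above nor from the PHP source tree), the following toy C model reproduces the ownership mistake the mail describes: two hash tables (standing in for class_entry->default_properties and object->properties) end up holding the same refcounted value, and whether the second holder takes its own reference decides between a clean teardown and a dtor call on already-released storage. The structures, names and counters are constructed for this example; instead of really freeing the memory, the model marks it freed so the second dtor can be counted rather than crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for a refcounted zval. Constructed for illustration only;
 * PHP's real zval layout is not reproduced here. */
typedef struct {
    int refcount;
    int freed;        /* set once the storage has been released */
    char data[16];
} zval_t;

/* A minimal "hash table": a fixed array of zval_t* slots. */
typedef struct {
    zval_t *slots[4];
    int count;
} table_t;

static int frees = 0;           /* how many times storage was released */
static int use_after_free = 0;  /* dtor calls that touched freed storage */

int get_frees(void) { return frees; }
int get_use_after_free(void) { return use_after_free; }

static zval_t *zval_new(const char *s) {
    zval_t *z = calloc(1, sizeof *z);
    z->refcount = 1;                       /* creator holds one reference */
    strncpy(z->data, s, sizeof z->data - 1);
    return z;
}

/* Model of _zval_ptr_dtor: drop one reference, release at zero. */
static void zval_ptr_dtor(zval_t *z) {
    if (z->freed) {
        use_after_free++;  /* the real engine would read freed memory here */
        return;
    }
    if (--z->refcount == 0) {
        z->freed = 1;      /* real code: free(z); kept so a second dtor is detectable */
        frees++;
    }
}

/* Store a pointer in a table. With addref != 0 the table takes its own
 * reference; with addref == 0 it merely aliases the pointer. */
static void table_add(table_t *t, zval_t *z, int addref) {
    if (addref) z->refcount++;
    t->slots[t->count++] = z;
}

/* Model of zend_hash_destroy: release every slot. */
static void table_destroy(table_t *t) {
    for (int i = 0; i < t->count; i++) zval_ptr_dtor(t->slots[i]);
    t->count = 0;
}

/* Scenario: default_properties and object->properties share one value.
 * Returns 1 if teardown was clean (freed exactly once, never touched after
 * release), 0 otherwise. */
int run_scenario(int addref_on_share) {
    frees = 0;
    use_after_free = 0;
    table_t default_props = {{0}, 0}, obj_props = {{0}, 0};
    zval_t *smileys = zval_new("array()");
    table_add(&default_props, smileys, 0);              /* owns the creator's ref */
    table_add(&obj_props, smileys, addref_on_share);    /* second holder */
    table_destroy(&obj_props);      /* zend_objects_free_object_storage */
    table_destroy(&default_props);  /* destroy_zend_class */
    int clean = (frees == 1 && use_after_free == 0);
    free(smileys);
    return clean;
}

int main(void) {
    printf("share without addref: %s\n", run_scenario(0) ? "clean" : "dtor on freed storage");
    printf("share with addref:    %s\n", run_scenario(1) ? "clean" : "dtor on freed storage");
    return 0;
}
```

The defensive rule this models is the one the mail is circling: every container that will later run the destructor over its entries must hold its own reference, so the refcount reaches zero exactly once, after the last holder is gone.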