<?php
class MyTextSanitizer
{
    var $smileys=array();
    function MyTextSanitizer() {}
    function getSmileys()
    {
        return $this->smileys;
    }
}
$myts = new MyTextSanitizer();
$smiles =& $myts->getSmileys(); //calling by ref alone causes improper refcount
?>
The opcodes for the above script:

ZEND_FETCH_CLASS
ZEND_NEW (Increases the refcount of smileys array from 1 to 2. zend_declare class made it 1 from 0)
ZEND_JMP_NO_CTOR (Not executed)
ZEND_INIT_CTOR_CALL (No change in smileys refcount)
ZEND_DO_FCALL_BY_NAME (No change in smileys refcount)
ZEND_FETCH_W (No change in smileys refcount)
ZEND_ASSIGN (No change in smileys refcount)
ZEND_FETCH_R (No change in smileys refcount)
ZEND_INIT_METHOD_CALL (No change in smileys refcount)
ZEND_DO_FCALL_BY_NAME (Increases the refcount of smileys array from 2 to 3)
ZEND_FETCH_W (No change in smileys refcount)
ZEND_ASSIGN_REF (Increases the refcount of smileys array from 3 to 1. _get_zval_ptr_ptr on &opline->op2 makes it 3 to 2. zend_assign_to_variable_reference(&opline->result, get_zval_ptr_ptr(&opline->op1, EX(Ts), BP_VAR_W), value_ptr_ptr, EX(Ts) TSRMLS_CC); decreases it from 2 to 1)
ZEND_RETURN
ZEND_HANDLE_EXCEPTION

The object destructor reduces the refcount from 1 to 0 and destroys $smileys. zend_destroy_class now attempts to destroy it again. This causes a segfault.

With regards
Kamesh Jayachandran

On Wed, 06 Apr 2005 00:18:35 -0700, "Kamesh Jayachandran" <[EMAIL PROTECTED]> said:
> It happens in php-5.0.4 also.
>
> With regards
> Kamesh Jayachandran
> On Wed, 6 Apr 2005 09:16:34 +0200 (CEST), "Derick Rethans" <[EMAIL PROTECTED]> said:
> > On Wed, 6 Apr 2005, Kamesh Jayachandran wrote:
> >
> > > Hi All,
> > > I have come across a double free because of improper refcount manipulation.
> > >
> > > <?php
> > > class MyTextSanitizer
> > > {
> > >     var $smileys=array();
> > >     function MyTextSanitizer() {}
> > >     function getSmileys()
> > >     {
> > >         return $this->smileys;
> > >     }
> > > }
> > > $myts = new MyTextSanitizer();
> > > $smiles =& $myts->getSmileys(); //calling by ref alone causes improper refcount
> > > $smiles = $myts->getSmileys(); //this does not cause improper refcount
> > > ?>
> >
> > This fact is known, Marcus and I have a working patch for this - but
> > it'll break binary compat for PHP 4.4 - stay tuned for this.
> >
> > regards,
> > Derick
> >
> > --
> > Derick Rethans
> > http://derickrethans.nl | http://ez.no | http://xdebug.org
> >
> > --
> > PHP Internals - PHP Runtime Development Mailing List
> > To unsubscribe, visit: http://www.php.net/unsub.php
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
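The thread hinges on the difference between `$x =& $obj->method()` on a method that returns by value and the same call on a method declared to return by reference. The script below is an added example written for this page; it is not code from the thread, from the reporter, or from the PHP source tree. It reuses the report's class shape with illustrative names (`getSmileysRef` is hypothetical), and is written for current PHP (PHP 7/8), so it uses `__construct` and `public` instead of the PHP 4 style of the original script and cannot reproduce the engine crash itself; what it shows is which call sites actually alias the object's array and which silently copy it.

```php
<?php
// Added example, not code from the thread. Contrasts a method that returns
// an array by value with one declared to return by reference, using the
// class shape from the report. Names are illustrative; written for PHP 7/8
// (visibility keywords and __construct replace the PHP 4 style of the
// original script).
class MyTextSanitizer
{
    public $smileys = array();

    public function __construct() {}

    // By value: the caller receives a copy of the array.
    public function getSmileys()
    {
        return $this->smileys;
    }

    // By reference ('&' before the name): the caller may bind a reference
    // to the property itself, which is what a '=&' call site expects.
    public function &getSmileysRef()
    {
        return $this->smileys;
    }
}

function demo()
{
    $myts = new MyTextSanitizer();

    // By-value call: appending to $copy leaves the object untouched.
    $copy = $myts->getSmileys();
    $copy[] = ':)';
    printf("after by-value copy: %d smileys in object\n", count($myts->smileys));

    // Reference-returning method bound with =&: $alias is the property,
    // so the append is visible through the object.
    $alias =& $myts->getSmileysRef();
    $alias[] = ':)';
    printf("after by-ref alias: %d smileys in object\n", count($myts->smileys));

    // The pattern from the report: =& on a method that does NOT return by
    // reference. In PHP 4.3/5.0 this is what triggered the refcount
    // mishandling the thread describes; current PHP emits the notice
    // "Only variables should be assigned by reference" and falls back to a
    // by-value assignment, so the object is not aliased here.
    $smiles =& $myts->getSmileys();
    $smiles[] = ':(';
    printf("after =& on by-value method: %d smileys in object\n", count($myts->smileys));
}

demo();
```

Run it with `php` on the command line; the third assignment prints a notice before its output line, which is the modern engine's way of flagging the exact call site the report is about. The counts show that only the `&getSmileysRef()` call modifies the object, so code that relies on `=&` against a by-value method is wrong on every PHP version, not just the ones where it crashed.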