From: [email protected]
Operating system: *
PHP version: 5.2.8
PHP Bug Type: Scripting Engine problem
Bug description: Possible memory corruption when passing return value by
reference by
Description:
------------
The following code causes a double free() and memory corruption
Reproduce code:
---------------
<?php
class Foo {
    var $bar = array();

    static function bar() {
        // The static holds the only reference to the previous Foo instance;
        // overwriting it on each call destroys that previous object.
        static $instance = null;
        $instance = new Foo();
        // A property of the object is handed back as the return value.
        return $instance->bar;
    }
}

// extract() receives the function's return value (see the bug title:
// a return value passed by reference).
extract(Foo::bar());
echo "ok\n";
?>
Expected result:
----------------
ok
Actual result:
--------------
ok
[Tue Jan 20 14:11:52 2009] Script: 't.php'
/home/dmitry/php/php5.2/Zend/zend_vm_execute.h(7581) : Freeing 0x09EE74DC (16 bytes), script=t.php
[Tue Jan 20 14:11:52 2009] Script: 't.php'
/home/dmitry/php/php5.2/Zend/zend_variables.h(45) : Freeing 0x09EE9C6C (44 bytes), script=t.php
/home/dmitry/php/php5.2/Zend/zend_variables.c(132) : Actual location (location was relayed)
[Tue Jan 20 14:11:52 2009] Script: 't.php'
/home/dmitry/php/php5.2/Zend/zend_variables.c(133) : Freeing 0x09EE9D68 (32 bytes), script=t.php
/home/dmitry/php/php5.2/Zend/zend_alloc.c(2386) : Actual location (location was relayed)
=== Total 3 memory leaks detected ===
$ USE_ZEND_ALLOC=0 valgrind sapi/cli/php t.php
==30559== Memcheck, a memory error detector.
==30559== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==30559== Using LibVEX rev 1804, a library for dynamic binary translation.
==30559== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==30559== Using valgrind-3.3.0, a dynamic binary instrumentation framework.
==30559== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==30559== For more details, rerun with: -v
==30559==
ok
==30559== Invalid read of size 4
==30559== at 0x8389C3E: _zval_ptr_dtor (zend_execute_API.c:412)
==30559== by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559== by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559== by 0x838FABD: destroy_zend_class (zend_opcode.c:182)
==30559== by 0x83A8A26: zend_hash_apply_deleter (zend_hash.c:611)
==30559== by 0x83A8FD3: zend_hash_reverse_apply (zend_hash.c:760)
==30559== by 0x83897BC: shutdown_executor (zend_execute_API.c:291)
==30559== by 0x839ADD6: zend_deactivate (zend.c:860)
==30559== by 0x833EE1B: php_request_shutdown (main.c:1492)
==30559== by 0x84222C3: main (php_cli.c:1314)
==30559== Address 0x7bdae68 is 8 bytes inside a block of size 16 free'd
==30559== at 0x46CC90A: free (vg_replace_malloc.c:323)
==30559== by 0x837A0B3: _efree (zend_alloc.c:2303)
==30559== by 0x8389D28: safe_free_zval_ptr_rel (zend_execute.h:70)
==30559== by 0x8389C9E: _zval_ptr_dtor (zend_execute_API.c:415)
==30559== by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559== by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559== by 0x83BCF7D: zend_object_std_dtor (zend_objects.c:45)
==30559== by 0x83BD442: zend_objects_free_object_storage (zend_objects.c:122)
==30559== by 0x83C1E33: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==30559== by 0x83C1C7C: zend_objects_store_del_ref (zend_objects_API.c:168)
==30559== by 0x8398ED1: _zval_dtor_func (zend_variables.c:52)
==30559== by 0x8389A13: _zval_dtor (zend_variables.h:35)
==30559==
==30559== Invalid write of size 4
==30559== at 0x8389C44: _zval_ptr_dtor (zend_execute_API.c:412)
==30559== by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559== by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559== by 0x838FABD: destroy_zend_class (zend_opcode.c:182)
==30559== by 0x83A8A26: zend_hash_apply_deleter (zend_hash.c:611)
==30559== by 0x83A8FD3: zend_hash_reverse_apply (zend_hash.c:760)
==30559== by 0x83897BC: shutdown_executor (zend_execute_API.c:291)
==30559== by 0x839ADD6: zend_deactivate (zend.c:860)
==30559== by 0x833EE1B: php_request_shutdown (main.c:1492)
==30559== by 0x84222C3: main (php_cli.c:1314)
==30559== Address 0x7bdae68 is 8 bytes inside a block of size 16 free'd
==30559== at 0x46CC90A: free (vg_replace_malloc.c:323)
==30559== by 0x837A0B3: _efree (zend_alloc.c:2303)
==30559== by 0x8389D28: safe_free_zval_ptr_rel (zend_execute.h:70)
==30559== by 0x8389C9E: _zval_ptr_dtor (zend_execute_API.c:415)
==30559== by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559== by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559== by 0x83BCF7D: zend_object_std_dtor (zend_objects.c:45)
==30559== by 0x83BD442: zend_objects_free_object_storage (zend_objects.c:122)
==30559== by 0x83C1E33: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==30559== by 0x83C1C7C: zend_objects_store_del_ref (zend_objects_API.c:168)
==30559== by 0x8398ED1: _zval_dtor_func (zend_variables.c:52)
==30559== by 0x8389A13: _zval_dtor (zend_variables.h:35)
==30559==
==30559== Invalid read of size 4
==30559== at 0x8389C4C: _zval_ptr_dtor (zend_execute_API.c:413)
==30559== by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559== by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559== by 0x838FABD: destroy_zend_class (zend_opcode.c:182)
==30559== by 0x83A8A26: zend_hash_apply_deleter (zend_hash.c:611)
==30559== by 0x83A8FD3: zend_hash_reverse_apply (zend_hash.c:760)
==30559== by 0x83897BC: shutdown_executor (zend_execute_API.c:291)
==30559== by 0x839ADD6: zend_deactivate (zend.c:860)
==30559== by 0x833EE1B: php_request_shutdown (main.c:1492)
==30559== by 0x84222C3: main (php_cli.c:1314)
==30559== Address 0x7bdae68 is 8 bytes inside a block of size 16 free'd
==30559== at 0x46CC90A: free (vg_replace_malloc.c:323)
==30559== by 0x837A0B3: _efree (zend_alloc.c:2303)
==30559== by 0x8389D28: safe_free_zval_ptr_rel (zend_execute.h:70)
==30559== by 0x8389C9E: _zval_ptr_dtor (zend_execute_API.c:415)
==30559== by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559== by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559== by 0x83BCF7D: zend_object_std_dtor (zend_objects.c:45)
==30559== by 0x83BD442: zend_objects_free_object_storage (zend_objects.c:122)
==30559== by 0x83C1E33: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==30559== by 0x83C1C7C: zend_objects_store_del_ref (zend_objects_API.c:168)
==30559== by 0x8398ED1: _zval_dtor_func (zend_variables.c:52)
==30559== by 0x8389A13: _zval_dtor (zend_variables.h:35)
==30559==
==30559== Invalid read of size 4
==30559== at 0x8389CA6: _zval_ptr_dtor (zend_execute_API.c:416)
==30559== by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559== by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559== by 0x838FABD: destroy_zend_class (zend_opcode.c:182)
==30559== by 0x83A8A26: zend_hash_apply_deleter (zend_hash.c:611)
==30559== by 0x83A8FD3: zend_hash_reverse_apply (zend_hash.c:760)
==30559== by 0x83897BC: shutdown_executor (zend_execute_API.c:291)
==30559== by 0x839ADD6: zend_deactivate (zend.c:860)
==30559== by 0x833EE1B: php_request_shutdown (main.c:1492)
==30559== by 0x84222C3: main (php_cli.c:1314)
==30559== Address 0x7bdae68 is 8 bytes inside a block of size 16 free'd
==30559== at 0x46CC90A: free (vg_replace_malloc.c:323)
==30559== by 0x837A0B3: _efree (zend_alloc.c:2303)
==30559== by 0x8389D28: safe_free_zval_ptr_rel (zend_execute.h:70)
==30559== by 0x8389C9E: _zval_ptr_dtor (zend_execute_API.c:415)
==30559== by 0x839933C: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==30559== by 0x83A8677: zend_hash_destroy (zend_hash.c:526)
==30559== by 0x83BCF7D: zend_object_std_dtor (zend_objects.c:45)
==30559== by 0x83BD442: zend_objects_free_object_storage (zend_objects.c:122)
==30559== by 0x83C1E33: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==30559== by 0x83C1C7C: zend_objects_store_del_ref (zend_objects_API.c:168)
==30559== by 0x8398ED1: _zval_dtor_func (zend_variables.c:52)
==30559== by 0x8389A13: _zval_dtor (zend_variables.h:35)
==30559==
==30559== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 41 from 1)
==30559== malloc/free: in use at exit: 20,736 bytes in 1,349 blocks.
==30559== malloc/free: 16,443 allocs, 15,094 frees, 1,753,883 bytes allocated.
==30559== For counts of detected errors, rerun with: -v
==30559== searching for pointers to 1,349 not-freed blocks.
==30559== checked 1,027,500 bytes.
==30559==
==30559== LEAK SUMMARY:
==30559== definitely lost: 92 bytes in 3 blocks.
==30559== possibly lost: 0 bytes in 0 blocks.
==30559== still reachable: 20,644 bytes in 1,346 blocks.
==30559== suppressed: 0 bytes in 0 blocks.
==30559== Rerun with --leak-check=full to see details of leaked memory.
--
Edit bug report at http://bugs.php.net/?id=47165&edit=1