From: ob dot php at daevel dot fr
Operating system: debian lenny 64bits
PHP version: 5.3CVS-2009-02-10 (snap)
PHP Bug Type: Reproducible crash
Bug description: crash with reference on array in a destructor

Description:
------------
PHP may segfault if, in an object destructor, we use a reference to a large array to add another object instance.

Reproduce code:
---------------
<?php
class A {
    function __destruct() {
        $myArray = array();
        for ($i = 1; $i <= 2000; $i++) {
            if (!isset($myArray[$i])) $myArray[$i] = array();
            $ref = & $myArray[$i];
            $ref[] = new stdClass();   // each object is created while this destructor is running
        }
    }
}
$a = new A();
?>

Expected result:
----------------
No crash, no valgrind alert.

Actual result:
--------------
==29611== Invalid read of size 4
==29611==    at 0x7DCA72: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:211)
==29611==    by 0x7DC87D: zend_objects_store_del_ref (zend_objects_API.c:171)
==29611==    by 0x7AC26E: _zval_dtor_func (zend_variables.c:52)
==29611==    by 0x79BF37: _zval_dtor (zend_variables.h:35)
==29611==    by 0x79C259: _zval_ptr_dtor (zend_execute_API.c:429)
==29611==    by 0x7AC635: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==29611==    by 0x7BF615: zend_hash_apply_deleter (zend_hash.c:611)
==29611==    by 0x7BFC6A: zend_hash_reverse_apply (zend_hash.c:760)
==29611==    by 0x79B920: shutdown_destructors (zend_execute_API.c:219)
==29611==    by 0x7ADFF5: zend_call_destructors (zend.c:867)
==29611==    by 0x72FD04: php_request_shutdown (main.c:1516)
==29611==    by 0x854339: main (php_cli.c:1340)
==29611==  Address 0x6f0bf70 is 112 bytes inside a block of size 65,536 free'd
==29611==    at 0x4C22741: realloc (vg_replace_malloc.c:429)
==29611==    by 0x787FB0: _erealloc (zend_alloc.c:2316)
==29611==    by 0x7DC6B4: zend_objects_store_put (zend_objects_API.c:112)
==29611==    by 0x7D78B2: zend_objects_new (zend_objects.c:124)
==29611==    by 0x7B3C42: _object_and_properties_init (zend_API.c:1058)
==29611==    by 0x7B3D4D: _object_init_ex (zend_API.c:1075)
==29611==    by 0x7E1D59: ZEND_NEW_SPEC_HANDLER (zend_vm_execute.h:477)
==29611==    by 0x7DF71A: execute (zend_vm_execute.h:104)
==29611==    by 0x79E6FA: zend_call_function (zend_execute_API.c:928)
==29611==    by 0x7CB5AF: zend_call_method (zend_interfaces.c:89)
==29611==    by 0x7D77BB: zend_objects_destroy_object (zend_objects.c:106)
==29611==    by 0x7DCA40: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:205)

[some other errors]

==29611== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 40 from 3)
==29611== malloc/free: in use at exit: 324 bytes in 12 blocks.
==29611== malloc/free: 34,713 allocs, 34,701 frees, 4,559,428 bytes allocated.
==29611== For counts of detected errors, rerun with: -v
==29611== searching for pointers to 12 not-freed blocks.
==29611== checked 961,440 bytes.
==29611==
==29611== LEAK SUMMARY:
==29611==    definitely lost: 292 bytes in 11 blocks.
==29611==    possibly lost: 0 bytes in 0 blocks.
==29611==    still reachable: 32 bytes in 1 blocks.
==29611==         suppressed: 0 bytes in 0 blocks.

-- 
Edit bug report at http://bugs.php.net/?id=47353&edit=1
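The trace above shows the object store being realloc'd by zend_objects_store_put (called from the destructor's `new stdClass()`) while zend_objects_store_del_ref_by_handle_ex still holds a pointer into the old buffer, which it then reads from. The following C model is added here and is not Zend's code; all names (store_t, store_put, store_del_ref, run_scenario) are hypothetical. It reproduces that shape with a handle-indexed bucket array that grows by realloc and shows the defensive pattern: after the destructor returns, re-index the bucket by handle instead of reusing the pre-call pointer.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical handle-indexed object store (constructed model, not Zend's code). */
typedef struct store store_t;
typedef void (*dtor_fn)(store_t *st, unsigned handle);
typedef struct { void *object; dtor_fn dtor; int valid, dtor_called; } bucket_t;
struct store { bucket_t *buckets; unsigned used, size; };
/* Append a bucket, doubling the array when full; after realloc() every pointer
 * into the old array dangles, like the trace's zend_objects_store_put -> _erealloc. */
unsigned store_put(store_t *st, void *object, dtor_fn dtor) {
    if (st->used == st->size) {
        st->size = st->size ? st->size * 2 : 4;
        bucket_t *grown = realloc(st->buckets, st->size * sizeof *grown);
        if (!grown) abort();
        st->buckets = grown;
    }
    unsigned h = st->used++;
    st->buckets[h] = (bucket_t){ object, dtor, 1, 0 };
    return h;
}

/* Release a handle. The destructor may create objects and move the array, so the
 * bucket is re-indexed by handle afterwards instead of through the pre-call pointer. */
void store_del_ref(store_t *st, unsigned handle) {
    bucket_t *b = &st->buckets[handle];        /* valid only until the dtor runs */
    if (b->valid && !b->dtor_called) {
        b->dtor_called = 1;
        if (b->dtor) b->dtor(st, handle);      /* may call store_put() and realloc */
    }
    b = &st->buckets[handle];                  /* the fix: re-fetch, never reuse old b */
    b->valid = 0;
    b->object = NULL;
}

/* Destructor shaped like the report's __destruct: creates 2000 objects. */
static void alloc_in_dtor(store_t *st, unsigned handle) {
    (void)handle;
    for (int i = 0; i < 2000; i++) store_put(st, NULL, NULL);
}

/* One object whose destructor grows the store; returns the bucket count after
 * release, or -1 if the released handle still reads as live. */
long run_scenario(void) {
    store_t st = { 0 };
    unsigned h = store_put(&st, NULL, alloc_in_dtor);
    store_del_ref(&st, h);
    long result = st.buckets[h].valid ? -1 : (long)st.used;
    free(st.buckets);
    return result;
}
```

Running the model under valgrind with the re-fetch line removed reproduces the same "inside a block ... free'd" pattern as the report, which is a quick way to confirm a candidate fix in the real store.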