Edit report at https://bugs.php.net/bug.php?id=65382&edit=1
ID: 65382
Updated by: dmi...@php.net
Reported by: ni...@php.net
Summary: Segfault in closure_030.phpt
-Status: Assigned
+Status: Closed
Type: Bug
Package: Scripting Engine problem
PHP Version: 5.5.2RC1
Assigned To: dmitry
Block user comment: N
Private report: N

New Comment:

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.

Previous Comments:
------------------------------------------------------------------------
[2013-08-12 06:54:44] dmi...@php.net

I saw the problem only in master and it was related to "Improved IS_VAR operands fetching".

------------------------------------------------------------------------
[2013-08-12 06:53:38] dmi...@php.net

Automatic comment on behalf of dmi...@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=52dac3e8cda94c8f38287ec3c437d9450b31b527
Log: Fixed bug #65382 (Segfault in closure_030.phpt)

------------------------------------------------------------------------
[2013-08-11 08:32:00] s...@php.net

Looks like a consequence of 821d7169d9d575ceef71e69570b98519826ccb01 - prototype is being used as temp storage, but it is actually never reset.

If I add:

op_array->prototype = NULL;

to zend_leave_helper_SPEC, it looks like it fixes the crash, but I'm not sure if it is the right thing to do (e.g. - what happens if such calls are nested?)

------------------------------------------------------------------------
[2013-08-11 08:18:35] s...@php.net

Looks like refcount for $b is decremented twice in the last call - once in zend_leave_helper_SPEC and once when finishing zend_do_fcall_common_helper_SPEC, which causes $b to be destroyed.

This code was added by Dmitry, so assigning this bug to him.
------------------------------------------------------------------------
[2013-08-03 12:45:43] ni...@php.net

Description:
------------
closure_030.phpt segfaults on Travis. Short repro script:

<?php
$b = function() { };
$a = 'b';
$$a();
$b->__invoke();

Valgrind output:

~/dev/php-dev$ USE_ZEND_ALLOC=0 valgrind sapi/cli/php t22.php
==2074== Memcheck, a memory error detector
==2074== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==2074== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==2074== Command: sapi/cli/php t22.php
==2074==
==2074== Invalid read of size 1
==2074==    at 0x8260376: zval_call_destructor (zend_execute_API.c:203)
==2074==    by 0x8286B2D: zend_hash_reverse_apply (zend_hash.c:775)
==2074==    by 0x8260452: shutdown_destructors (zend_execute_API.c:217)
==2074==    by 0x8274BC3: zend_call_destructors (zend.c:923)
==2074==    by 0x81D6742: php_request_shutdown (main.c:1745)
==2074==    by 0x831EDD9: do_cli (php_cli.c:1177)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074==  Address 0x44828f4 is 12 bytes inside a block of size 20 free'd
==2074==    at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2074==    by 0x823C602: _efree (zend_alloc.c:2437)
==2074==    by 0x82AB651: i_zval_ptr_dtor (zend_execute.h:82)
==2074==    by 0x82B1AC3: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:630)
==2074==    by 0x82B1CD3: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:682)
==2074==    by 0x82B097E: execute_ex (zend_vm_execute.h:356)
==2074==    by 0x82B0A33: zend_execute (zend_vm_execute.h:381)
==2074==    by 0x827636C: zend_execute_scripts (zend.c:1316)
==2074==    by 0x81D85C6: php_execute_script (main.c:2484)
==2074==    by 0x831E192: do_cli (php_cli.c:994)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074==
==2074== Invalid read of size 4
==2074==    at 0x825F4F3: zval_refcount_p (zend.h:397)
==2074==    by 0x826038A: zval_call_destructor (zend_execute_API.c:203)
==2074==    by 0x8286B2D: zend_hash_reverse_apply (zend_hash.c:775)
==2074==    by 0x8260452: shutdown_destructors (zend_execute_API.c:217)
==2074==    by 0x8274BC3: zend_call_destructors (zend.c:923)
==2074==    by 0x81D6742: php_request_shutdown (main.c:1745)
==2074==    by 0x831EDD9: do_cli (php_cli.c:1177)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074==  Address 0x44828f0 is 8 bytes inside a block of size 20 free'd
==2074==    at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2074==    by 0x823C602: _efree (zend_alloc.c:2437)
==2074==    by 0x82AB651: i_zval_ptr_dtor (zend_execute.h:82)
==2074==    by 0x82B1AC3: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:630)
==2074==    by 0x82B1CD3: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:682)
==2074==    by 0x82B097E: execute_ex (zend_vm_execute.h:356)
==2074==    by 0x82B0A33: zend_execute (zend_vm_execute.h:381)
==2074==    by 0x827636C: zend_execute_scripts (zend.c:1316)
==2074==    by 0x81D85C6: php_execute_script (main.c:2484)
==2074==    by 0x831E192: do_cli (php_cli.c:994)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074==
... and so on

------------------------------------------------------------------------
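The thread's diagnosis is a refcount decremented twice for one owner: the symbol table still holds $b, the call frame releases its reference twice, the count reaches zero, and the shutdown destructor walk then reads freed memory (the Valgrind trace above). The following is an added model of that failure, written for this page and not taken from the Zend engine; every name in it is invented, and a `freed` flag stands in for a real free() so the dangling reference can be observed without reading released memory. The checked variant releases through an owner's slot and clears it, so a second release by the same owner is refused and reported instead of silently dropping a count it no longer holds.

```c
#include <stdio.h>

/* Added model, not Zend engine code: a value with a plain refcount, standing in for
 * the zval that holds $b. "freed" replaces a real free() call so the dangling case
 * is observable without touching released memory. */
typedef struct {
    int refcount;
    int freed;
} rc_value;

/* The naive pattern the thread describes: every release just decrements, and the
 * value goes away when the count hits zero, regardless of who still points at it. */
static void naive_release(rc_value *v) {
    if (--v->refcount == 0) {
        v->freed = 1;   /* a real engine would free the zval here */
    }
}

/* Checked release: each owner releases through its own slot, which is cleared on
 * success. A second release from the same owner finds an empty slot and is refused.
 * Returns 0 on success, -1 on a detected double release. */
static int checked_release(rc_value **slot) {
    rc_value *v = *slot;
    if (v == NULL || v->freed || v->refcount <= 0) {
        return -1;
    }
    *slot = NULL;
    if (--v->refcount == 0) {
        v->freed = 1;
    }
    return 0;
}

/* Simulate the repro: the symbol table holds $b (refcount 1), a call frame takes a
 * reference and then releases it frame_releases times (2 models the bug).
 * Returns 1 if the symbol table is left pointing at a freed value. */
int simulate_naive(int frame_releases) {
    rc_value val = {1, 0};           /* constructed: $b as held by the symbol table */
    rc_value *symtab = &val;
    rc_value *frame = symtab;
    frame->refcount++;               /* the call frame takes its own reference */
    for (int i = 0; i < frame_releases; i++) {
        naive_release(frame);
    }
    return symtab->freed;            /* 1: the shutdown walk would read freed memory */
}

/* Same scenario with the checked release. *refused receives the number of
 * releases that were rejected; the return value is the symbol table's freed flag. */
static int run_checked(int frame_releases, int *refused) {
    rc_value val = {1, 0};
    rc_value *symtab = &val;
    rc_value *frame = symtab;
    frame->refcount++;
    *refused = 0;
    for (int i = 0; i < frame_releases; i++) {
        if (checked_release(&frame) != 0) {
            (*refused)++;
        }
    }
    return symtab->freed;
}

int simulate_checked_dangling(int frame_releases) {
    int refused;
    return run_checked(frame_releases, &refused);
}

int simulate_checked_refused(int frame_releases) {
    int refused;
    run_checked(frame_releases, &refused);
    return refused;
}

int main(void) {
    printf("naive, one release:    dangling=%d\n", simulate_naive(1));
    printf("naive, two releases:   dangling=%d\n", simulate_naive(2));
    printf("checked, two releases: dangling=%d refused=%d\n",
           simulate_checked_dangling(2), simulate_checked_refused(2));
    return 0;
}
```

The naive run with two releases leaves the symbol table holding a freed value, which is the state Valgrind reports at shutdown; the slot-based release turns the same mistake into a refused call that a debug build can log or assert on.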