--- Comment #23 from Tim Starling <> ---
I spent some more time on this today. 

In zend_objects_store_call_destructors() there is this:

obj->dtor(obj->object, i TSRMLS_CC);
obj = &objects->object_buckets[i].bucket.obj;

XMPReader::__destruct() is called here, and frees the last reference to itself
by freeing the XML resource, so obj->refcount-- reduces the reference count to
zero. This is not checked for, and so the object is not freed. Normally,
objects have their reference count decremented in the del_ref handler
(zend_objects_store_del_ref_by_handle_ex()), and if it reaches zero, the
free_storage handler is called and zend_object_store_bucket.valid is set to

A zero reference count on a live object should be pretty harmless, even though
the del_ref handler doesn't guard against it, because there really are no
references, so there's a limited number of ways to access it. But in this case,
it appears that the zero reference count causes the GC to not free the object,
but it does free the object's xmlReader property. The object bucket is still
valid, so zend_objects_store_free_object_storage() does a double free.

Although the bug may not be actually in the GC, it does seem to require the GC
to run at a very specific time in the shutdown process. So a possible
alternative workaround would be something like:

--- a/tests/phpunit/phpunit.php
+++ b/tests/phpunit/phpunit.php
@@ -114,4 +114,9 @@ if ( PHPUnit_Runner_Version::id() !== '@package_version@'
 if ( !class_exists( 'PHPUnit_TextUI_Command' ) ) {
        require_once 'PHPUnit/Autoload.php';
+register_shutdown_function( function() {
+       gc_collect_cycles();
+       gc_disable();
+} );

You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
Wikibugs-l mailing list

Reply via email to