- Core:
. Fixed bug #76901 (method_exists on SPL iterator passthrough method corrupts
memory). (Nikita)
+ . Fixed bug #76846 (Segfault in shutdown function after memory limit error).
+ (Nikita)
- CURL:
. Fixed bug #76480 (Use curl_multi_wait() so that timeouts are respected).
--- /dev/null
+--TEST--
+Bug #76846: Segfault in shutdown function after memory limit error
+--INI--
+memory_limit=33M
+--SKIPIF--
+<?php
+$zend_mm_enabled = getenv("USE_ZEND_ALLOC");
+if ($zend_mm_enabled === "0") {
+ die("skip Zend MM disabled");
+}
+?>
+--FILE--
+<?php
+
+register_shutdown_function(function() {
+ new stdClass;
+});
+
+$ary = [];
+while (true) {
+ $ary[] = new stdClass;
+}
+
+?>
+--EXPECTF--
+Fatal error: Allowed memory size of %d bytes exhausted at %s:%d (tried to allocate %d bytes) in %s on line %d
+%A
EG(objects_store).free_list_head = GET_OBJ_BUCKET_NUMBER(EG(objects_store).object_buckets[handle]);
} else {
if (EG(objects_store).top == EG(objects_store).size) {
- EG(objects_store).size <<= 1;
- EG(objects_store).object_buckets = (zend_object **) erealloc(EG(objects_store).object_buckets, EG(objects_store).size * sizeof(zend_object*));
+ uint32_t new_size = 2 * EG(objects_store).size;
+ EG(objects_store).object_buckets = (zend_object **) erealloc(EG(objects_store).object_buckets, new_size * sizeof(zend_object*));
+ /* Assign size after realloc, in case it fails */
+ EG(objects_store).size = new_size;
}
handle = EG(objects_store).top++;
}
projects / php / commitdiff