Corrupted class entries on shutdown when a destructor spawns another object
(C) 2017 CommerceByte Consulting
When zend_objects_store_call_destructors() is called from the shutdown sequence,
it calls the dtors of the remaining objects one by one, in order of object handle.
If a dtor spawns one or more objects, and the new objects happen to reuse old handles
(handles already released, and so already passed by the loop), their dtors are not called in this cycle.
Their dtors are called later, when zend_deactivate() kicks in, after the static property tables in the class entries have been freed.
This causes "Undefined static property" errors and/or a SIGSEGV.
Solution:
A zend_objects_store.no_reuse field is added.
It is set to 0 on initialization and to 1 in the shutdown sequence.
zend_objects_store_put(zend_object *) checks the no_reuse flag and never reuses old handle slots while it is set.
This way, newly spawned objects always land above the loop's current index, so their dtors are guaranteed to be called in the zend_objects_store_call_destructors() loop.
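To see the mechanism described above in isolation, here is an added example that is not part of this patch and not Zend engine code (all names such as toy_store, store_new and run_scenario are hypothetical). It models the store as a handle table with a free list of released handles and a shutdown loop that calls destructors in handle order. With reuse allowed, the object spawned by C's destructor takes the released handle 2, which the loop has already passed, so its destructor is never called; with the flag set it is placed above the current index and is reached later in the same loop, and so is anything its own destructor spawns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the Zend object store (added example, not Zend engine code;
 * all names are hypothetical): a handle table, a free list of released
 * handles, and a shutdown loop calling destructors in handle order. */
#define MAX_HANDLES 64

typedef struct {
    int handle, dtor_called;
    int spawn_chain;    /* dtor spawns one object carrying spawn_chain-1 */
} toy_obj;

typedef struct {
    toy_obj *buckets[MAX_HANDLES];
    int free_list[MAX_HANDLES], free_count; /* stack of released handles */
    int top;            /* next never-used handle, like objects->top */
    int no_reuse;       /* the flag the patch adds */
    int dtors_called;
} toy_store;

typedef struct { int missed, dtors_called; } toy_result;

/* Mirrors zend_objects_store_put(): recycle a released handle unless no_reuse is set. */
static toy_obj *store_new(toy_store *s, int spawn_chain)
{
    toy_obj *o = calloc(1, sizeof *o);
    if (!o) abort();
    o->spawn_chain = spawn_chain;
    if (!s->no_reuse && s->free_count > 0) {
        o->handle = s->free_list[--s->free_count];
    } else {
        if (s->top >= MAX_HANDLES) abort();  /* Zend would grow the array here */
        o->handle = s->top++;
    }
    s->buckets[o->handle] = o;
    return o;
}

/* Release before shutdown: the slot goes on the free list and may be reused. */
static void store_release(toy_store *s, toy_obj *o)
{
    s->buckets[o->handle] = NULL;
    s->free_list[s->free_count++] = o->handle;
    free(o);
}

/* The "destructor": records the call and, if asked, spawns a new object. */
static void call_dtor(toy_store *s, toy_obj *o)
{
    o->dtor_called = 1;
    s->dtors_called++;
    if (o->spawn_chain > 0)
        store_new(s, o->spawn_chain - 1);
}

/* Mirrors zend_objects_store_call_destructors(). s->top is re-read on every
 * iteration, so an object appended above the current index is still visited;
 * one placed on an already-passed handle is not. */
static void store_call_destructors(toy_store *s, int apply_fix)
{
    if (apply_fix)
        s->no_reuse = 1;
    for (int i = 1; i < s->top; i++) {
        toy_obj *o = s->buckets[i];   /* re-index each time, no cached pointer */
        if (o && !o->dtor_called)
            call_dtor(s, o);
    }
}

/* Scenario: A (handle 1); B (handle 2) released before shutdown, so handle 2
 * sits on the free list; C (handle 3) whose dtor spawns a chain of `chain`
 * objects. Returns dtors called and live objects that never got a dtor call. */
static toy_result run_scenario(int apply_fix, int chain)
{
    toy_store s;
    toy_result r = {0, 0};
    memset(&s, 0, sizeof s);
    s.top = 1;                              /* handle 0 is never used, as in Zend */
    store_new(&s, 0);                       /* A */
    toy_obj *b = store_new(&s, 0);          /* B */
    store_new(&s, chain);                   /* C */
    store_release(&s, b);
    store_call_destructors(&s, apply_fix);
    for (int i = 1; i < s.top; i++) {
        if (s.buckets[i] && !s.buckets[i]->dtor_called)
            r.missed++;
        free(s.buckets[i]);
    }
    r.dtors_called = s.dtors_called;
    return r;
}

int main(void)
{
    toy_result bug = run_scenario(0, 2), fixed = run_scenario(1, 2);
    printf("without fix: %d dtors called, %d missed\n", bug.dtors_called, bug.missed);
    printf("with fix:    %d dtors called, %d missed\n", fixed.dtors_called, fixed.missed);
    return 0;
}
```

The model deliberately keeps the bucket array fixed-size; in the real engine the store can grow while a dtor is running, which is one more reason the shutdown loop must index the bucket array afresh on each iteration instead of holding a pointer into it across the dtor call.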
objects->top = 1; /* Skip 0 so that handles are true */
objects->size = init_size;
objects->free_list_head = -1;
+ objects->no_reuse = 0;
memset(&objects->object_buckets[0], 0, sizeof(zend_object*));
}
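Review bot: initialising the flag here, next to free_list_head, is the only place it is cleared, so a one-line comment saying that zend_objects_store_call_destructors() sets it and that this re-initialisation is what arms handle reuse again for the next request would help a reader of the init path.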
ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects)
{
+ objects->no_reuse = 1; /* new objects spawned by dtors will never reuse unused slots, so their own dtors will be called further down the loop */
if (objects->top > 1) {
uint32_t i;
for (i = 1; i < objects->top; i++) {
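Review bot: the flag is set unconditionally and nothing in this function clears it, so the fix depends on zend_objects_store_init() running again before the store serves another request; state that in the comment, since a store that is not re-initialised would keep refusing to recycle handles. The loop condition `i < objects->top` re-reads top on every iteration, which is exactly what makes objects appended by a dtor visible; keep it that way rather than hoisting top into a local, and because a dtor can now push top past its value at loop entry (and may grow the bucket array if that path reallocates), index objects->object_buckets[i] afresh after the dtor call rather than holding a pointer into the array across it.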
{
int handle;
- if (EG(objects_store).free_list_head != -1) {
+ if (!EG(objects_store).no_reuse && EG(objects_store).free_list_head != -1) {
handle = EG(objects_store).free_list_head;
EG(objects_store).free_list_head = GET_OBJ_BUCKET_NUMBER(EG(objects_store).object_buckets[handle]);
} else {
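Review bot: the new condition reads the flag from EG(objects_store) while zend_objects_store_call_destructors() sets it on its `objects` parameter; they are the same store in practice, but the asymmetry deserves a comment. Also worth stating at this check: once no_reuse is set every put takes the else branch, so handles released during shutdown are never handed out again and free_list_head is left pointing at a list nobody consumes, which is acceptable at shutdown but should be said explicitly.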
uint32_t top;
uint32_t size;
int free_list_head;
+ char no_reuse; /* to be set to true when shutting down, to avoid missing dtor call on objects spawned by another dtor */
} zend_objects_store;
/* Global store handling functions */
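Review bot: `char no_reuse` should be `zend_bool`, the type the engine uses for flags (the comment already describes the field as set to true), and the comment would read better as what the field means rather than when it is set, e.g. `/* when set, zend_objects_store_put() never recycles freed handles (shutdown) */`.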