From: Antony Dovgal
Date: Wed, 11 Feb 2009 09:58:58 +0000 (+0000)
Subject: MFH: fix bug #47353 (crash when creating a lot of objects in object destructor)
X-Git-Tag: php-5.2.9RC2~9
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=120b469bb41e710dfefcc65edfe25721aef41aed;p=php
MFH: fix bug #47353 (crash when creating a lot of objects in object destructor)
---
diff --git a/NEWS b/NEWS
index edd684a5f9..7d6870d386 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Feb 2009, PHP 5.2.9
+- Fixed bug #47353 (crash when creating a lot of objects in object destructor).
+ (Tony)
 - Fixed bug #47322 (sscanf %d doesn't work). (Felipe)
 - Fixed bug #46026 (bz2.decompress/zlib.inflate filter tries to decompress after end of stream). (Greg)
diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
index 4e49ea244a..7b73ab33c2 100644
--- a/Zend/zend_objects_API.c
+++ b/Zend/zend_objects_API.c
@@ -55,6 +55,7 @@ ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects TS
 if (obj->dtor && obj->object) {
 obj->refcount++;
 obj->dtor(obj->object, i TSRMLS_CC);
+ obj = &objects->object_buckets[i].bucket.obj;
 obj->refcount--;
 }
 }
@@ -200,6 +201,10 @@ ZEND_API void zend_objects_store_del_ref_by_handle(zend_object_handle handle TSR
 } zend_end_try();
 }
 }
+
+ /* re-read the object from the object store as the store might have been reallocated in the dtor */
+ obj = &EG(objects_store).object_buckets[handle].bucket.obj;
+
 if (obj->refcount == 1) {
 if (obj->free_storage) {
 zend_try {
@@ -241,6 +246,7 @@ ZEND_API zend_object_value zend_objects_store_clone_obj(zval *zobject TSRMLS_DC)
 }
 obj->clone(obj->object, &new_object TSRMLS_CC);
+ obj = &EG(objects_store).object_buckets[handle].bucket.obj;
 retval.handle = zend_objects_store_put(new_object, obj->dtor, obj->free_storage, obj->clone TSRMLS_CC);
 retval.handlers = Z_OBJ_HT_P(zobject);
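Review bot: The added `obj = &objects->object_buckets[i].bucket.obj;` after the `obj->dtor(...)` call in zend_objects_store_call_destructors has no comment, so a later cleanup could delete it as a redundant assignment and bring back the stale pointer. The hunk in zend_objects_store_del_ref_by_handle explains its re-read. This line and the re-read after `obj->clone(...)` in zend_objects_store_clone_obj should carry the same explanation, e.g. `/* dtor may create objects and reallocate the store; re-read obj before touching it again */`. The function body starts and ends outside the hunk.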
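Review bot: The re-read in zend_objects_store_del_ref_by_handle covers only the dtor, but the `obj->free_storage` callback entered by the trailing context lines is also reached through the cached `obj`. The hunk ends before showing whether `obj` is dereferenced again after that callback returns. If it is, and if free_storage can reach code that grows the store, later accesses should go through `EG(objects_store).object_buckets[handle]` rather than the cached pointer. The commit also touches only NEWS and zend_objects_API.c, so bug #47353 has no regression test; a .phpt that creates many objects inside a destructor, as the bug title describes, would stop the fix from silently regressing.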
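Review bot: In zend_objects_store_clone_obj the handler pointers passed to `zend_objects_store_put` (`obj->dtor`, `obj->free_storage`, `obj->clone`) are still read from the bucket after the clone callback has run, which is the only reason the re-read is needed here. Copying those three pointers into locals before `obj->clone(obj->object, &new_object TSRMLS_CC)` would leave nothing that dereferences `obj` after the callback. The code would then stay correct even if the re-read line were dropped in a later merge. This assumes the handlers are not expected to change during the clone, which the hunk does not show. The function starts outside the hunk.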