In zend_vm_execute.h:701 PHP frees the function struct in case of 
ZEND_OVERLOADED_FUNCTION. The problem is that in PHP 5.4, the opline calling 
the function has a pointer to the very same struct in its cache_slot. When 
this opcode is called again, the cache is used and it crashes.

My suggested fix is not to cache ZEND_OVERLOADED_FUNCTION; it does solve the 
problem and makes sense to me logically. It is also possible to not free it 
and let it be re-used from the cache_slot.

My patch is attached.
--- Zend/zend_vm_execute.h.orig	2012-01-29 17:56:48.000000000 +0200
+++ Zend/zend_vm_execute.h	2012-01-29 17:54:51.000000000 +0200
@@ -28994,7 +28994,9 @@
 			}
 			if (IS_CONST == IS_CONST &&
 			    EXPECTED((EX(fbc)->common.fn_flags & (ZEND_ACC_CALL_VIA_HANDLER|ZEND_ACC_NEVER_CACHE)) == 0) &&
-			    EXPECTED(EX(object) == object)) {
+			    EXPECTED(EX(object) == object) && 
+				EXPECTED(EX(fbc)->type != ZEND_OVERLOADED_FUNCTION) && 
+				EXPECTED(EX(fbc)->type != ZEND_OVERLOADED_FUNCTION_TEMPORARY)) {
 				CACHE_POLYMORPHIC_PTR(opline->op2.literal->cache_slot, EX(called_scope), EX(fbc));
 			}
 		}
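Review bot: the new conditions are applied only to this one specialized handler (the `IS_CONST == IS_CONST` comparison shows it is a generated specialization), but Zend/zend_vm_execute.h is generated from Zend/zend_vm_def.h; the same CACHE_POLYMORPHIC_PTR pattern exists in the other op2-type specializations, so the check should be added to the template in zend_vm_def.h and the executor regenerated, otherwise the remaining handlers keep caching the freed struct and the edit is lost on the next regeneration. Also, the two added `EXPECTED(EX(fbc)->type != ...)` lines are indented one tab deeper than the `EXPECTED(EX(object) == object) &&` line they continue and carry trailing whitespace after `&&`; align them with the existing continuation lines. Finally, the description only says ZEND_OVERLOADED_FUNCTION is freed, while the hunk also excludes ZEND_OVERLOADED_FUNCTION_TEMPORARY; a short comment stating why both types must never be cached would make the intent clear to the next reader.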

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
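A small C model of the lifetime problem described in the report, added here as an illustration (it is not PHP engine code, and the names `function_entry`, `cache_slot`, `lookup_method`, `release_function` and `run_twice` are made up for the model). It runs the same opline twice against a simulated inline cache and lets you toggle the two alternatives the report mentions: not caching the overloaded function struct, or not freeing it after the call. The "freed" state is tracked in a flag on a static pool instead of calling free(), so a stale cache hit is reported as a return value instead of being real undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not PHP engine code: a toy executor with a per-opline
   inline cache, modelling the report's use-after-free. */

enum func_type {
    USER_FUNCTION = 1,                 /* lives in the class table */
    OVERLOADED_FUNCTION = 2,           /* created by a __call-style handler */
    OVERLOADED_FUNCTION_TEMPORARY = 3  /* same, freed right after the call */
};

struct function_entry {
    int type;
    const char *name;
    int freed;   /* simulated allocator: 1 once the struct was released */
};

struct cache_slot {
    struct function_entry *fbc;   /* cached callee, NULL means cache miss */
};

/* Policy knobs standing in for the two alternatives in the report. */
struct policy {
    int cache_overloaded;   /* 1: cache every fbc (old behaviour) */
    int free_overloaded;    /* 1: free overloaded fbc after the call */
};

static struct function_entry persistent_method = { USER_FUNCTION, "foo", 0 };

/* Pool of "temporary" structs; memory stays addressable so a stale pointer
   can be detected through the freed flag instead of crashing. */
static struct function_entry temp_pool[8];
static int temp_next;

/* Method lookup: persistent entry, or a fresh temporary one per call when
   the class resolves the name through an overloaded handler. */
static struct function_entry *lookup_method(const char *name, int overloaded) {
    if (!overloaded)
        return &persistent_method;
    struct function_entry *f = &temp_pool[temp_next++ % 8];
    f->type = OVERLOADED_FUNCTION_TEMPORARY;
    f->name = name;
    f->freed = 0;
    return f;
}

static int is_overloaded(const struct function_entry *f) {
    return f->type == OVERLOADED_FUNCTION ||
           f->type == OVERLOADED_FUNCTION_TEMPORARY;
}

/* What the patched condition decides: may this fbc go into the cache slot? */
static int cacheable(const struct function_entry *f, const struct policy *p) {
    return p->cache_overloaded || !is_overloaded(f);
}

/* One execution of the call opline. Returns 0 for a sound call and -1 when
   the cache handed back a struct that was already released. */
static int execute_call(struct cache_slot *slot, const char *name,
                        int overloaded, const struct policy *p) {
    struct function_entry *fbc = slot->fbc;
    if (fbc == NULL) {
        fbc = lookup_method(name, overloaded);
        if (cacheable(fbc, p))
            slot->fbc = fbc;
    }
    if (fbc->freed)
        return -1;   /* the real engine dereferences freed memory here */
    /* ... invoke fbc ... */
    if (p->free_overloaded && is_overloaded(fbc))
        fbc->freed = 1;   /* the free at zend_vm_execute.h:701 in the report */
    return 0;
}

/* Execute the same opline twice and report the outcome of the second run. */
int run_twice(int overloaded, int cache_overloaded, int free_overloaded) {
    struct policy p = { cache_overloaded, free_overloaded };
    struct cache_slot slot = { NULL };
    if (execute_call(&slot, "missing", overloaded, &p) != 0)
        return -1;
    return execute_call(&slot, "missing", overloaded, &p);
}

int main(void) {
    printf("persistent method, cache on, free on : %d\n", run_twice(0, 1, 1));
    printf("overloaded, cache on, free on (bug)  : %d\n", run_twice(1, 1, 1));
    printf("overloaded, cache off, free on (fix) : %d\n", run_twice(1, 0, 1));
    printf("overloaded, cache on, free off (alt) : %d\n", run_twice(1, 1, 0));
    return 0;
}
```

Only the combination "cache the overloaded struct and free it after the call" reports a stale hit on the second execution; either of the report's two alternatives avoids it, which is the property the patch's extra type checks enforce on the caching side.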