In zend_vm_execute.h:701 PHP frees the function struct in case of
ZEND_OVERLOADED_FUNCTION. The problem is that in PHP 5.4, the opline calling
the function has a pointer to the very same struct in its cache_slot. When
this opcode is called again, the cache is used and it crashes.
My suggested fix is not to cache ZEND_OVERLOADED_FUNCTION; it does solve the
problem and makes sense to me logically. It is also possible to not free it
and let it be re-used from cache_slot.
My patch is attached.
--- Zend/zend_vm_execute.h.orig 2012-01-29 17:56:48.000000000 +0200
+++ Zend/zend_vm_execute.h 2012-01-29 17:54:51.000000000 +0200
@@ -28994,7 +28994,9 @@
}
if (IS_CONST == IS_CONST &&
EXPECTED((EX(fbc)->common.fn_flags & (ZEND_ACC_CALL_VIA_HANDLER|ZEND_ACC_NEVER_CACHE)) == 0) &&
- EXPECTED(EX(object) == object)) {
+ EXPECTED(EX(object) == object) &&
+ EXPECTED(EX(fbc)->type != ZEND_OVERLOADED_FUNCTION) &&
+ EXPECTED(EX(fbc)->type != ZEND_OVERLOADED_FUNCTION_TEMPORARY)) {
CACHE_POLYMORPHIC_PTR(opline->op2.literal->cache_slot, EX(called_scope), EX(fbc));
}
}
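Review bot: this hunk patches only one specialized handler of the generated file (the `IS_CONST == IS_CONST` tautology in the context line shows it is the output of zend_vm_gen.php), so the two added `EXPECTED(EX(fbc)->type != ...)` conditions will be lost on the next regeneration and do not reach the other op1/op2 specializations that have the same CACHE_POLYMORPHIC_PTR block. The change should be made once in the handler definition in zend_vm_def.h and zend_vm_execute.h regenerated from it; a one-line comment above the new conditions explaining that overloaded function structs are freed after the call and therefore must never be stored in cache_slot would also help the next reader, since nothing in the hunk says why these two types are excluded.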
--
PHP Internals - PHP Runtime Development Mailing List