In zend_vm_execute.h:701 PHP frees the function struct in case of ZEND_OVERLOADED_FUNCTION. The problem is that in PHP 5.4, the opline calling the function has a pointer to the very same struct in its cache_slot. When this opcode is called again, the cache is used and it crashes.
My suggested fix is not to cache ZEND_OVERLOADED_FUNCTION; it does solve the problem and makes sense to me logically. It is also possible to not free it and let it be re-used from cache_slot. My patch is attached.
--- Zend/zend_vm_execute.h.orig 2012-01-29 17:56:48.000000000 +0200 +++ Zend/zend_vm_execute.h 2012-01-29 17:54:51.000000000 +0200 @@ -28994,7 +28994,9 @@ } if (IS_CONST == IS_CONST && EXPECTED((EX(fbc)->common.fn_flags & (ZEND_ACC_CALL_VIA_HANDLER|ZEND_ACC_NEVER_CACHE)) == 0) && - EXPECTED(EX(object) == object)) { + EXPECTED(EX(object) == object) && + EXPECTED(EX(fbc)->type != ZEND_OVERLOADED_FUNCTION) && + EXPECTED(EX(fbc)->type != ZEND_OVERLOADED_FUNCTION_TEMPORARY)) { CACHE_POLYMORPHIC_PTR(opline->op2.literal->cache_slot, EX(called_scope), EX(fbc)); } }
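Review bot: the hunk patches the generated file Zend/zend_vm_execute.h (note the `IS_CONST == IS_CONST` comparison left behind by the VM specializer), so the fix will be lost the next time the executor is regenerated from Zend/zend_vm_def.h, and it only covers this one op2 specialization of the handler; the two added `EXPECTED(EX(fbc)->type != ZEND_OVERLOADED_FUNCTION...)` checks should go into the handler definition in zend_vm_def.h so that every specialization picks them up. Since the existing condition already skips caching for functions carrying `ZEND_ACC_NEVER_CACHE`, it would also be worth stating in the commit message why that flag is not simply set on the overloaded function struct when it is created, as that would avoid adding two extra branches to the hot path of every cached method call.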
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php