path: root/Zend/zend_inheritance.c
author: Keyur Govande <keyur@php.net> 2014-08-14 00:55:14 +0000
committer: Keyur Govande <keyur@php.net> 2014-08-14 00:55:14 +0000
commit: 32314f6b6715ec6bfd5a2d88310768e2fa9bf707 (patch)
tree: d530587e1465216a870cb3b71310bec6d8cd86d0 /Zend/zend_inheritance.c
parent: 42437dd870de28eee6c9127f4c7e7c78ba8e0152 (diff)
download: php-git-32314f6b6715ec6bfd5a2d88310768e2fa9bf707.tar.gz

Fix destruction order in zend_shutdown (bug #65463, #66036)

If Apache or a similar SAPI receives a signal during PHP processing it calls zend_shutdown() without calling shutdown_executor().

#65463: If a module like Gearman or Memcached is loaded, in the unfixed version it is unloaded by zend_destroy_modules() before the CG(CLASS_TABLE) is destructed. When CG(CLASS_TABLE) is destructed, any pointers to methods (specifically around destruction) in the unloaded module's .so are now dangling and the process segfaults.

#66036: Any subclasses of an internal class like ArrayObject need to be destructed in order: subclass first and then the internal class. In the unfixed version zend_shutdown() clears the CG(CLASS_TABLE) from the head of the list onwards, so internal classes are destructed first and user-defined classes last. Internal classes are alloc/deallocated with malloc/free while user-defined classes with emalloc/efree. If there's shared data between them then efree() could be called instead of free() leading to a seg-fault.

Diffstat (limited to 'Zend/zend_inheritance.c')
0 files changed, 0 insertions, 0 deletions