From 32314f6b6715ec6bfd5a2d88310768e2fa9bf707 Mon Sep 17 00:00:00 2001 From: Keyur Govande Date: Thu, 14 Aug 2014 00:55:14 +0000 Subject: Fix destruction order in zend_shutdown (bug #65463, #66036) If Apache or a similar SAPI receives a signal during PHP processing it calls zend_shutdown() without calling shutdown_executor(). #65463: If a module like Gearman or Memcached is loaded, in the unfixed version it is unloaded by zend_destroy_modules() before the CG(CLASS_TABLE) is destructed. When CG(CLASS_TABLE) is destructed, any pointers to methods (specifically around destruction) in the unloaded module's .so are now dangling and the process segfaults. #66036: Any subclasses of an internal class like ArrayObject need to be destructed in order: subclass first and then the internal class. In the unfixed version zend_shutdown() clears the CG(CLASS_TABLE) from the head of the list onwards, so internal classes are destructed first and user-defined classes last. Internal classes are alloc/deallocated with malloc/free while user-defined classes with emalloc/efree. If there's shared data between them then efree() could be called instead of free() leading to a seg-fault. --- Zend/zend_execute_API.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'Zend/zend_execute_API.c') diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c index a38504fbb4..9efc13bf85 100644 --- a/Zend/zend_execute_API.c +++ b/Zend/zend_execute_API.c @@ -108,19 +108,19 @@ static int clean_non_persistent_function(zend_function *function TSRMLS_DC) /* { } /* }}} */ -static int clean_non_persistent_function_full(zend_function *function TSRMLS_DC) /* {{{ */ +ZEND_API int clean_non_persistent_function_full(zend_function *function TSRMLS_DC) /* {{{ */ { return (function->type == ZEND_INTERNAL_FUNCTION) ? ZEND_HASH_APPLY_KEEP : ZEND_HASH_APPLY_REMOVE; } /* }}} */ -static int clean_non_persistent_class(zend_class_entry **ce TSRMLS_DC) /* {{{ */ +ZEND_API int clean_non_persistent_class(zend_class_entry **ce TSRMLS_DC) /* {{{ */ { return ((*ce)->type == ZEND_INTERNAL_CLASS) ? ZEND_HASH_APPLY_STOP : ZEND_HASH_APPLY_REMOVE; } /* }}} */ -static int clean_non_persistent_class_full(zend_class_entry **ce TSRMLS_DC) /* {{{ */ +ZEND_API int clean_non_persistent_class_full(zend_class_entry **ce TSRMLS_DC) /* {{{ */ { return ((*ce)->type == ZEND_INTERNAL_CLASS) ? ZEND_HASH_APPLY_KEEP : ZEND_HASH_APPLY_REMOVE; } -- cgit v1.2.1 From 5e338836ff4f52107ae722322ffe92b8cd7d3aa3 Mon Sep 17 00:00:00 2001 From: Keyur Govande Date: Thu, 14 Aug 2014 01:14:11 +0000 Subject: Fix typo from commit 32314f6b6 --- Zend/zend_execute_API.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Zend/zend_execute_API.c') diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c index 9efc13bf85..0f8f41811b 100644 --- a/Zend/zend_execute_API.c +++ b/Zend/zend_execute_API.c @@ -114,7 +114,7 @@ ZEND_API int clean_non_persistent_function_full(zend_function *function TSRMLS_D } /* }}} */ -ZEND_API int clean_non_persistent_class(zend_class_entry **ce TSRMLS_DC) /* {{{ */ +static int clean_non_persistent_class(zend_class_entry **ce TSRMLS_DC) /* {{{ */ { return ((*ce)->type == ZEND_INTERNAL_CLASS) ? ZEND_HASH_APPLY_STOP : ZEND_HASH_APPLY_REMOVE; } -- cgit v1.2.1