Edit report at https://bugs.php.net/bug.php?id=60042&edit=1
ID: 60042
User updated by: tom at punkave dot com
Reported by: tom at punkave dot com
Summary: spl_autoload_call may manipulate a dangling pointer
Status: Bogus
Type: Bug
Package: SPL related
Operating System: Any
PHP Version: 5.3.8
Block user comment: N
Private report: N

New Comment:

But there's a while loop, and if there are multiple iterations through the loop and one of them doesn't change retval then the same value is destroyed more than once, isn't it? That's bad, right?

Previous Comments:
------------------------------------------------------------------------
[2011-10-11 22:12:32] [email protected]

The retval variable doesn't need to be set to NULL there. The pointer only lives in the current scope and it isn't used after zval_ptr_dtor.

Thanks.
------------------------------------------------------------------------
[2011-10-11 21:05:22] tom at punkave dot com

Fixed typo
------------------------------------------------------------------------
[2011-10-11 21:04:15] tom at punkave dot com

Edit: I determined that this was not causing my segmentation faults. However it still may be a bug. I've read the _zval_ptr_dtor source code and although it is passed the address of the zval rather than the zval itself it doesn't appear to use this opportunity to null it out. Can anyone clarify whether zval_ptr_dtor(&retval) actually nulls out retval before closing this?
------------------------------------------------------------------------
[2011-10-11 17:03:00] tom at punkave dot com

Description:
------------
spl_autoload_call initializes retval to null at the start of the function, but does not reinitialize it to null after destroying the return value of each autoloader call. As a result, if a subsequent autoloader call does not have any return value, then the old dangling pointer is used, resulting in a null pointer reference and a segmentation fault, bus error or other entertaining symptom depending on the time of day.

Many common autoloaders, such as the Symfony autoloaders, always return true or false depending on whether they load a class, even though the documentation for spl_autoload_register does not call for this at all. This is probably because the developers learned the hard way that autoloaders won't play nice together unless they return something due to this bug. A good example of an autoloader that does trigger this bug is the one provided with the Amazon AWS standard library for PHP. Their implementation does not return a value, so PHP segfaults (or similar) if it is later in the chain of autoloaders.

This bug can be fixed as follows:

    if (retval) {
        zval_ptr_dtor(&retval);
    }

Becomes:

    if (retval) {
        zval_ptr_dtor(&retval);
        retval = NULL;
    }

Patch attached.

Expected result:
----------------
Multiple autoloaders play nice.

Actual result:
--------------
If an autoloader other than the first one has no return value a PHP crash takes place due to a dangling pointer to a destroyed value.
------------------------------------------------------------------------
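The pattern the reporter describes, a loop that destroys an out-value but leaves the pointer variable holding the stale address, is easiest to see in a small model. The C below is an added illustration written for this page; it is not PHP's spl_autoload_call, not the reporter's patch, and it does not settle the thread's disagreement about whether PHP's call path always rewrites retval. It assumes a callee that leaves the out-pointer untouched when it has nothing to return (the case the report worries about), and it replaces the real zval with a constructed refcounted box that counts destructor calls instead of freeing memory, so the stale destroy is detected rather than corrupting the heap. The names fake_zval, fake_zval_ptr_dtor, autoloader_fn and run_autoload_chain are all invented here.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a PHP 5 zval: a refcounted box plus a flag
 * recording whether its destructor has already run. A real zval is freed,
 * so a second destroy is heap corruption; here it is merely counted. */
typedef struct {
    int refcount;
    int destroyed;
} fake_zval;

static int bad_destroys;      /* destructor calls on an already destroyed box */
static fake_zval pool[8];     /* static storage: nothing is ever really freed */
static int pool_used;

static fake_zval *fake_zval_new(void) {
    fake_zval *z = &pool[pool_used++];
    z->refcount = 1;
    z->destroyed = 0;
    return z;
}

/* Stand-in for zval_ptr_dtor(&p). As the reporter reads the PHP 5 source,
 * the real macro takes the address but does not write NULL back through
 * it; this model behaves the same way on purpose. */
static void fake_zval_ptr_dtor(fake_zval **pp) {
    fake_zval *z = *pp;
    if (z->destroyed) {
        bad_destroys++;       /* would be a use-after-free in real code */
        return;
    }
    if (--z->refcount == 0) {
        z->destroyed = 1;
    }
}

/* Hypothetical autoloader shape: may or may not produce a return value. */
typedef void (*autoloader_fn)(fake_zval **retval);

/* Like the Symfony-style loaders in the report: always returns something. */
static void autoloader_returns_value(fake_zval **retval) {
    *retval = fake_zval_new();
}

/* Like the AWS loader as described: returns nothing, leaves the
 * out-pointer untouched (the assumption this model is built on). */
static void autoloader_returns_nothing(fake_zval **retval) {
    (void)retval;
}

/* Model of the autoload loop. reset_after_dtor == 0 mirrors the snippet
 * the reporter quotes; reset_after_dtor == 1 applies the proposed one-line
 * fix. Returns how many destroys hit an already destroyed value. */
int run_autoload_chain(int reset_after_dtor) {
    autoloader_fn chain[] = {
        autoloader_returns_value,
        autoloader_returns_nothing,
        autoloader_returns_nothing,
    };
    fake_zval *retval = NULL;
    size_t i;

    bad_destroys = 0;
    pool_used = 0;

    for (i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        chain[i](&retval);
        if (retval) {
            fake_zval_ptr_dtor(&retval);
            if (reset_after_dtor) {
                retval = NULL;  /* the reset the report proposes */
            }
        }
    }
    return bad_destroys;
}

int main(void) {
    printf("without reset: %d stale destroy(s)\n", run_autoload_chain(0));
    printf("with reset:    %d stale destroy(s)\n", run_autoload_chain(1));
    return 0;
}
```

Without the reset, the first loader's value is destroyed on iteration one and then destroyed again on each later iteration whose loader leaves retval alone, so the model reports two stale destroys for this three-loader chain; with the reset it reports none. The general lesson for reviewing this kind of loop is that a pointer variable reused across iterations must be treated as dead as soon as its referent is, regardless of whether the callee is believed to overwrite it.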
