Fix use after free during shutdown destruction #18834
Open
+36
−26
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Ping @nielsdos |
nielsdos
requested changes
Jun 11, 2025
There was a problem hiding this comment.
Great work, nice find!
I think the solution needs changes however.
Rather than removing the fast shutdown path, it should also skip the weakmap free_obj handler. Note that we already skip the std free_obj handler.
There's 2 easy ways of doing this:
- Either extend the existing if condition to check for the weakmap free_obj handler.
- Or you add a check inside the function implementing the weakmap free_obj handler. You'd need to know whether we're in fast shutdown then though.
Option 1 is easier, option 2 might be cheaper. I'm not sure.
EDIT: Ah but I suppose that in option1, other internal classes holding onto weak refs can then trigger the same issue. Perhaps we should do it the other way around: call free_obj anyway if IS_OBJ_WEAKLY_REFERENCE is set...
Something like this perhaps:
diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
index 80f5b747db7..df4b961a903 100644
--- a/Zend/zend_objects_API.c
+++ b/Zend/zend_objects_API.c
@@ -104,7 +104,7 @@ ZEND_API void ZEND_FASTCALL zend_objects_store_free_object_storage(zend_objects_
if (IS_OBJ_VALID(obj)) {
if (!(OBJ_FLAGS(obj) & IS_OBJ_FREE_CALLED)) {
GC_ADD_FLAGS(obj, IS_OBJ_FREE_CALLED);
- if (obj->handlers->free_obj != zend_object_std_dtor) {
+ if (obj->handlers->free_obj != zend_object_std_dtor || (GC_FLAGS(obj) & IS_OBJ_WEAKLY_REFERENCED)) {
GC_ADDREF(obj);
obj->handlers->free_obj(obj);
}
or even:
diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
index 80f5b747db7..8ffdfa18af8 100644
--- a/Zend/zend_objects_API.c
+++ b/Zend/zend_objects_API.c
@@ -24,6 +24,7 @@
#include "zend_API.h"
#include "zend_objects_API.h"
#include "zend_fibers.h"
+#include "zend_weakrefs.h"
ZEND_API void ZEND_FASTCALL zend_objects_store_init(zend_objects_store *objects, uint32_t init_size)
{
@@ -107,6 +108,8 @@ ZEND_API void ZEND_FASTCALL zend_objects_store_free_object_storage(zend_objects_
if (obj->handlers->free_obj != zend_object_std_dtor) {
GC_ADDREF(obj);
obj->handlers->free_obj(obj);
+ } else if (UNEXPECTED(GC_FLAGS(obj) & IS_OBJ_WEAKLY_REFERENCED)) {
+ zend_weakrefs_notify(obj);
}
}
}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #18833 by removing the faulty fast path, which breaks weak reference notifications, also causing issues like phpredis/phpredis#2630.