Fix use-after-free in exception trace with user objects #372

Merged
realFlowControl merged 1 commit into develop from florian/fix-dangling-ce-ptr
Mar 16, 2026

Conversation

@realFlowControl (Collaborator) commented Mar 16, 2026

See #371

When a thread throws an exception whose trace contains a plain user object (a class without create_object), the exception is persistently copied via php_parallel_exceptions_save(). The persistent copy retains the thread-local zend_class_entry pointer in dest->ce.

The exception should not hold a pointer to an object in another thread.

Co-Authored-By: Nicolas Grekas <nicolas.grekas@gmail.com>
@nicolas-grekas (Contributor)

Makes sense yes, thanks!

FTR, I'm working around the issue by starting my threads with ini_set('zend.exception_ignore_args', '1');

@realFlowControl realFlowControl merged commit 8f16ed2 into develop Mar 16, 2026
99 of 102 checks passed
@realFlowControl realFlowControl deleted the florian/fix-dangling-ce-ptr branch March 16, 2026 14:15
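
A simplified C model of the bug class named in the PR description above, added here as an illustration; it is not code from the parallel extension or from this commit. The structs and function names are hypothetical stand-ins for `zend_class_entry` and the persistent copy, and detaching by copying the class name by value is an assumed remedy, not taken from the merged change.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for zend_class_entry and a traced object. */
typedef struct { char name[32]; } class_entry;
typedef struct { class_entry *ce; char class_name[32]; } traced_object;

/* A class entry that lives on the throwing thread's heap. */
class_entry *thread_class_create(const char *name) {
    class_entry *ce = calloc(1, sizeof *ce);
    if (ce) strncpy(ce->name, name, sizeof ce->name - 1);
    return ce;
}

/* Before: the persistent copy keeps the thread-local pointer. */
traced_object *copy_keep_pointer(const traced_object *src) {
    traced_object *dest = calloc(1, sizeof *dest);
    if (dest) dest->ce = src->ce; /* dangles once the owning thread is gone */
    return dest;
}

/* After: copy what the consumer needs by value and drop the pointer. */
traced_object *copy_detached(const traced_object *src) {
    traced_object *dest = calloc(1, sizeof *dest);
    if (!dest) return NULL;
    if (src->ce)
        strncpy(dest->class_name, src->ce->name, sizeof dest->class_name - 1);
    dest->ce = NULL; /* nothing in the copy refers to the other thread */
    return dest;
}

/* Returns 1 if the detached copy is still usable after the class is freed. */
int detached_copy_survives_teardown(void) {
    class_entry *ce = thread_class_create("UserObject"); /* constructed sample */
    if (!ce) return 0;
    traced_object src = { ce, "" };
    traced_object *unsafe = copy_keep_pointer(&src);
    traced_object *safe = copy_detached(&src);
    int ok = unsafe && safe && unsafe->ce == ce && safe->ce == NULL;
    if (unsafe) unsafe->ce = NULL; /* never dereference it after the free below */
    free(ce);                      /* the owning thread shuts down */
    ok = ok && strcmp(safe->class_name, "UserObject") == 0;
    free(unsafe);
    free(safe);
    return ok;
}

int main(void) { return detached_copy_survives_teardown() ? 0 : 1; }
```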