From:             malterisio777 at gmail dot com
Operating system: Windows XP
PHP version:      5.2.4
PHP Bug Type:     Class/Object related
Bug description:  Storing $this in a static var fails while handling a cast to string

Description:
------------
If $this is assigned to a static var while handling a cast to string
inside the magic function __toString(), on return of this function the
static variable points to the string representation rather than the
object.

It has also been reported on the internals mailing list that this can
even cause a seg-fault. I haven't experienced this problem.

Another user reported this error message:

    ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'unknown')

Another user has provided a backtrace when a segfault occurred:

#0  0x000000000087a3b9 in zend_mm_check_ptr (heap=0xe20710, ptr=0x7fffa5cd22c8, silent=0x1, __zend_filename=0xbf3e40 "/usr/src/php5/Zend/zend_variables.c", __zend_lineno=0xaf, __zend_orig_filename=0xbf2830 "/usr/src/php5/Zend/zend_execute.h", __zend_orig_lineno=0x46) at /usr/src/php5/Zend/zend_alloc.c:1264
#1  0x000000000087bdc8 in _zend_mm_free_int (heap=0xe20710, p=0x7fffa5cd22c8, __zend_filename=0xbf3e40 "/usr/src/php5/Zend/zend_variables.c", __zend_lineno=0xaf, __zend_orig_filename=0xbf2830 "/usr/src/php5/Zend/zend_execute.h", __zend_orig_lineno=0x46) at /usr/src/php5/Zend/zend_alloc.c:1895
#2  0x000000000087d4b5 in _efree (ptr=0x7fffa5cd22c8, __zend_filename=0xbf3e40 "/usr/src/php5/Zend/zend_variables.c", __zend_lineno=0xaf, __zend_orig_filename=0xbf2830 "/usr/src/php5/Zend/zend_execute.h", __zend_orig_lineno=0x46) at /usr/src/php5/Zend/zend_alloc.c:2263
#3  0x000000000088c248 in safe_free_zval_ptr_rel (p=0x7fffa5cd22c8, __zend_filename=0xbf3e40 "/usr/src/php5/Zend/zend_variables.c", __zend_lineno=0xaf, __zend_orig_filename=0xbf2798 "/usr/src/php5/Zend/zend_execute_API.c", __zend_orig_lineno=0x19f) at zend_execute.h:70
#4  0x000000000088c1cd in _zval_ptr_dtor (zval_ptr=0x10d04d0, __zend_filename=0xbf3e40 "/usr/src/php5/Zend/zend_variables.c", __zend_lineno=0xaf) at /usr/src/php5/Zend/zend_execute_API.c:415
#5  0x000000000089b0e1 in _zval_ptr_dtor_wrapper (zval_ptr=0x10d04d0) at /usr/src/php5/Zend/zend_variables.c:175
#6  0x00000000008aa9fa in zend_hash_destroy (ht=0x10cfed8) at /usr/src/php5/Zend/zend_hash.c:526
#7  0x0000000000891865 in destroy_zend_class (pce=0x10f9cb8) at /usr/src/php5/Zend/zend_opcode.c:182
#8  0x00000000008aada8 in zend_hash_apply_deleter (ht=0xe21040, p=0x10f9ca0) at /usr/src/php5/Zend/zend_hash.c:611
#9  0x00000000008ab3de in zend_hash_reverse_apply (ht=0xe21040, apply_func=0x88b75b <clean_non_persistent_class>) at /usr/src/php5/Zend/zend_hash.c:760
#10 0x000000000088be10 in shutdown_executor () at /usr/src/php5/Zend/zend_execute_API.c:291
#11 0x000000000089c755 in zend_deactivate () at /usr/src/php5/Zend/zend.c:860
#12 0x0000000000843392 in php_request_shutdown (dummy=0x0) at /usr/src/php5/main/main.c:1463
#13 0x00000000009206de in main (argc=0x2, argv=0x7fffa5cd4cd8) at /usr/src/php5/sapi/cli/php_cli.c:1332

Reproduce code:
---------------
<?php
class Foo
{
    static public $foo;

    function __toString()
    {
        self::$foo = $this;
        return 'foo';
    }
}

$foo = (string)new Foo();
var_dump(Foo::$foo);
?>

Expected result:
----------------
object(Foo)#1 (0) {
}

Actual result:
--------------
string(3) "foo"

-- 
Edit bug report at http://bugs.php.net/?id=42772&edit=1