From:             l dot barnaba at openssl dot it
Operating system: FreeBSD 4.9-STABLE
PHP version:      4.3.4
PHP Bug Type:     Reproducible crash
Bug description:  An overload()ed class with __set() and another object contained crashes PHP

Description:
------------
If you have an overloaded class containing:
* The three __call(), __get() and __set() methods;
* An associated object instantiated in the constructor;
* A call to call_user_func() or call_user_func_array() on the newly
created object;

PHP will crash with signal 11.

I have noticed that removing the __set() magic method makes all behave
correctly, and also not using auxiliary variables in the
call_user_func_array() call (e.g., using

    $obj = new Obj();
    call_user_func_array(array(&$obj, $method), $params);
    $this->_obj = $obj;

instead of

    $this->_obj = new Obj();
    call_user_func_array(array(&$this->_obj, $method), $params);

) makes things work, but at the end of execution of large scripts I get
memory allocation errors in Unknown Line 0.

Configure line:
'./configure' '--enable-versioning' '--enable-memory-limit'
'--with-layout=GNU' '--with-zlib-dir=/usr' '--disable-all'
'--with-regex=php' '--with-pear' '--enable-ctype' '--enable-ftp'
'--with-gd' '--enable-gd-native-ttf' '--enable-gd-jis-conv'
'--with-freetype-dir=/usr/local' '--with-jpeg-dir=/usr/local'
'--with-png-dir=/usr/local' '--enable-gd-lzw-gif' '--with-gmp=/usr/local'
'--with-mcal=/usr/local' '--with-mcrypt=/usr/local'
'--with-mhash=/usr/local' '--with-mime-magic=/usr/share/misc/magic.mime'
'--with-mysql=/usr/local' '--with-openssl-dir=/usr' '--with-openssl=/usr'
'--enable-overload' '--with-pcre-regex=yes' '--with-pdflib=/usr/local'
'--enable-posix' '--enable-session' '--enable-sockets'
'--with-sybase-ct=/usr/local' '--enable-sysvsem' '--enable-sysvshm'
'--enable-tokenizer' '--enable-wddx' '--with-expat-dir=/usr/local'
'--enable-xml' '--with-zip=/usr/local' '--with-zlib=yes'
'--with-apxs=/usr/local/sbin/apxs' '--with-imap=/usr/local'
'--with-imap-ssl=/usr/local' '--with-ncurses=/usr' '--prefix=/usr/local'
'i386-portbld-freebsd4.9'

Running under apache 1.3.28, with no special flags added, also using the
-dist php.ini.

Backtrace:
#0  0x81989ec in execute (op_array=0x82b8e24) at
/usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute.c:2004
2004                                                    expr_ptr =
*expr_ptr_ptr;
(gdb) bt
#0  0x81989ec in execute (op_array=0x82b8e24) at
/usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute.c:2004
#1  0x817bdfc in call_user_function_ex (function_table=0x82c7418,
object_pp=0xbfbfe21c, function_name=0x82c7330, retval_ptr_ptr=0xbfbfe220,
param_count=0, params=0x82ca2a4, no_separation=0, 
    symbol_table=0x0) at
/usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute_API.c:567
#2  0x80cd812 in overload_call_method (ht=0, return_value=0x82b7664,
this_ptr=0x82b7fe4, return_value_used=1, property_reference=0xbfbfe37c)
    at
/usr/ports/lang/php4-cli/work/php-4.3.4/ext/overload/overload.c:590
#3  0x8190230 in call_overloaded_function (T=0xbfbfe370, arg_count=0,
return_value=0x82b7664) at
/usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute.c:978
#4  0x819559b in execute (op_array=0x82b85a4) at
/usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute.c:1682
#5  0x81838ad in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend.c:884
#6  0x815c5f3 in php_execute_script (primary_file=0xbfbffb1c) at
/usr/ports/lang/php4-cli/work/php-4.3.4/main/main.c:1729
#7  0x819c585 in main (argc=2, argv=0xbfbffb84) at
/usr/ports/lang/php4-cli/work/php-4.3.4/sapi/cli/php_cli.c:819

Thanks if you fix this bug :>.


Reproduce code:
---------------
<?php
// Plain helper class; Example() is an ordinary method, not a constructor.
class Base
{
    function Example() {
        print("Object instantiated\n");
    }
}

// Overloaded class: holds a Base instance and invokes one of its methods
// through call_user_func() from inside its own constructor.
class Test
{
    var $_obj;

    function Test() {
        $this->_obj = new Base();
        call_user_func(array(&$this->_obj, 'Example'));
    }

    // Handler signatures expected by the PHP 4 ext/overload extension.
    function __call($method, $params, &$return) { }
    function __get($property, &$value) { }
    function __set($property, $value) {
        $this->$property = $value;
        return true;
    }
}

overload('Test');
$t = new Test();


Expected result:
----------------
"Object Instantiated"

Actual result:
--------------
PHP Crashes with signal 11.

-- 
Edit bug report at http://bugs.php.net/?id=26268&edit=1