Bug #39819 Using $this not in object context can cause segfaults
Submitted: 2006-12-13 16:21 UTC Modified: 2007-01-09 17:19 UTC
Votes:5
Avg. Score:3.6 ± 0.8
Reproduced:4 of 4 (100.0%)
Same Version:3 (75.0%)
Same OS:2 (50.0%)
From: matteo at beccati dot com Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 4.4.4 OS: NetBSD
Private report: No CVE-ID: None
 [2006-12-13 16:21 UTC] matteo at beccati dot com
Description:
------------
Using $this outside of an object context does not raise a fatal error on PHP 4.4.4 (it does on PHP 5.2.0). Subsequent static method calls emit a warning or, if a custom error handler is set, the process exits with SIGSEGV.

The bug was also reproduced on Linux and on previous versions (4.4.3, 4.3.11).



Reproduce code:
---------------
http://beccati.com/php-this-bug.phps

Expected result:
----------------
Calling Foo::bar(): BAR
Setting $this->test = 1

Fatal error: Using $this when not in object context in /www/- on line 22


Actual result:
--------------
Calling Foo::bar(): BAR
Setting $this->test = 1
Calling Foo::bar():
Warning: Problem with method call - please report this bug in /tmp/php-this-bug.phps on line 25
BAR
Setting a custom error handler
Calling Foo::bar(): Segmentation fault (core dumped)


-- Backtrace --

#0  0x081fa452 in zval_add_ref (p=0x846cb30)
    at /root/compile/php-4.4.4/Zend/zend_variables.c:85
No locals.
#1  0x0820224c in zend_hash_copy (target=0x846ca24, source=0x846c124,
    pCopyConstructor=0x81fa44a <zval_add_ref>, tmp=0xbfbfcbcc, size=4)
    at /root/compile/php-4.4.4/Zend/zend_hash.c:804
        p = (Bucket *) 0x846c324
        new_entry = (void *) 0x846cb30
#2  0x081fa5b1 in _zval_copy_ctor (zvalue=0x8469c64,
    __zend_filename=0x8395ca0 "/root/compile/php-4.4.4/Zend/zend_builtin_functions.c", __zend_lineno=246) at /root/compile/php-4.4.4/Zend/zend_variables.c:125
        tmp = (zval *) 0x82047fd
        original_ht = (HashTable *) 0x846c124
        tmp_ht = (HashTable *) 0x846ca24
        tmp = (zval *) 0x846ca24
        original_ht = (HashTable *) 0x846c124
        tmp_ht = (HashTable *) 0x8c
#3  0x08204841 in zif_func_get_args (ht=0, return_value=0x8469ae4,
    this_ptr=0x0, return_value_used=1)
    at /root/compile/php-4.4.4/Zend/zend_builtin_functions.c:246
        element = (zval *) 0x8469c64
        p = (void **) 0x845d240
        arg_count = 5
        i = 4
#4  0x0820fd46 in execute (op_array=0x846c080)
    at /root/compile/php-4.4.4/Zend/zend_execute.c:1675
        original_return_value = (zval **) 0x846b21c
        return_value_used = 1
        execute_data = {opline = 0x846b204, function_state = {
    function_symbol_table = 0x0, function = 0x83f3280, reserved = {0x8200292,
      0x8, 0x4, 0x8395720}}, fbc = 0x0, ce = 0x0, object = {ptr = 0x0},
  Ts = 0xbfbfcc20, original_in_execution = 1 '\001', op_array = 0x846c080,
  prev_execute_data = 0xbfbfcf30}
#5  0x081f21bd in call_user_function_ex (function_table=0x83f0040,
    object_pp=0x0, function_name=0x84699a4, retval_ptr_ptr=0xbfbfd010,
    param_count=5, params=0x8469aa4, no_separation=1, symbol_table=0x0)
    at /root/compile/php-4.4.4/Zend/zend_execute_API.c:570
        i = 5
        original_return_value = (zval **) 0xbfbfd2bc
        calling_symbol_table = (HashTable *) 0x846c124
        original_function_state_ptr = <incomplete type>
        original_op_array = (zend_op_array *) 0x84629a4
        original_opline_ptr = <incomplete type>
        orig_free_op1 = 0
        orig_free_op2 = 0
        orig_unary_op = <incomplete type>
        orig_binary_op = <incomplete type>
        function_name_copy = {value = {lval = 138844900,
    dval = 2.7654543777738803e-313, str = {val = 0x8469ae4 "??F\b", len = 13},
    ht = 0x8469ae4, obj = {ce = 0x8469ae4, properties = 0xd}},
  type = 3 '\003', is_ref = 0 '\0', refcount = 1}
        execute_data = {opline = 0x0, function_state = {
    function_symbol_table = 0x40, function = 0x846c080, reserved = {
      0xbd6d7713, 0x40, 0x83d7554, 0x4}}, fbc = 0x0, ce = 0x0, object = {
    ptr = 0x0}, Ts = 0x0, original_in_execution = 36 '$', op_array = 0x0,
  prev_execute_data = 0xbfbfd240}
#6  0x081fbe2d in zend_error (type=2,
    format=0x83968e0 "Problem with method call - please report this bug")
    at /root/compile/php-4.4.4/Zend/zend.c:846
        args = 0xbfbfd038 "\001"
        usr_copy = 0xbfbfd038 "\001"
        params = (zval ***) 0x8469aa4
        retval = (zval *) 0x0
        z_error_type = (zval *) 0x8469924
        z_error_message = (zval *) 0x84698e4
        z_error_filename = (zval *) 0x8469964
        z_error_lineno = (zval *) 0x8469a24
        z_context = (zval *) 0x8469a64
        error_filename = 0x8460f64 "/tmp/php-this-bug.phps"
        error_lineno = 31
        orig_user_error_handler = (zval *) 0x84699a4
#7  0x0820ff13 in execute (op_array=0x84629a4)
    at /root/compile/php-4.4.4/Zend/zend_execute.c:1710
        this_ptr = (zval **) 0x846c330
        null_ptr = (zval *) 0x0
        calling_symbol_table = (HashTable *) 0x83ee7cc
        original_return_value = (zval **) 0x846c1b0
        return_value_used = 0
        execute_data = {opline = 0x8468420, function_state = {
    function_symbol_table = 0x846c124, function = 0x8462e24, reserved = {0x0,
      0x0, 0xbfbfe8dc, 0x0}}, fbc = 0x8462e24, ce = 0x8462e80, object = {
    ptr = 0x8460b64}, Ts = 0xbfbfd040, original_in_execution = 0 '\0',
  op_array = 0x84629a4, prev_execute_data = 0x0}
#8  0x081fc14b in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /root/compile/php-4.4.4/Zend/zend.c:934
        files = 0xbfbfd2f4 ""
        i = 1
        file_handle = <incomplete type>
        orig_op_array = (zend_op_array *) 0x0
        local_retval = (zval *) 0x0
#9  0x081c34a1 in php_execute_script (primary_file=0xbfbfe8dc)
    at /root/compile/php-4.4.4/main/main.c:1752
        orig_bailout = {136409924, 138247356, -1077942308, -1077941980,
  137986052, -1077941880, 0, 0, 0, 0, 0, 0, 0}
        orig_bailout_set = 1 '\001'
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
  handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
  handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
        old_cwd = 0xbfbfd300 ""
        old_primary_file_path = 0xbfbfea5b "php-this-bug.phps"
        retval = 0
#10 0x08217aec in main (argc=2, argv=0xbfbfe988)
    at /root/compile/php-4.4.4/sapi/cli/php_cli.c:832
        orig_bailout = {0 <repeats 13 times>}
        orig_bailout_set = 0 '\0'
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002',
  filename = 0xbfbfe310 "/tmp/php-this-bug.phps", opened_path = 0x0, handle = {
    fd = -1116784864, fp = 0xbd6f3720}, free_filename = 0 '\0'}
        behavior = 1
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0xbfbfea5b "php-this-bug.phps"
        arg_excp = (char **) 0xbfbfe98c
        script_file = 0xbfbfea5b "php-this-bug.phps"
        global_vars = {head = 0x0, tail = 0x0, size = 4, count = 0, dtor = 0,
  persistent = 0 '\0', traverse_ptr = 0xbd6fa0c0}
        interactive = 0
        module_started = 1
        lineno = 1
        exec_direct = 0x0
        param_error = 0x0
        hide_argv = 0
#11 0x08071046 in ___start ()



 [2006-12-13 16:23 UTC] matteo at beccati dot com
Sorry, Firefox replaced the bug summary :(
 [2007-01-09 17:19 UTC] dmitry@php.net
Fixed in PHP_4_4.
 