php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77339 __callStatic may get incorrect arguments
Submitted: 2018-12-23 02:02 UTC Modified: 2018-12-23 14:21 UTC
From: php at zsxsoft dot com Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 7.3.0 OS: macOS 10.14.2
Private report: No CVE-ID: None
 [2018-12-23 02:02 UTC] php at zsxsoft dot com
Description:
------------
This only happened in PHP 7.3.

Test script followed. $arguments should be ['getSomeWhat'], but __callStatic get [?] here.

I checked *myht->arData, $arguments[0] got a wrong type.

The normal one, you can see type = 0x6:

    (_zval_struct::(anonymous union)) u1 = {
      (_zval_struct::(anonymous struct)) v = {
        (zend_uchar) type = '\x06'
        (zend_uchar) type_flags = '\x01'
        (_zval_struct::(anonymous union)) u = {
          (uint16_t) call_info = 0
          (uint16_t) extra = 0
        }
      }
      (uint32_t) type_info = 262
    }

(lldb) fr v --show-types *myht->arData->val.value.str
(zend_string) *myht->arData->val.value.str = {
  (zend_refcounted_h) gc = {
    (uint32_t) refcount = 1
    (_zend_refcounted_h::(anonymous union)) u = {
      (uint32_t) type_info = 6
    }
  }
  (zend_ulong) h = 0
  (size_t) len = 6
  (char [1]) val = "aaazzz"
}

The __callStatic's argument, you can see data is normal but type is not initialized.

    (_zval_struct::(anonymous union)) u1 = {
      (_zval_struct::(anonymous struct)) v = {
        (zend_uchar) type = '\0'
        (zend_uchar) type_flags = '\0'
        (_zval_struct::(anonymous union)) u = {
          (uint16_t) call_info = 0
          (uint16_t) extra = 0
        }
      }
      (uint32_t) type_info = 0
    }
    (_zval_struct::(anonymous union)) u2 = {
      (uint32_t) next = 4294967295
      (uint32_t) cache_slot = 4294967295
      (uint32_t) opline_num = 4294967295
      (uint32_t) lineno = 4294967295
      (uint32_t) num_args = 4294967295
      (uint32_t) fe_pos = 4294967295
      (uint32_t) fe_iter_idx = 4294967295
      (uint32_t) access_flags = 4294967295
      (uint32_t) property_guard = 4294967295
      (uint32_t) constant_flags = 4294967295
      (uint32_t) extra = 4294967295
    }


Test script:
---------------
<?php
class Foo
{
    static function __callStatic($name, $arguments) {
        if ($name === 'get') {
            if (!isset($arguments[0])) {
                var_dump(['getSomeWhat']);
                var_dump($arguments);
                exit;
            }
        } 
        echo 'OK';
    }

    protected function get ($key) {
        // BUG!!!
    }
}

class Bar
{
    static function __callStatic($name, $arguments) {
        echo Foo::get('getSomeWhat');
    }
}

Bar::someUndefinedStaticFunction();

Expected result:
----------------
OK

Actual result:
--------------
array(1) {
  [0]=>
  string(11) "getSomeWhat"
}
array(1) {
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-12-23 14:20 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: Class/Object related +Package: Scripting Engine problem -Assigned To: +Assigned To: dmitry
 [2018-12-23 14:20 UTC] cmb@php.net
This regression is caused by commit d1d1aff[1].  Dmitry, could you
please have a look at this issue?

[1] <http://git.php.net/?p=php-src.git;a=commit;h=d1d1aff4e54a014d3d3693fe4505517226402eea>
 [2018-12-23 14:21 UTC] cmb@php.net
For reference: <https://3v4l.org/4ZQNJ>.
 [2018-12-24 10:25 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7e597f48e9fda982e930e4f617d2b2d98d8878a5
Log: Fixed bug #77339 (__callStatic may get incorrect arguments)
 [2018-12-24 10:25 UTC] dmitry@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 15:01:29 2024 UTC