Bug #45467 Invoking dynamic method name within class segfaults
Submitted: 2008-07-09 13:28 UTC    Modified: 2008-08-11 21:58 UTC
Votes: 1
Avg. Score: 4.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: thijs dot wijnmaalen at gmail dot com    Assigned:
Status: Not a bug    Package: Scripting Engine problem
PHP Version: 5.2CVS, 5.3CVS (2008-07-09)    OS: *
Private report: No    CVE-ID: None
 [2008-07-09 13:28 UTC] thijs dot wijnmaalen at gmail dot com
Description:
------------
When accessing a method within or from another class, where the name
is stored as a value in an array attribute of the class.

The proper way of doing this would be to enclose the method name in 
brackets (which works as expected):

return $this->{$this->_[0]}();




Reproduce code:
---------------
<?php

class A {
	private $_ = array();
	function __toString () {
		$this->_[0] = 'a';
		// Intentionally unbraced: PHP binds "$this->$this" first, so $this is
		// cast to string and __toString() is re-entered before _[0] is read.
		return $this->$this->_[0]();
	}
	
	function a () {
		return 'call';
	}
}

// echo casts the object to string, which is what triggers __toString().
echo $a = new A();

?>

Expected result:
----------------
Syntax error message

Actual result:
--------------
Empty reply from server

 [2008-07-10 10:27 UTC] jani@php.net
It actually crashes, here's the relevant part from valgrind:

==1178== Process terminating with default action of signal 11 (SIGSEGV)
==1178==  Access not within mapped region at address 0xBE1A0FFC
==1178==    at 0x823AF25: zend_get_property_info (zend_object_handlers.c:179)
==1178== Stack overflow in thread 1: can't grow stack to 0xBE1A0FF8

And this is the gdb output (relevant parts):

execute (op_array=0x8aad87c) at /home/jani/src/php-5.2/Zend/zend_vm_execute.h:53
53              memset(EX(CVs), 0, sizeof(zval**) * op_array->last_var);

The full backtrace is a bit too long to paste here.

 [2008-08-11 20:29 UTC] lbarnaud@php.net
> return $this->$this->_[0]();

Here PHP will try to read the property $this->$this. So it will try to convert $this to a string, which will call __toString(), etc., and it crashes.

This is basically the same as the following code:
<?php
class A {
	function __toString() {
		// (string)$this calls __toString() again: unbounded recursion.
		return (string)$this;
	}
}
echo $a = new A;
?>

 [2008-08-11 21:58 UTC] johannes@php.net
Which is infinite recursion, which is known to segfault (see other reports).
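The parse described in the two comments above, shown side by side with the braced form the reporter mentions, as an added example that is not part of the bug report or of PHP's own code. The class, property and method names are made up for illustration; it assumes PHP 8 (uniform variable syntax, typed properties, and throwing from __toString() being permitted). The re-entrancy flag turns the unbounded recursion into a catchable LogicException instead of letting the engine exhaust its stack:

```php
<?php
// Added example, not from the bug report. Names below are hypothetical.

class Dispatcher
{
    private array $methods = ['greet'];   // method name stored in an array property
    private bool $inToString = false;     // re-entrancy guard for __toString()

    public function greet(): string
    {
        return 'call';
    }

    // Correct form: the braces make the whole expression the property name,
    // so $this->methods[0] is evaluated first and then called as a method.
    public function viaBraces(): string
    {
        return $this->{$this->methods[0]}();
    }

    // Equivalent without braces: resolve the name into a plain variable first.
    public function viaTemp(): string
    {
        $name = $this->methods[0];
        return $this->$name();
    }

    // The form from the bug report. PHP reads this left to right as
    // (($this->$this)->methods)[0](): the property name is $this itself,
    // so the object is cast to string and __toString() runs again.
    public function viaBugForm(): string
    {
        return $this->$this->methods[0]();
    }

    public function __toString(): string
    {
        if ($this->inToString) {
            // Second entry means the bug form re-triggered the cast: stop here
            // with an exception rather than recursing until the stack overflows.
            throw new LogicException('__toString() re-entered: infinite recursion');
        }
        $this->inToString = true;
        try {
            return $this->viaBugForm();
        } finally {
            $this->inToString = false;
        }
    }
}

// Runs all three forms and reports what each produced.
function demo(): array
{
    $d = new Dispatcher();
    $out = [
        'braces' => $d->viaBraces(),   // 'call'
        'temp'   => $d->viaTemp(),     // 'call'
    ];
    try {
        $out['bugform'] = (string) $d;
    } catch (LogicException $e) {
        $out['bugform'] = 'caught: ' . $e->getMessage();
    }
    return $out;
}

print_r(demo());
```

Without the guard, the `(string) $d` cast recurses until the interpreter's C stack is exhausted, which is the SIGSEGV in jani's valgrind output. PHP 8.3 added the `zend.max_allowed_stack_size` INI setting, which makes the engine throw an Error before the native stack overflows; on older versions the guard pattern above is the only in-script defence.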
 