Bug #36376 Segfault when using clone '$this>test2' notation in __clone method
Submitted: 2006-02-13 11:01 UTC Modified: 2006-02-13 16:59 UTC
From: jaco at welnet dot nl Assigned: dmitry (profile)
Status: Not a bug Package: Reproducible crash
PHP Version: 5.1.2 OS: CentOS 4.2
Private report: No CVE-ID: None
 [2006-02-13 11:01 UTC] jaco at welnet dot nl
Description:
------------
PHP segfaults when there is code like '$this->object = clone $this>object' in the __clone method. Note the '>' syntax, which is faulty of course but produces the segfault.

tested with latest cvs:
PHP 5.1.3-dev (cli) (built: Feb 13 2006 10:52:02)


Reproduce code:
---------------
class test2 {}

class test {
	public $test2;
	
	public function __construct() {
		$this->test2 = new test2();
	}
	
	public function __clone() {
		$test2 = clone $this>test2;
	}
}

$test = new test();
$test2 = clone $test; 

Expected result:
----------------
Notice: Use of undefined constant test2 - assumed 'test2' in FILE on line XX

Notice: Object of class test could not be converted to int in FILE on line XX


Actual result:
--------------
[Mon Feb 13 10:38:40 2006] [notice] child pid 12798 exit signal Segmentation fault (11)


 [2006-02-13 11:11 UTC] derick@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.
 [2006-02-13 11:52 UTC] jaco at welnet dot nl
backtrace from latest cvs cli version:

(gdb) bt
#0  0x00979f1f in _int_malloc () from /lib/tls/libc.so.6
#1  0x0097bf81 in malloc () from /lib/tls/libc.so.6
#2  0x08204a69 in _emalloc (size=10745888, __zend_filename=0xfffffff0 <Address 0xfffffff0 out of bounds>,
    __zend_lineno=904, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/php5.1-200602130930/Zend/zend_alloc.c:182
#3  0x0820f848 in zend_call_function (fci=0xbf4001d0, fci_cache=0xbf4001b0)
    at /usr/src/php5.1-200602130930/Zend/zend_execute_API.c:904
#4  0x0822aa1b in zend_call_method (object_pp=0xbf400250, obj_ce=0x99d01a4, fn_proxy=0x99d02ac,
    function_name=0x82a885a "__clone", function_name_len=7, retval_ptr_ptr=0x0, param_count=88, arg1=0x0, arg2=0x0)
    at /usr/src/php5.1-200602130930/Zend/zend_interfaces.c:88
#5  0x0822ed8e in zend_objects_clone_members (new_object=0xa30dadc, new_obj_val={handle = 0, handlers = 0xbf400250},
    old_object=0xa30d804, handle=13367) at /usr/src/php5.1-200602130930/Zend/zend_objects.c:152
#6  0x0822ee2f in zend_objects_clone_obj (zobject=0x58) at /usr/src/php5.1-200602130930/Zend/zend_objects.c:173
#7  0x0824724a in ZEND_CLONE_SPEC_VAR_HANDLER (execute_data=0xbf4003a0)
    at /usr/src/php5.1-200602130930/Zend/zend_vm_execute.h:7198
#8  0x08234785 in execute (op_array=0x99d096c) at /usr/src/php5.1-200602130930/Zend/zend_vm_execute.h:92
#9  0x0820f1fc in zend_call_function (fci=0xbf4004f0, fci_cache=0xbf4004d0)
    at /usr/src/php5.1-200602130930/Zend/zend_execute_API.c:913
#10 0x0822aa1b in zend_call_method (object_pp=0xbf400570, obj_ce=0x99d01a4, fn_proxy=0x99d02ac,
    function_name=0x82a885a "__clone", function_name_len=7, retval_ptr_ptr=0x0, param_count=88, arg1=0x0, arg2=0x0)
    at /usr/src/php5.1-200602130930/Zend/zend_interfaces.c:88
#11 0x0822ed8e in zend_objects_clone_members (new_object=0xa30d804, new_obj_val={handle = 0, handlers = 0xbf400570},
    old_object=0xa30d52c, handle=13366) at /usr/src/php5.1-200602130930/Zend/zend_objects.c:152
#12 0x0822ee2f in zend_objects_clone_obj (zobject=0x58) at /usr/src/php5.1-200602130930/Zend/zend_objects.c:173
#13 0x0824724a in ZEND_CLONE_SPEC_VAR_HANDLER (execute_data=0xbf4006c0)
    at /usr/src/php5.1-200602130930/Zend/zend_vm_execute.h:7198
#14 0x08234785 in execute (op_array=0x99d096c) at /usr/src/php5.1-200602130930/Zend/zend_vm_execute.h:92
#15 0x0820f1fc in zend_call_function (fci=0xbf400810, fci_cache=0xbf4007f0)
    at /usr/src/php5.1-200602130930/Zend/zend_execute_API.c:913
#16 0x0822aa1b in zend_call_method (object_pp=0xbf400890, obj_ce=0x99d01a4, fn_proxy=0x99d02ac,
    function_name=0x82a885a "__clone", function_name_len=7, retval_ptr_ptr=0x0, param_count=88, arg1=0x0, arg2=0x0)
    at /usr/src/php5.1-200602130930/Zend/zend_interfaces.c:88
#17 0x0822ed8e in zend_objects_clone_members (new_object=0xa30d52c, new_obj_val={handle = 0, handlers = 0xbf400890},
    old_object=0xa30d254, handle=13365) at /usr/src/php5.1-200602130930/Zend/zend_objects.c:152

---
These are the last 17 frames (?) of the backtrace. Is this enough or do you need more?
 [2006-02-13 13:51 UTC] tony2001@php.net
Assigned to Dmitry, he'll take a look at it.
 [2006-02-13 16:59 UTC] dmitry@php.net
This is not a bug.

Note that you have a typo inside the __clone() method. You wrote "clone $this>test2", but probably meant "clone $this->test2". So you do recursive calls to clone, and PHP crashes because of stack overflow.

You can do the same with a simpler script, without clone :)

<?php
function foo() {
  foo();
}
foo();
?>
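
The recursion described in the last comment, as an added example that is not part of the original report or of PHP's own code: clone binds tighter than ">", so the typo clones $this again inside __clone(). The class names, the depth counter and the MAX_DEPTH cap are assumptions made here so the script terminates, and a quoted 'inner' stands in for the bare word that the report expected PHP 5.1 to treat as a string.

```php
<?php
// Added illustration, not code from the bug report. Class names and the
// depth cap are hypothetical; the cap exists only so the demo terminates.
class Inner {}

class Buggy {
    const MAX_DEPTH = 5;
    public static $depth = 0;
    public $inner;

    public function __construct() { $this->inner = new Inner(); }

    public function __clone() {
        if (++self::$depth >= self::MAX_DEPTH) {
            return; // stop here; the code in the report had no such guard
        }
        // Typo pattern from the report: ">" where "->" was meant.
        // clone binds tighter than ">", so this is (clone $this) > 'inner':
        // the whole object is cloned again and __clone() is re-entered.
        $copy = clone $this>'inner';
    }
}

class Fixed {
    public static $depth = 0;
    public $inner;

    public function __construct() { $this->inner = new Inner(); }

    public function __clone() {
        self::$depth++;
        // Intended form: deep-copy the property, no re-entry into __clone().
        $this->inner = clone $this->inner;
    }
}

// Clone one instance of $class and report how often __clone() was entered.
function cloneDepth($class) {
    $class::$depth = 0;
    $original = new $class();
    $copy = clone $original;
    return $class::$depth;
}

printf("Buggy::__clone entered %d time(s)\n", cloneDepth('Buggy'));
printf("Fixed::__clone entered %d time(s)\n", cloneDepth('Fixed'));
```

The Buggy count stops only at the cap, while the Fixed count shows a single entry; without the cap the nesting continues until the process stack is exhausted, which is the repeating frame pattern in the backtrace above.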
 