Bug #39819 Using $this not in object context can cause segfaults
Submitted: 2006-12-13 16:21 UTC Modified: 2007-01-09 17:19 UTC
Votes:5
Avg. Score:3.6 ± 0.8
Reproduced:4 of 4 (100.0%)
Same Version:3 (75.0%)
Same OS:2 (50.0%)
From: matteo at beccati dot com Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 4.4.4 OS: NetBSD
Private report: No CVE-ID: None

 

 [2006-12-13 16:21 UTC] matteo at beccati dot com
Description:
------------
Using $this outside of an object context doesn't throw a fatal error (it does on PHP 5.2.0). Subsequent static method calls then raise a warning or, if a custom error handler is set, exit with SIGSEGV.

The bug was also reproduced on Linux and on previous versions (4.4.3, 4.3.11).



Reproduce code:
---------------
http://beccati.com/php-this-bug.phps

Expected result:
----------------
Calling Foo::bar(): BAR
Setting $this->test = 1

Fatal error: Using $this when not in object context in /www/- on line 22


Actual result:
--------------
Calling Foo::bar(): BAR
Setting $this->test = 1
Calling Foo::bar():
Warning: Problem with method call - please report this bug in /tmp/php-this-bug.phps on line 25
BAR
Setting a custom error handler
Calling Foo::bar(): Segmentation fault (core dumped)


-- Backtrace --

#0  0x081fa452 in zval_add_ref (p=0x846cb30)
    at /root/compile/php-4.4.4/Zend/zend_variables.c:85
No locals.
#1  0x0820224c in zend_hash_copy (target=0x846ca24, source=0x846c124,
    pCopyConstructor=0x81fa44a <zval_add_ref>, tmp=0xbfbfcbcc, size=4)
    at /root/compile/php-4.4.4/Zend/zend_hash.c:804
        p = (Bucket *) 0x846c324
        new_entry = (void *) 0x846cb30
#2  0x081fa5b1 in _zval_copy_ctor (zvalue=0x8469c64,
    __zend_filename=0x8395ca0 "/root/compile/php-4.4.4/Zend/zend_builtin_functions.c", __zend_lineno=246) at /root/compile/php-4.4.4/Zend/zend_variables.c:125
        tmp = (zval *) 0x82047fd
        original_ht = (HashTable *) 0x846c124
        tmp_ht = (HashTable *) 0x846ca24
        tmp = (zval *) 0x846ca24
        original_ht = (HashTable *) 0x846c124
        tmp_ht = (HashTable *) 0x8c
#3  0x08204841 in zif_func_get_args (ht=0, return_value=0x8469ae4,
    this_ptr=0x0, return_value_used=1)
    at /root/compile/php-4.4.4/Zend/zend_builtin_functions.c:246
        element = (zval *) 0x8469c64
        p = (void **) 0x845d240
        arg_count = 5
        i = 4
#4  0x0820fd46 in execute (op_array=0x846c080)
    at /root/compile/php-4.4.4/Zend/zend_execute.c:1675
        original_return_value = (zval **) 0x846b21c
        return_value_used = 1
        execute_data = {opline = 0x846b204, function_state = {
    function_symbol_table = 0x0, function = 0x83f3280, reserved = {0x8200292,
      0x8, 0x4, 0x8395720}}, fbc = 0x0, ce = 0x0, object = {ptr = 0x0},
  Ts = 0xbfbfcc20, original_in_execution = 1 '\001', op_array = 0x846c080,
  prev_execute_data = 0xbfbfcf30}
#5  0x081f21bd in call_user_function_ex (function_table=0x83f0040,
    object_pp=0x0, function_name=0x84699a4, retval_ptr_ptr=0xbfbfd010,
    param_count=5, params=0x8469aa4, no_separation=1, symbol_table=0x0)
    at /root/compile/php-4.4.4/Zend/zend_execute_API.c:570
        i = 5
        original_return_value = (zval **) 0xbfbfd2bc
        calling_symbol_table = (HashTable *) 0x846c124
        original_function_state_ptr = <incomplete type>
        original_op_array = (zend_op_array *) 0x84629a4
        original_opline_ptr = <incomplete type>
        orig_free_op1 = 0
        orig_free_op2 = 0
        orig_unary_op = <incomplete type>
        orig_binary_op = <incomplete type>
        function_name_copy = {value = {lval = 138844900,
    dval = 2.7654543777738803e-313, str = {val = 0x8469ae4 "??F\b", len = 13},
    ht = 0x8469ae4, obj = {ce = 0x8469ae4, properties = 0xd}},
  type = 3 '\003', is_ref = 0 '\0', refcount = 1}
        execute_data = {opline = 0x0, function_state = {
    function_symbol_table = 0x40, function = 0x846c080, reserved = {
      0xbd6d7713, 0x40, 0x83d7554, 0x4}}, fbc = 0x0, ce = 0x0, object = {
    ptr = 0x0}, Ts = 0x0, original_in_execution = 36 '$', op_array = 0x0,
  prev_execute_data = 0xbfbfd240}
#6  0x081fbe2d in zend_error (type=2,
    format=0x83968e0 "Problem with method call - please report this bug")
    at /root/compile/php-4.4.4/Zend/zend.c:846
        args = 0xbfbfd038 "\001"
        usr_copy = 0xbfbfd038 "\001"
        params = (zval ***) 0x8469aa4
        retval = (zval *) 0x0
        z_error_type = (zval *) 0x8469924
        z_error_message = (zval *) 0x84698e4
        z_error_filename = (zval *) 0x8469964
        z_error_lineno = (zval *) 0x8469a24
        z_context = (zval *) 0x8469a64
        error_filename = 0x8460f64 "/tmp/php-this-bug.phps"
        error_lineno = 31
        orig_user_error_handler = (zval *) 0x84699a4
#7  0x0820ff13 in execute (op_array=0x84629a4)
    at /root/compile/php-4.4.4/Zend/zend_execute.c:1710
        this_ptr = (zval **) 0x846c330
        null_ptr = (zval *) 0x0
        calling_symbol_table = (HashTable *) 0x83ee7cc
        original_return_value = (zval **) 0x846c1b0
        return_value_used = 0
        execute_data = {opline = 0x8468420, function_state = {
    function_symbol_table = 0x846c124, function = 0x8462e24, reserved = {0x0,
      0x0, 0xbfbfe8dc, 0x0}}, fbc = 0x8462e24, ce = 0x8462e80, object = {
    ptr = 0x8460b64}, Ts = 0xbfbfd040, original_in_execution = 0 '\0',
  op_array = 0x84629a4, prev_execute_data = 0x0}
#8  0x081fc14b in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /root/compile/php-4.4.4/Zend/zend.c:934
        files = 0xbfbfd2f4 ""
        i = 1
        file_handle = <incomplete type>
        orig_op_array = (zend_op_array *) 0x0
        local_retval = (zval *) 0x0
#9  0x081c34a1 in php_execute_script (primary_file=0xbfbfe8dc)
    at /root/compile/php-4.4.4/main/main.c:1752
        orig_bailout = {136409924, 138247356, -1077942308, -1077941980,
  137986052, -1077941880, 0, 0, 0, 0, 0, 0, 0}
        orig_bailout_set = 1 '\001'
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
  handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
  handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
        old_cwd = 0xbfbfd300 ""
        old_primary_file_path = 0xbfbfea5b "php-this-bug.phps"
        retval = 0
#10 0x08217aec in main (argc=2, argv=0xbfbfe988)
    at /root/compile/php-4.4.4/sapi/cli/php_cli.c:832
        orig_bailout = {0 <repeats 13 times>}
        orig_bailout_set = 0 '\0'
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002',
  filename = 0xbfbfe310 "/tmp/php-this-bug.phps", opened_path = 0x0, handle = {
    fd = -1116784864, fp = 0xbd6f3720}, free_filename = 0 '\0'}
        behavior = 1
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0xbfbfea5b "php-this-bug.phps"
        arg_excp = (char **) 0xbfbfe98c
        script_file = 0xbfbfea5b "php-this-bug.phps"
        global_vars = {head = 0x0, tail = 0x0, size = 4, count = 0, dtor = 0,
  persistent = 0 '\0', traverse_ptr = 0xbd6fa0c0}
        interactive = 0
        module_started = 1
        lineno = 1
        exec_direct = 0x0
        param_error = 0x0
        hide_argv = 0
#11 0x08071046 in ___start ()



 [2006-12-13 16:23 UTC] matteo at beccati dot com
Sorry, Firefox replaced the bug summary :(
 [2007-01-09 17:19 UTC] dmitry@php.net
Fixed in PHP_4_4.
 