PHP :: Bug #54372 :: Crash accessing global object itself returned from its _

Bug #54372	Crash accessing global object itself returned from its __get() handle
Submitted:	2011-03-24 16:48 UTC	Modified:	2011-04-07 15:39 UTC
From:	atorkhov at gmail dot com	Assigned:	dmitry (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.3SVN-2011-03-24 (snap)	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	atorkhov at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2011-03-24 16:48 UTC] atorkhov at gmail dot com

Description:
------------
PHP 5.2.17 crashes accessing object that is returned as $this from __get() handle (see code snapshot). If object is not global this code works fine.
PHP 5.2.10 did not crash in such situation.



Test script:
---------------
class test_class
{
    public function __get($name)
    {
        return $this;
    }

    public function b()
    {
        return;
    }
}

global $test3;
$test3 = new test_class();
$test3->a->b();


Expected result:
----------------
Nothing output.

Actual result:
--------------
Segmentation fault. Backtrace:

#0  zend_object_store_get_object (zobject=0x8da185c) at /home/alex/tmp/php-5.2.17/Zend/zend_objects_API.c:258
#1  0x082b08ac in zend_std_get_method (object_ptr=0xbfceb5a4, method_name=0x8da37f0 "b", method_len=1) at /home/alex/tmp/php-5.2.17/Zend/zend_object_handlers.c:801
#2  0x082bcf01 in ZEND_INIT_METHOD_CALL_SPEC_VAR_CONST_HANDLER (execute_data=0xbfceb580) at /home/alex/tmp/php-5.2.17/Zend/zend_vm_execute.h:9488
#3  0x082fea90 in execute (op_array=0x8da1d64) at /home/alex/tmp/php-5.2.17/Zend/zend_vm_execute.h:92
#4  0x082974c7 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/alex/tmp/php-5.2.17/Zend/zend.c:1134
#5  0x08256a94 in php_execute_script (primary_file=0xbfced940) at /home/alex/tmp/php-5.2.17/main/main.c:2036
#6  0x0830078c in main (argc=3, argv=0xbfceda74) at /home/alex/tmp/php-5.2.17/sapi/cli/php_cli.c:1165

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-03-24 16:50 UTC] pajoye@php.net

-Status: Open +Status: Feedback

[2011-03-24 16:50 UTC] pajoye@php.net

Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

[2011-03-24 17:14 UTC] atorkhov at gmail dot com

Crashes too with backtrace:

#0  zend_object_store_get_object (zobject=0x8e5621c) at /home/alex/tmp/php5.3-201103241530/Zend/zend_objects_API.c:269
#1  0x082b3ca1 in zend_std_get_method (object_ptr=0x8e85a78, method_name=0x8e581cc "b", method_len=1) at /home/alex/tmp/php5.3-201103241530/Zend/zend_object_handlers.c:842
#2  0x082d90c3 in ZEND_INIT_METHOD_CALL_SPEC_VAR_CONST_HANDLER (execute_data=0x8e85a60) at /home/alex/tmp/php5.3-201103241530/Zend/zend_vm_execute.h:10388
#3  0x082b7ab9 in execute (op_array=0x8e566a4) at /home/alex/tmp/php5.3-201103241530/Zend/zend_vm_execute.h:107
#4  0x082972b2 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/alex/tmp/php5.3-201103241530/Zend/zend.c:1194
#5  0x08245dc0 in php_execute_script (primary_file=0xbfc959f0) at /home/alex/tmp/php5.3-201103241530/main/main.c:2270
#6  0x0831a318 in main (argc=3, argv=0xbfc95b64) at /home/alex/tmp/php5.3-201103241530/sapi/cli/php_cli.c:1193

[2011-03-24 17:21 UTC] atorkhov at gmail dot com

-Status: Feedback +Status: Open -PHP Version: 5.2.17 +PHP Version: 5.3SVN-2011-03-24 (snap)

[2011-03-24 17:21 UTC] atorkhov at gmail dot com

(changing version in header)

[2011-03-24 22:25 UTC] felipe@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry

[2011-03-24 22:25 UTC] felipe@php.net

I can reproduce the issue using:
<?php
class test_class
{
    public function __get($name)
    {
        return $this;
    }
}

global $test3;
$test3 = new test_class();
var_dump($test3->a);
?>

Your test gives me 'Fatal error: Call to a member function b() on a non-object'.

[2011-03-25 14:32 UTC] atorkhov at gmail dot com

'Fatal error: Call to a member function b() on a non-object' is wrong behaviour either. Test should return nothing.

[2011-04-07 15:35 UTC] dmitry@php.net

Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=310009
Log: Fixed bug #54372 (Crash accessing global object itself returned from its __get() handle)

[2011-04-07 15:39 UTC] dmitry@php.net

-Status: Assigned +Status: Closed

[2011-04-07 15:39 UTC] dmitry@php.net

fixed in php-trunk and php-5.3

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Dec 03 17:01:29 2024 UTC