Description:
------------
If you have an overloaded class containing:
* The three __call(), __get() and __set() methods;
* An associated object instantiated in the constructor;
* A call to call_user_func() or call_user_func_array() on the newly created object;

PHP will crash with signal 11.

I have noticed that removing the __set() magic method makes all behave correctly, and also not using auxiliary variables in the call_user_func_array() call (e.g, using:
$obj = new Obj(); call_user_func_array(array(&$obj, $method), $params); $this->_obj = $obj; instead of:
$this->_obj = new Obj(); call_user_func_array(array(&$this->_obj, $method), $params); makes things work, but at the end of execution of large scripts I get memory allocation errors in Unknown Line 0.

Configure line:
'./configure' '--enable-versioning' '--enable-memory-limit' '--with-layout=GNU' '--with-zlib-dir=/usr' '--disable-all' '--with-regex=php' '--with-pear' '--enable-ctype' '--enable-ftp' '--with-gd' '--enable-gd-native-ttf' '--enable-gd-jis-conv' '--with-freetype-dir=/usr/local' '--with-jpeg-dir=/usr/local' '--with-png-dir=/usr/local' '--enable-gd-lzw-gif' '--with-gmp=/usr/local' '--with-mcal=/usr/local' '--with-mcrypt=/usr/local' '--with-mhash=/usr/local' '--with-mime-magic=/usr/share/misc/magic.mime' '--with-mysql=/usr/local' '--with-openssl-dir=/usr' '--with-openssl=/usr' '--enable-overload' '--with-pcre-regex=yes' '--with-pdflib=/usr/local' '--enable-posix' '--enable-session' '--enable-sockets' '--with-sybase-ct=/usr/local' '--enable-sysvsem' '--enable-sysvshm' '--enable-tokenizer' '--enable-wddx' '--with-expat-dir=/usr/local' '--enable-xml' '--with-zip=/usr/local' '--with-zlib=yes' '--with-apxs=/usr/local/sbin/apxs' '--with-imap=/usr/local' '--with-imap-ssl=/usr/local' '--with-ncurses=/usr' '--prefix=/usr/local' 'i386-portbld-freebsd4.9'

Running under apache 1.3.28, with no special flags added, also using the -dist php.ini.

Backtrace:
#0  0x81989ec in execute (op_array=0x82b8e24) at /usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute.c:2004
2004                                                    expr_ptr = *expr_ptr_ptr;
(gdb) bt
#0  0x81989ec in execute (op_array=0x82b8e24) at /usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute.c:2004
#1  0x817bdfc in call_user_function_ex (function_table=0x82c7418, object_pp=0xbfbfe21c, function_name=0x82c7330, retval_ptr_ptr=0xbfbfe220, param_count=0, params=0x82ca2a4, no_separation=0, 
    symbol_table=0x0) at /usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute_API.c:567
#2  0x80cd812 in overload_call_method (ht=0, return_value=0x82b7664, this_ptr=0x82b7fe4, return_value_used=1, property_reference=0xbfbfe37c)
    at /usr/ports/lang/php4-cli/work/php-4.3.4/ext/overload/overload.c:590
#3  0x8190230 in call_overloaded_function (T=0xbfbfe370, arg_count=0, return_value=0x82b7664) at /usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute.c:978
#4  0x819559b in execute (op_array=0x82b85a4) at /usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute.c:1682
#5  0x81838ad in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend.c:884
#6  0x815c5f3 in php_execute_script (primary_file=0xbfbffb1c) at /usr/ports/lang/php4-cli/work/php-4.3.4/main/main.c:1729
#7  0x819c585 in main (argc=2, argv=0xbfbffb84) at /usr/ports/lang/php4-cli/work/php-4.3.4/sapi/cli/php_cli.c:819

Thanks if you fix this bug :>.


Reproduce code:
---------------
class Base
{
    function Example() {
        print("Object instantiated\n");
    }
}

class Test
{
    var $_obj;

    function Test() {
        $this->_obj = new Base();
        call_user_func(array(&$this->_obj, 'Example'));
    }

    function __call($method, $params, &$return) { }
    function __get($property, &$value) { }
    function __set($property, $value) {
        $this->$property = $value;
        return true;
    }
}

overload('Test');
$t = new Test();


Expected result:
----------------
"Object Instantiated"

Actual result:
--------------
PHP Crashes with signal 11.