Bug #26268 An overload()ed class with __set() and another object contained crashes PHP
Submitted: 2003-11-15 19:26 UTC Modified: 2004-04-13 12:47 UTC
From: l dot barnaba at openssl dot it Assigned:
Status: Wont fix Package: Class/Object related
PHP Version: 4CVS-2004-02-11 OS: *
Private report: No CVE-ID: None

 [2003-11-15 19:26 UTC] l dot barnaba at openssl dot it
If you have an overloaded class containing:
* The three __call(), __get() and __set() methods;
* An associated object instantiated in the constructor;
* A call to call_user_func() or call_user_func_array() on the newly created object;

PHP will crash with signal 11.

I have noticed that removing the __set() magic method makes all behave correctly, and also that not using auxiliary variables in the call_user_func_array() call makes things work, e.g. using:

    $obj = new Obj(); call_user_func_array(array(&$obj, $method), $params); $this->_obj = $obj;

instead of:

    $this->_obj = new Obj(); call_user_func_array(array(&$this->_obj, $method), $params);

However, at the end of execution of large scripts I get memory allocation errors in Unknown Line 0.

Configure line:
'./configure' '--enable-versioning' '--enable-memory-limit' '--with-layout=GNU' '--with-zlib-dir=/usr' '--disable-all' '--with-regex=php' '--with-pear' '--enable-ctype' '--enable-ftp' '--with-gd' '--enable-gd-native-ttf' '--enable-gd-jis-conv' '--with-freetype-dir=/usr/local' '--with-jpeg-dir=/usr/local' '--with-png-dir=/usr/local' '--enable-gd-lzw-gif' '--with-gmp=/usr/local' '--with-mcal=/usr/local' '--with-mcrypt=/usr/local' '--with-mhash=/usr/local' '--with-mime-magic=/usr/share/misc/magic.mime' '--with-mysql=/usr/local' '--with-openssl-dir=/usr' '--with-openssl=/usr' '--enable-overload' '--with-pcre-regex=yes' '--with-pdflib=/usr/local' '--enable-posix' '--enable-session' '--enable-sockets' '--with-sybase-ct=/usr/local' '--enable-sysvsem' '--enable-sysvshm' '--enable-tokenizer' '--enable-wddx' '--with-expat-dir=/usr/local' '--enable-xml' '--with-zip=/usr/local' '--with-zlib=yes' '--with-apxs=/usr/local/sbin/apxs' '--with-imap=/usr/local' '--with-imap-ssl=/usr/local' '--with-ncurses=/usr' '--prefix=/usr/local' 'i386-portbld-freebsd4.9'

Running under apache 1.3.28, with no special flags added, also using the -dist php.ini.

#0  0x81989ec in execute (op_array=0x82b8e24) at /usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute.c:2004
2004                                                    expr_ptr = *expr_ptr_ptr;
(gdb) bt
#0  0x81989ec in execute (op_array=0x82b8e24) at /usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute.c:2004
#1  0x817bdfc in call_user_function_ex (function_table=0x82c7418, object_pp=0xbfbfe21c, function_name=0x82c7330, retval_ptr_ptr=0xbfbfe220, param_count=0, params=0x82ca2a4, no_separation=0, 
    symbol_table=0x0) at /usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute_API.c:567
#2  0x80cd812 in overload_call_method (ht=0, return_value=0x82b7664, this_ptr=0x82b7fe4, return_value_used=1, property_reference=0xbfbfe37c)
    at /usr/ports/lang/php4-cli/work/php-4.3.4/ext/overload/overload.c:590
#3  0x8190230 in call_overloaded_function (T=0xbfbfe370, arg_count=0, return_value=0x82b7664) at /usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute.c:978
#4  0x819559b in execute (op_array=0x82b85a4) at /usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend_execute.c:1682
#5  0x81838ad in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/ports/lang/php4-cli/work/php-4.3.4/Zend/zend.c:884
#6  0x815c5f3 in php_execute_script (primary_file=0xbfbffb1c) at /usr/ports/lang/php4-cli/work/php-4.3.4/main/main.c:1729
#7  0x819c585 in main (argc=2, argv=0xbfbffb84) at /usr/ports/lang/php4-cli/work/php-4.3.4/sapi/cli/php_cli.c:819

Thanks if you fix this bug :>.

Reproduce code:
<?php
// Closing braces were lost in the page rendering and are restored here.
// The overload('Test') call is implied by the report title ("an overload()ed
// class"); without it the PHP 4 __call/__get/__set handlers are never used.
class Base {
    function Example() {
        print("Object instantiated\n");
    }
}

class Test {
    var $_obj;

    function Test() {
        // Member object created in the constructor, then invoked through
        // call_user_func() on $this->_obj: the combination the report says crashes.
        $this->_obj = new Base();
        call_user_func(array(&$this->_obj, 'Example'));
    }

    function __call($method, $params, &$return) { }
    function __get($property, &$value) { }
    function __set($property, $value) {
        $this->$property = $value;
        return true;
    }
}

overload('Test');
$t = new Test();
?>

Expected result:
"Object Instantiated"

Actual result:
PHP Crashes with signal 11.
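The auxiliary-variable workaround the reporter describes, written out as a complete PHP 4 script. This is an added example, not code from the report or from PHP itself; it reuses the Base/Test class names from the reproduce code and, as the title implies, assumes overload('Test') is what enables the magic methods.

```php
<?php
// Added example (not the reporter's code): the reported workaround applied
// to the reproduce script. Names Base/Test come from the report; overload()
// is the PHP 4 ext/overload function named in the bug title.

class Base {
    function Example() {
        print("Object instantiated\n");
    }
}

class Test {
    var $_obj;

    function Test() {
        // Workaround: build the member object in a local variable and invoke
        // the method on that local, then store it. The report says the direct
        // form call_user_func(array(&$this->_obj, ...)) is the one that dies
        // with signal 11 when __set() is also defined.
        $obj = new Base();
        call_user_func_array(array(&$obj, 'Example'), array());
        $this->_obj = $obj;
    }

    // Same handlers as in the report; __set() is the one that matters here.
    function __call($method, $params, &$return) { }
    function __get($property, &$value) { }
    function __set($property, $value) {
        $this->$property = $value;
        return true;
    }
}

overload('Test');
$t = new Test();   // expected to print "Object instantiated" instead of crashing
?>
```

Note the reporter also observed memory allocation errors at the end of large scripts even with this workaround, so it avoids the immediate crash rather than the underlying defect; the maintainers' answer below is that PHP 4 overload support will not be fixed.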


 [2003-11-25 04:22 UTC]
Just FYI: This works fine with PHP 5.

 [2004-03-31 03:38 UTC] ruust at lavtech dot ru
Same situation on PHP 4.3.3.
We cannot use PHP 5 on production server.
 [2004-04-13 12:47 UTC]
Overload support in PHP 4 is experimental at best and won't be touched anymore. (to get really working OO support, switch to PHP 5)

Last updated: Sat Sep 25 22:03:39 2021 UTC