Bug #33966 wrong use of reflectionproperty causes a segfault
Submitted: 2005-08-02 14:23 UTC
Modified: 2005-09-17 01:53 UTC
From:
Assigned: helly
Status: Closed
Package: Class/Object related
PHP Version: 5CVS-2005-08-02
OS: *
Private report: No
CVE-ID:
 [2005-08-02 14:23 UTC]
When (ab)using the ReflectionProperty class' methods as static, it segfaults.

Reproduce code:
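<?php
class Base
{
    public $x = 1;

    function __get($name)
    {
        // Instance method called statically from inside an object context:
        // the engine hands it Base's $this instead of a ReflectionProperty.
        if ( !ReflectionProperty::isPublic() ) {
            /* throw error */
        }
    }
}

$b = new Base();
echo $b->foo; // undefined property, so __get() runs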

Actual result:
0x083c2bdb in _property_check_flag (ht=0, return_value=0x878cfd4,
    return_value_ptr=0x0, this_ptr=0x878c714, return_value_used=1, mask=256)
    at /dat/dev/php/php-5.1dev/Zend/zend_reflection_api.c:3359
3359            RETURN_BOOL(ref->prop->flags & mask);
(gdb) bt
#0  0x083c2bdb in _property_check_flag (ht=0, return_value=0x878cfd4,
    return_value_ptr=0x0, this_ptr=0x878c714, return_value_used=1, mask=256)
    at /dat/dev/php/php-5.1dev/Zend/zend_reflection_api.c:3359
#1  0x083c2c24 in zif_reflection_property_isPublic (ht=0,
    return_value=0x878cfd4, return_value_ptr=0x0, this_ptr=0x878c714,
    at /dat/dev/php/php-5.1dev/Zend/zend_reflection_api.c:3366
#2  0x083c6309 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffd090)
    at zend_vm_execute.h:184
#3  0x083c692d in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfffd090)
    at zend_vm_execute.h:299
#4  0x083c5f8a in execute (op_array=0x878dd34) at zend_vm_execute.h:87
#5  0x0838edc6 in zend_call_function (fci=0xbfffd260, fci_cache=0xbfffd220)
    at /dat/dev/php/php-5.1dev/Zend/zend_execute_API.c:871
#6  0x083aee9d in zend_call_method (object_pp=0xbfffd2f0, obj_ce=0x878c36c,
    fn_proxy=0x878c44c, function_name=0x85cfd54 "__get", function_name_len=5,
    retval_ptr_ptr=0xbfffd2e4, param_count=1, arg1=0x878cea4, arg2=0x0)
    at /dat/dev/php/php-5.1dev/Zend/zend_interfaces.c:87
#7  0x083b4e26 in zend_std_call_getter (object=0x878c714, member=0x878cea4)
    at /dat/dev/php/php-5.1dev/Zend/zend_object_handlers.c:72
#8  0x083b576e in zend_std_read_property (object=0x878c714, member=0x878b148,
    type=0) at /dat/dev/php/php-5.1dev/Zend/zend_object_handlers.c:305
#9  0x083ff3f9 in zend_fetch_property_address_read_helper_SPEC_CV_CONST (
    type=0, execute_data=0xbfffd440) at zend_vm_execute.h:20491
    execute_data=0xbfffd440) at zend_vm_execute.h:20513
#11 0x083c5f8a in execute (op_array=0x8786de4) at zend_vm_execute.h:87
#12 0x0839b2fb in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /dat/dev/php/php-5.1dev/Zend/zend.c:1087
#13 0x08350fc4 in php_execute_script (primary_file=0xbffff8b0)
    at /dat/dev/php/php-5.1dev/main/main.c:1672
#14 0x0841325c in main (argc=1, argv=0xbffff994)
    at /dat/dev/php/php-5.1dev/sapi/cli/php_cli.c:1039
(gdb) print *ref
Cannot access memory at address 0x2a8fcc84


 [2005-08-02 20:52 UTC]
This happens because METHOD_NOTSTATIC just checks this_ptr presence and doesn't check its class entry.
So I'd propose this patch:
 [2005-09-17 01:53 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
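
The guard weakness described in the 20:52 comment, as an added example (not the patch proposed in this report and not PHP's own code): a small C model of a method that trusts any non-NULL this_ptr next to one that first checks the object's class entry. All struct, function and constant names are hypothetical; only the mask value 256 is taken from the backtrace.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for engine structures; every name here is hypothetical. */
typedef struct class_entry {
    const char *name;
    const struct class_entry *parent;
} class_entry;

typedef struct object {
    const class_entry *ce;  /* class the object was instantiated from */
    void *intern;           /* per-class private data, meaningful only for that class */
} object;

typedef struct property_ref { unsigned flags; } property_ref;
#define ACC_PUBLIC 0x100    /* mask=256 in the backtrace */

/* Constructed sample objects: a real reflector, a subclass of it, and a Base instance. */
static const class_entry reflection_property_ce = { "ReflectionProperty", NULL };
static const class_entry child_ce = { "MyProperty", &reflection_property_ce };
static const class_entry base_ce = { "Base", NULL };
static property_ref sample_ref = { ACC_PUBLIC };
static const object reflector = { &reflection_property_ce, &sample_ref };
static const object child_obj = { &child_ce, &sample_ref };
static const object base_obj = { &base_ce, NULL };  /* $this inside Base::__get */

/* Weak guard: any non-NULL object passes, whatever its class. */
static int guard_presence_only(const object *this_ptr) {
    return this_ptr != NULL;
}

/* Hardened guard: this_ptr must be an instance of `expected` or of a subclass. */
static int guard_instanceof(const object *this_ptr, const class_entry *expected) {
    if (this_ptr == NULL) return 0;
    for (const class_entry *ce = this_ptr->ce; ce != NULL; ce = ce->parent)
        if (ce == expected) return 1;
    return 0;
}

/* Returns 1 or 0 for the flag test, -1 when the call is rejected by the guard. */
static int is_public(const object *this_ptr) {
    if (!guard_instanceof(this_ptr, &reflection_property_ce)) return -1;
    const property_ref *ref = this_ptr->intern;  /* safe: class was verified */
    return (ref->flags & ACC_PUBLIC) != 0;
}

int main(void) {
    printf("presence-only guard accepts Base: %d\n", guard_presence_only(&base_obj));
    printf("is_public(Base object):           %d\n", is_public(&base_obj));
    printf("is_public(reflector):             %d\n", is_public(&reflector));
    return 0;
}
```

With only the presence check, the Base object would reach the `ref->flags` dereference with private data that is not a property_ref, which corresponds to the faulting line 3359 in the backtrace.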
