Bug #36234 segfault when testing property of an overloaded class in a switch statement
Submitted: 2006-01-31 18:22 UTC Modified: 2006-04-11 17:23 UTC
From: matt dot flaherty at hildebrand dot co dot uk Assigned:
Status: Wont fix Package: Reproducible crash
PHP Version: 4.4.2 OS: SUSE LINUX 10.0 (i586)
Private report: No CVE-ID: None
 [2006-01-31 18:22 UTC] matt dot flaherty at hildebrand dot co dot uk
Description:
------------
Apologies in advance if this turns out to be user error, but it seems odd to me. A segmentation fault occurs when evaluating in a switch statement an instance property of an overloaded class which has a __get() method. It does not matter whether the evaluated property is native to the instance or overloaded. Also, native and overloaded properties on an overloaded class instance don't like to be passed by reference.

If you change the switch statements to cast the argument to (string), as in "switch ((string)$decorator->bar) {" (a memory copy), then the expected result occurs. If you leave either of the switch statements alone there is a crash. Interestingly, with both of the switch statements "fixed" and the block uncommented that calls function reverse_me, the output looks like this:

----%<----
I can see that the value of bar is 'bar' and the value of myVar is 'mine'.
I've tested === and that worked okay.
So did ==.
subst function is okay too.

Fatal error: Only variables can be passed by reference in /srv/www/htdocs/seagull/www/crash.php on line 54
----%<----

This is a native property on the instance so I can't understand why passing by reference is bad. Turning off overloading produces the expected result there, which is this:

----%<----
I can see that the value of bar is '' and the value of myVar is 'mine'.
I've tested === and that worked okay.
So did ==.
subst function is okay too.
Just passed by myVar by reference and reversed the string. The value is now enim
I am not expecting a switch statemtent on bar to segfault.
Switch says the value of bar is not 'bar'. It's 'baz'.

I am not expecting a switch statemtent on myVar to segfault.
Switch says the value of myVar is not 'mine'. It's 'yours'.
----%<----

I have observed this behaviour in php 4.4.0 and 4.4.2. Very strange.

Reproduce code:
---------------
http://www.jellybee.co.uk/overload_fault.txt

Expected result:
----------------
I can see that the value of bar is 'bar' and the value of myVar is 'mine'.
I've tested === and that worked okay.
So did ==.
subst function is okay too.
I am not expecting a switch statemtent on bar to segfault.
Switch says the value of bar is not 'bar'. It's 'baz'.

I am not expecting a switch statemtent on myVar to segfault.
Switch says the value of myVar is not 'mine'. It's 'yours'.

Actual result:
--------------
Last few lines of Apache2 strace...

open("/srv/www/htdocs/seagull/www/crash.php", O_RDONLY) = 35
fstat64(35, {st_mode=S_IFREG|0644, st_size=2110, ...}) = 0
fstat64(35, {st_mode=S_IFREG|0644, st_size=2110, ...}) = 0
lseek(35, 0, SEEK_CUR)                  = 0
lseek(35, 0, SEEK_SET)                  = 0
read(35, "<?php\nclass Decorator_Foo {\n    "..., 8192) = 2110
brk(0x8045f000)                         = 0x8045f000
read(35, "", 8192)                      = 0
close(35)                               = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
chdir("/srv/www")                       = 0
rt_sigaction(SIGSEGV, {SIG_DFL}, {SIG_DFL}, 8) = 0
kill(18058, SIGSEGV)                    = 0
sigreturn()                             = ? (mask now [])
--- SIGSEGV (Segmentation fault) @ 0 (0) ---


 [2006-01-31 18:30 UTC] matt dot flaherty at hildebrand dot co dot uk
Almost forgot. PHP is configured in the standard way for this distro:
./configure  --prefix=/usr --datadir=/usr/share/php --mandir=/usr/share/man --bindir=/usr/bin --libdir=/usr/share --includedir=/usr/include --sysconfdir=/etc --with-_lib=lib --with-config-file-path=/etc --with-exec-dir=/usr/lib/php/bin --disable-debug --enable-inline-optimization --enable-memory-limit --enable-magic-quotes --enable-safe-mode --enable-sigchild --disable-ctype --disable-session --without-mysql --disable-cli --without-pear --with-openssl --with-apxs2=/usr/sbin/apxs2-prefork i586-suse-linux
 [2006-01-31 23:51 UTC] judas dot iscariote at gmail dot com
Program received signal SIGSEGV, Segmentation fault.
0x0000000000417258 in overload_get_property (property_reference=0x7fffffe61af8)
    at /home/cristian/php-src/ext/overload/overload.c:363
363                     if (Z_TYPE_P(overloaded_property) == OE_IS_OBJECT) {
(gdb) bt
#0  0x0000000000417258 in overload_get_property (property_reference=0x7fffffe61af8)
    at /home/cristian/php-src/ext/overload/overload.c:363
#1  0x00000000004e9c01 in get_overloaded_property (T=0x7fffffe61ae0) at /home/cristian/php-src/Zend/zend_execute.c:970
#2  0x00000000004e8327 in _get_zval_ptr (node=0x6a6bd0, Ts=0x7fffffe614c0, should_free=0x649c10)
    at /home/cristian/php-src/Zend/zend_execute.c:93
#3  0x00000000004f2503 in zend_switch_free (opline=0x6a6ba8, Ts=0x7fffffe614c0)
    at /home/cristian/php-src/Zend/zend_execute.c:236
#4  0x00000000004efe54 in execute (op_array=0x6978d0) at /home/cristian/php-src/Zend/zend_execute.c:2053
#5  0x00000000004d5cf5 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/cristian/php-src/Zend/zend.c:934
#6  0x0000000000498774 in php_execute_script (primary_file=0x7fffffe64750) at /home/cristian/php-src/main/main.c:1753
#7  0x00000000004f50eb in main (argc=2, argv=0x7fffffe648b8) at /home/cristian/php-src/sapi/cli/php_cli.c:830

./sapi/cli/php -v
PHP 4.4.3-dev (cli) (built: Jan 31 2006 19:48:51) (DEBUG)
 [2006-02-11 13:19 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.1-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.1-win32-latest.zip


 [2006-02-13 15:53 UTC] matt dot flaherty at hildebrand dot co dot uk
Thank you for this. I'm aware that the OO implementation in PHP5 is very different and I intend to use 5 for any serious OO development from now on. However, there is a project I'm working on which requires PHP 4 and needs a drop-in replacement for the PEAR DB libraries within a third-party framework. As support for PHP 4 is still a going concern I decided to raise this ticket. Since posting this bug report, I have also encountered the same problem in PHP 4.3.11. Thank you again for your response.
 [2006-02-13 19:38 UTC] andrei@php.net
I am not maintaining this anymore.
 [2006-04-11 17:23 UTC] sniper@php.net
As there is no maintainer and any serious OO stuff should be done with 5.1 anyway -> wont fix. (there are more important things to fix than hacks like this)
 
Last updated: Tue Apr 20 10:01:23 2021 UTC