php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #39445 Calling debug_backtrace() in the __toString() function produces a crash
Submitted: 2006-11-09 10:54 UTC Modified: 2006-11-15 16:06 UTC
From: daan at parse dot nl Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 5.2.0 OS: Slackware 10.2
Private report: No CVE-ID:
 [2006-11-09 10:54 UTC] daan at parse dot nl
Description:
------------
Calling debug_backtrace() in an __toString() function produces a crash, but only when the __toString() function is triggered by a native php string function.


Reproduce code:
---------------
<?php
class test
{
	public function __toString()
	{
		debug_backtrace();
		return 'lowercase';
	}
}

	$test = new test();
	echo strtoupper($test);
?>

Expected result:
----------------
An echoed "LOWERCASE"

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 28346)]
zend_objects_store_del_ref_by_handle (handle=1089634572)
   at /usr/src/php-5.2.0/Zend/zend_objects_API.c:187
187             if (EG(objects_store).object_buckets[handle].valid) {
(gdb) bt
#0  zend_objects_store_del_ref_by_handle (handle=1089634572)
   at /usr/src/php-5.2.0/Zend/zend_objects_API.c:187
#1  0x40656015 in zend_objects_store_del_ref (zobject=0x40f27e10)
   at /usr/src/php-5.2.0/Zend/zend_objects_API.c:165
#2  0x40636a52 in _convert_to_string (op=0x40f27e10)
   at /usr/src/php-5.2.0/Zend/zend_variables.h:35
#3  0x405c8b79 in zif_strtoupper (ht=1, return_value=0x40f27df8,
   return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
   at /usr/src/php-5.2.0/ext/standard/string.c:1132
#4  0x40658d64 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffb260)
   at /usr/src/php-5.2.0/Zend/zend_vm_execute.h:200
#5  0x40658499 in execute (op_array=0x40f24184)
   at /usr/src/php-5.2.0/Zend/zend_vm_execute.h:92
#6  0x4063ec0c in zend_execute_scripts (type=8, retval=0x0, file_count=3)
   at /usr/src/php-5.2.0/Zend/zend.c:1097
#7  0x40604e3a in php_execute_script (primary_file=0xbfffd5c0)
   at /usr/src/php-5.2.0/main/main.c:1758
#8  0x406bf8d2 in apache_php_module_main (r=0x80cb5bc, display_source_mode=0)
   at /usr/src/php-5.2.0/sapi/apache/sapi_apache.c:53
#9  0x406c02e6 in send_php (r=0x80cb5bc, display_source_mode=0, filename=0x0)
   at /usr/src/php-5.2.0/sapi/apache/mod_php5.c:660
#10 0x406c04f6 in send_parsed_php (r=0x80cb5bc)
   at /usr/src/php-5.2.0/sapi/apache/mod_php5.c:675
#11 0x08053ff7 in ap_invoke_handler ()
#12 0x08069039 in process_request_internal ()
#13 0x08069098 in ap_process_request ()
#14 0x080600ba in child_main ()
#15 0x08060262 in make_child ()
#16 0x080603c8 in startup_children ()
#17 0x08060a88 in standalone_main ()
#18 0x080612a6 in main ()


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-11-09 17:57 UTC] iliaa@php.net
This patch seems to fix the problem:
http://bb.prohost.org/patch/ze.txt

But I am not 100% certain of its validity.
 [2006-11-15 16:06 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_2.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 17:01:54 2014 UTC