Bug #42772 Storing $this in a static var fails while handling a cast to string
Submitted: 2007-09-27 00:40 UTC Modified: 2007-10-03 08:03 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:0 (0.0%)
From: malterisio777 at gmail dot com Assigned: dmitry
Status: Closed Package: Class/Object related
PHP Version: 5.2.4 OS: Windows XP
Private report: No CVE-ID:
 [2007-09-27 00:40 UTC] malterisio777 at gmail dot com
Description:
------------
If $this is assigned to a static var while handling a cast to string inside the magic function __toString(), on return of this function the static variable points to the string representation rather than the object.

It has also been reported on the internals mailing list that this can even cause a seg-fault. I haven't experienced this problem. Another user reported this error message:

ALERT - canary mismatch on efree() - heap overflow detected
(attacker 'REMOTE_ADDR not set', file 'unknown')

Another user has provided a backtrace when a segfault occurred:

#0  0x000000000087a3b9 in zend_mm_check_ptr (heap=0xe20710,
ptr=0x7fffa5cd22c8, silent=0x1, __zend_filename=0xbf3e40
"/usr/src/php5/Zend/zend_variables.c", __zend_lineno=0xaf,
__zend_orig_filename=0xbf2830 "/usr/src/php5/Zend/zend_execute.h",
__zend_orig_lineno=0x46) at /usr/src/php5/Zend/zend_alloc.c:1264
#1  0x000000000087bdc8 in _zend_mm_free_int (heap=0xe20710,
p=0x7fffa5cd22c8, __zend_filename=0xbf3e40
"/usr/src/php5/Zend/zend_variables.c", __zend_lineno=0xaf,
__zend_orig_filename=0xbf2830 "/usr/src/php5/Zend/zend_execute.h",
__zend_orig_lineno=0x46) at /usr/src/php5/Zend/zend_alloc.c:1895
#2  0x000000000087d4b5 in _efree (ptr=0x7fffa5cd22c8,
__zend_filename=0xbf3e40 "/usr/src/php5/Zend/zend_variables.c",
__zend_lineno=0xaf, __zend_orig_filename=0xbf2830
"/usr/src/php5/Zend/zend_execute.h", __zend_orig_lineno=0x46) at
/usr/src/php5/Zend/zend_alloc.c:2263
#3  0x000000000088c248 in safe_free_zval_ptr_rel (p=0x7fffa5cd22c8,
__zend_filename=0xbf3e40 "/usr/src/php5/Zend/zend_variables.c",
__zend_lineno=0xaf, __zend_orig_filename=0xbf2798
"/usr/src/php5/Zend/zend_execute_API.c", __zend_orig_lineno=0x19f) at
zend_execute.h:70
#4  0x000000000088c1cd in _zval_ptr_dtor (zval_ptr=0x10d04d0,
__zend_filename=0xbf3e40 "/usr/src/php5/Zend/zend_variables.c",
__zend_lineno=0xaf) at /usr/src/php5/Zend/zend_execute_API.c:415
#5  0x000000000089b0e1 in _zval_ptr_dtor_wrapper (zval_ptr=0x10d04d0) at
/usr/src/php5/Zend/zend_variables.c:175
#6  0x00000000008aa9fa in zend_hash_destroy (ht=0x10cfed8) at
/usr/src/php5/Zend/zend_hash.c:526
#7  0x0000000000891865 in destroy_zend_class (pce=0x10f9cb8) at
/usr/src/php5/Zend/zend_opcode.c:182
#8  0x00000000008aada8 in zend_hash_apply_deleter (ht=0xe21040,
p=0x10f9ca0) at /usr/src/php5/Zend/zend_hash.c:611
#9  0x00000000008ab3de in zend_hash_reverse_apply (ht=0xe21040,
apply_func=0x88b75b <clean_non_persistent_class>) at
/usr/src/php5/Zend/zend_hash.c:760
#10 0x000000000088be10 in shutdown_executor () at
/usr/src/php5/Zend/zend_execute_API.c:291
#11 0x000000000089c755 in zend_deactivate () at
/usr/src/php5/Zend/zend.c:860
#12 0x0000000000843392 in php_request_shutdown (dummy=0x0) at
/usr/src/php5/main/main.c:1463
#13 0x00000000009206de in main (argc=0x2, argv=0x7fffa5cd4cd8) at
/usr/src/php5/sapi/cli/php_cli.c:1332

Reproduce code:
---------------
<?php
class Foo {
    static public $foo;
    
    function __toString() {
        self::$foo = $this;
        return 'foo';
    }
}

$foo = (string)new Foo();
var_dump(Foo::$foo);
?>


Expected result:
----------------
object(Foo)#1 (0) {
}

Actual result:
--------------
string(3) "foo"
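As an added regression check (not part of the report or of PHP's own test suite), the script below wraps the reproduce case into a function that reports whether the engine keeps the object in the static property after the cast; the names `Foo::$captured`, `Foo::$hashInside` and `bug42772_is_fixed()` are chosen here, and `spl_object_hash()` is assumed available (PHP 5.2.0 and later).

```php
<?php
// Added regression check for PHP bug #42772; not part of the original report.
// An affected engine leaves Foo::$captured holding the string produced by the
// cast instead of the object; a fixed engine keeps the object.
class Foo {
    public static $captured;    // receives $this from inside __toString()
    public static $hashInside;  // identity of $this recorded during the cast

    public function __toString() {
        self::$captured   = $this;
        self::$hashInside = spl_object_hash($this);
        return 'foo';
    }
}

// Returns true when the engine behaves correctly: the static property still
// references the very object whose __toString() ran during the cast.
function bug42772_is_fixed() {
    Foo::$captured   = null;
    Foo::$hashInside = null;
    $s = (string)new Foo();   // the cast that triggers the bug
    if ($s !== 'foo') {
        return false;         // the cast result itself is wrong
    }
    if (!is_object(Foo::$captured)) {
        return false;         // affected build: static now holds string(3) "foo"
    }
    return spl_object_hash(Foo::$captured) === Foo::$hashInside;
}

if (bug42772_is_fixed()) {
    echo "bug #42772: not reproducible on PHP ", PHP_VERSION, "\n";
} else {
    echo "bug #42772: reproduced on PHP ", PHP_VERSION,
         " (static holds ", gettype(Foo::$captured), ")\n";
    exit(1);
}
```

On an affected build the non-zero exit status is the signal to rely on, since the process may still abort during request shutdown (as the backtraces in this report show) after the message is printed.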

 [2007-09-27 03:02 UTC] judas dot iscariote at gmail dot com
To reproduce the crash easily, export USE_ZEND_ALLOC=0 and execute the test case mentioned above.

/home/cristian/php5/sapi/cli/php tostr.php
[Thread debugging using libthread_db enabled]
[New Thread 47730662784256 (LWP 31643)]
string(3) "foo"

*** glibc detected *** /home/cristian/php5/sapi/cli/php: double free or corruption (out): 0x00007fff83114260 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2b6928e418fe]
/lib64/libc.so.6(cfree+0x76)[0x2b6928e42f36]
/home/cristian/php5/sapi/cli/php(_efree+0x3a)[0x6f7fe2]
/home/cristian/php5/sapi/cli/php[0x7085e8]
/home/cristian/php5/sapi/cli/php(_zval_ptr_dtor+0x69)[0x708560]
/home/cristian/php5/sapi/cli/php(_zval_ptr_dtor_wrapper+0x21)[0x718228]
/home/cristian/php5/sapi/cli/php(zend_hash_destroy+0x70)[0x728a5d]
/home/cristian/php5/sapi/cli/php(destroy_zend_class+0x86)[0x70e3cf]
/home/cristian/php5/sapi/cli/php[0x728e23]
/home/cristian/php5/sapi/cli/php(zend_hash_reverse_apply+0xac)[0x729478]
/home/cristian/php5/sapi/cli/php(shutdown_executor+0x332)[0x708089]
/home/cristian/php5/sapi/cli/php(zend_deactivate+0x82)[0x719b99]
/home/cristian/php5/sapi/cli/php(php_request_shutdown+0x2d6)[0x6b93a7]
/home/cristian/php5/sapi/cli/php(main+0x1981)[0x7a28de]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x2b6928df2ae4]
/home/cristian/php5/sapi/cli/php[0x44aa29]
======= Memory map: ========
Program received signal SIGABRT, Aborted.
[Switching to Thread 47730662784256 (LWP 31643)]
0x00002b6928e05535 in raise () from /lib64/libc.so.6


(gdb) bt full
#0  0x00002b6928e05535 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00002b6928e06990 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00002b6928e3c6db in __libc_message () from /lib64/libc.so.6
No symbol table info available.
#3  0x00002b6928e418fe in malloc_printerr () from /lib64/libc.so.6
No symbol table info available.
#4  0x00002b6928e42f36 in free () from /lib64/libc.so.6
No symbol table info available.
#5  0x00000000006f7fe2 in _efree (ptr=0x7fff83114260, __zend_filename=0x851a00 "/home/cristian/php5/Zend/zend_variables.c", __zend_lineno=175,
    __zend_orig_filename=0x8509a8 "/home/cristian/php5/Zend/zend_execute.h", __zend_orig_lineno=70) at /home/cristian/php5/Zend/zend_alloc.c:2260
No locals.
#6  0x00000000007085e8 in safe_free_zval_ptr_rel (p=0x7fff83114260, __zend_filename=0x851a00 "/home/cristian/php5/Zend/zend_variables.c", __zend_lineno=175,
    __zend_orig_filename=0x8508f8 "/home/cristian/php5/Zend/zend_execute_API.c", __zend_orig_lineno=415) at /home/cristian/php5/Zend/zend_execute.h:70
No locals.
#7  0x0000000000708560 in _zval_ptr_dtor (zval_ptr=0xdbe208, __zend_filename=0x851a00 "/home/cristian/php5/Zend/zend_variables.c", __zend_lineno=175)
    at /home/cristian/php5/Zend/zend_execute_API.c:415
No locals.
#8  0x0000000000718228 in _zval_ptr_dtor_wrapper (zval_ptr=0xdbe208) at /home/cristian/php5/Zend/zend_variables.c:175
No locals.
#9  0x0000000000728a5d in zend_hash_destroy (ht=0xdbde98) at /home/cristian/php5/Zend/zend_hash.c:526
        p = (Bucket *) 0x0
        q = (Bucket *) 0xdbe1f0
#10 0x000000000070e3cf in destroy_zend_class (pce=0xdbea78) at /home/cristian/php5/Zend/zend_opcode.c:182
        ce = (zend_class_entry *) 0xdbdd90
#11 0x0000000000728e23 in zend_hash_apply_deleter (ht=0xaf7bc0, p=0xdbea60) at /home/cristian/php5/Zend/zend_hash.c:611
        retval = (Bucket *) 0x100852c48
#12 0x0000000000729478 in zend_hash_reverse_apply (ht=0xaf7bc0, apply_func=0x70775b <clean_non_persistent_class>) at /home/cristian/php5/Zend/zend_hash.c:760
        result = 1
        p = (Bucket *) 0xc6df90
        q = (Bucket *) 0xdbea60
#13 0x0000000000708089 in shutdown_executor () at /home/cristian/php5/Zend/zend_execute_API.c:291
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {47730638117856, -69113092759423093, 0, 140735392345040, 0, 0, -69113092759423349, -69231859290084026}, __mask_was_saved = 0, __saved_mask = {
      __val = {14413536, 127264, 47730660551008, 14413648, 127152, 0, 47730657603043, 1, 0, 1, 47730660551008, 140735392343344, 0, 140735392345040, 0, 0}}}}
#14 0x0000000000719b99 in zend_deactivate () at /home/cristian/php5/Zend/zend.c:860
No locals.
#15 0x00000000006b93a7 in php_request_shutdown (dummy=0x0) at /home/cristian/php5/main/main.c:1481
        report_memleaks = 1 '\001'
#16 0x00000000007a28de in main (argc=2, argv=0x7fff83116bd8) at /home/cristian/php5/sapi/cli/php_cli.c:1321
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002', filename = 0x7fff83117f27 "tostr.php", opened_path = 0x0, handle = {fd = 12794976, fp = 0xc33c60, stream = {handle = 0xc33c60,
      reader = 0x734f70 <zend_stream_stdio_reader>, closer = 0x734f9c <zend_stream_stdio_closer>, fteller = 0x734fc6 <zend_stream_stdio_fteller>, interactive = 0}},
  free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fff83117f27 "tostr.php"
        arg_excp = (char **) 0x7fff83116be0
        script_file = 0x7fff83117f27 "tostr.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = 110
 [2007-10-03 08:03 UTC] dmitry@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 14:02:18 2014 UTC