Bug #42976 ReflectionClass::newInstance[Args]() crashes if ctor takes arg by reference
Submitted: 2007-10-15 17:13 UTC Modified: 2007-10-28 13:47 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: robin_fernandes at uk dot ibm dot com Assigned: johannes
Status: Closed Package: Reproducible crash
PHP Version: 5.2.4 OS: *
Private report: No CVE-ID:
 [2007-10-15 17:13 UTC] robin_fernandes at uk dot ibm dot com
Description:
------------
In some cases, ReflectionClass::newInstance() and ReflectionClass::newInstanceArgs() can trigger a segmentation fault when the constructor of the reflected class takes arguments by reference.

Tested on PHP 5.2.5-dev (cli) (built: Oct 15 2007 12:04:27) on Win XP.

Reproduce code:
---------------
<?php
class C {
	// constructor takes its argument by reference and writes through it
	function __construct(&$x) {
		$x = "x.changed";
	}
}

$x = "x.original";
new C($x); // OK: direct instantiation, $x is modified
var_dump($x);

$rc = new ReflectionClass('C');
$x = "x.original";
$rc->newInstance($x); // causes crash
var_dump($x);
$x = "x.original";
$rc->newInstanceArgs(array($x)); // causes crash
var_dump($x);
?>

Expected result:
----------------
string(9) "x.changed"
string(9) "x.changed"
string(10) "x.original"

Actual result:
--------------
string(9) "x.changed"
*CRASH*
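
The report above shows the two reflection paths and, in its own expected output, that `newInstanceArgs(array($x))` passes a copy rather than the caller's variable (the third line stays `"x.original"`). The following added example is not part of the bug report or of PHP's own code: it uses `ReflectionMethod::getParameters()` and `ReflectionParameter::isPassedByReference()` to find by-reference constructor parameters before instantiating, and builds the argument array so that those slots are references into the caller's array, which is what makes the constructor's write reach the caller. The class `Counter` and the helper `newInstanceByRef()` are hypothetical names chosen for the example.

```php
<?php
// Added example, not code from the bug report. Class and function names are
// illustrative. Requires ext/reflection (bundled with PHP 5.x and later).

class Counter {
    public $label;

    // $n is taken by reference, $label by value
    function __construct(&$n, $label) {
        $n = $n + 1;
        $this->label = $label;
    }
}

// Instantiate $rc, binding each by-reference constructor parameter to the
// caller's array slot so that writes in the constructor propagate. By-value
// parameters receive a plain copy. Missing required arguments are rejected
// before reflection ever reaches the engine.
function newInstanceByRef(ReflectionClass $rc, array &$args) {
    $ctor = $rc->getConstructor();
    if ($ctor === null) {
        return $rc->newInstanceArgs(array());
    }

    $bound = array();
    foreach ($ctor->getParameters() as $i => $param) {
        if (!array_key_exists($i, $args)) {
            if (!$param->isOptional()) {
                throw new InvalidArgumentException(
                    'missing argument ' . $i . ' for ' . $rc->getName()
                );
            }
            break;
        }
        if ($param->isPassedByReference()) {
            $bound[$i] = &$args[$i];   // share the zval: constructor writes reach the caller
        } else {
            $bound[$i] = $args[$i];    // copy for by-value parameters
        }
    }
    return $rc->newInstanceArgs($bound);
}

// Usage: the reference has to be established inside the argument array;
// array($n) would store a copy, as the report's third expected line shows.
$n = 41;
$args = array();
$args[0] = &$n;
$args[1] = 'answer';

$obj = newInstanceByRef(new ReflectionClass('Counter'), $args);
var_dump($n);           // int(42): the constructor incremented the caller's $n
var_dump($obj->label);  // string(6) "answer"
```

Calling `$param->isPassedByReference()` up front also gives a caller a cheap way to refuse, or route around, reflective instantiation of constructors with by-reference parameters on builds known to be affected by this report.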

 [2007-10-15 18:03 UTC] felipensp at gmail dot com
GDB:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1211603264 (LWP 6092)]
0x0826a03c in _zval_ptr_dtor (zval_ptr=0xbfae34c8)
    at /home/felipe/php5.2-200710131830/Zend/zend_execute_API.c:412
412             (*zval_ptr)->refcount--;

---------------------

Backtrace:
#0  0x0826a03c in _zval_ptr_dtor (zval_ptr=0xbfae34c8)
    at /home/felipe/php5.2-200710131830/Zend/zend_execute_API.c:412
#1  0x08156d72 in zim_reflection_class_newInstance (ht=1, 
    return_value=0x847ef88, return_value_ptr=0x0, this_ptr=0x847eee0, 
    return_value_used=0)
    at /home/felipe/php5.2-200710131830/ext/reflection/php_reflection.c:3452
#2  0x08294748 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfae375c)
    at /home/felipe/php5.2-200710131830/Zend/zend_vm_execute.h:200
#3  0x082937b9 in execute (op_array=0x847e540)
    at /home/felipe/php5.2-200710131830/Zend/zend_vm_execute.h:92
#4  0x082761f2 in zend_execute_scripts (type=8, retval=<value optimized out>, 
    file_count=3) at /home/felipe/php5.2-200710131830/Zend/zend.c:1134
#5  0x08235251 in php_execute_script (primary_file=0xbfae5b1c)
    at /home/felipe/php5.2-200710131830/main/main.c:2003
#6  0x082eecf5 in main (argc=2, argv=0xbfae5c34)
    at /home/felipe/php5.2-200710131830/sapi/cli/php_cli.c:1140
 [2007-10-28 13:47 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 04:01:57 2014 UTC