|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #42976 ReflectionClass::newInstance[Args]() crashes if ctor takes arg by reference
Submitted: 2007-10-15 17:13 UTC Modified: 2007-10-28 13:47 UTC
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: robin_fernandes at uk dot ibm dot com Assigned: johannes (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.2.4 OS: *
Private report: No CVE-ID: None
 [2007-10-15 17:13 UTC] robin_fernandes at uk dot ibm dot com
In some cases, ReflectionClass::newInstance() and ReflectionClass::newInstanceArgs() can trigger a segmentation fault when the constructor of the reflected class takes arguments by reference.

Tested on PHP 5.2.5-dev (cli) (built: Oct 15 2007 12:04:27) on Win XP.

Reproduce code:
Class C {
	function __construct(&$x) {
		$x = "x.changed";

$x = "x.original";
new C($x); // OK

$rc = new ReflectionClass('C');
$x = "x.original";
$rc->newInstance($x); // causes crash
$x = "x.original";
$rc->newInstanceArgs(array($x)); // causes crash	

Expected result:
string(9) "x.changed"
string(9) "x.changed"
string(10) "x.original"

Actual result:
string(9) "x.changed"


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2007-10-15 18:03 UTC] felipensp at gmail dot com
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1211603264 (LWP 6092)]
0x0826a03c in _zval_ptr_dtor (zval_ptr=0xbfae34c8)
    at /home/felipe/php5.2-200710131830/Zend/zend_execute_API.c:412
412             (*zval_ptr)->refcount--;


#0  0x0826a03c in _zval_ptr_dtor (zval_ptr=0xbfae34c8)
    at /home/felipe/php5.2-200710131830/Zend/zend_execute_API.c:412
#1  0x08156d72 in zim_reflection_class_newInstance (ht=1, 
    return_value=0x847ef88, return_value_ptr=0x0, this_ptr=0x847eee0, 
    at /home/felipe/php5.2-200710131830/ext/reflection/php_reflection.c:3452
#2  0x08294748 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfae375c)
    at /home/felipe/php5.2-200710131830/Zend/zend_vm_execute.h:200
#3  0x082937b9 in execute (op_array=0x847e540)
    at /home/felipe/php5.2-200710131830/Zend/zend_vm_execute.h:92
#4  0x082761f2 in zend_execute_scripts (type=8, retval=<value optimized out>, 
    file_count=3) at /home/felipe/php5.2-200710131830/Zend/zend.c:1134
#5  0x08235251 in php_execute_script (primary_file=0xbfae5b1c)
    at /home/felipe/php5.2-200710131830/main/main.c:2003
#6  0x082eecf5 in main (argc=2, argv=0xbfae5c34)
    at /home/felipe/php5.2-200710131830/sapi/cli/php_cli.c:1140
 [2007-10-28 13:47 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Feb 21 10:01:28 2024 UTC