Bug #55305 ref lost: 1st ref instantiated in class def, 2nd ref made w/o instantiating
Submitted: 2011-07-27 23:32 UTC Modified: 2011-08-01 15:23 UTC
From: yaauie@php.net Assigned: dmitry (profile)
Status: Closed Package: *General Issues
PHP Version: 5.4SVN-2011-07-27 (SVN) OS: ALL
Private report: No CVE-ID: None
 [2011-07-27 23:32 UTC] yaauie@php.net
Description:
------------
Reference is lost, causing segfault and/or oddities when primary reference is edited after secondary is edited.

Occurs only when the variable name is instantiated in the class definition, and the second reference is not instantiated before it is made. Possible workarounds include:

Instantiate neither variable name in the class definition
Instantiate both variable names in the class definition
Instantiate secondary variable name before making it a reference to the first:
  $this->bar = null;
  $this->bar =& $this->foo;

The bug is new to 5.4.

Test script:
---------------
<?php
class Foo {
  var $foo; # bug present
  function __construct(){
    $this->foo = '';
    $this->bar =& $this->foo;
  }
  function dump(){
    echo 'foo: ';var_dump($this->foo);
    echo 'bar: ';var_dump($this->bar);
  }
}

$f = new Foo();
$f->dump();
$f->foo .= 'foo';
$f->dump();
$f->bar .= 'bar';
$f->dump();
$f->foo .= 'foo';
$f->dump();
?>

Expected result:
----------------
foo: string(0) ""
bar: string(0) ""
foo: string(3) "bar"
bar: string(3) "bar"
foo: string(6) "barfoo"
bar: string(6) "barfoo"


Actual result:
--------------
varies from platform to platform

On Windows:

foo: string(0) ""
bar: NULL
foo: string(3) "foo"
bar: NULL
foo: UNKNOWN:0
bar: string(3) "bar"
CRASH

On Linux (Ubuntu 11.04):

foo: string(0) ""
bar: NULL
foo: NULL
bar: string(3) "bar" 
foo: string(3) "foo"
bar: string(3) "???"

where ??? is 3 seemingly-random bytes.

OR, if an additional one-or-three-parameter method is defined in the class (even if it is not called):

string(0) ""
NULL
NULL
Segmentation fault

If the uncalled method has a different number of arguments, it generates a zend_mm_heap_corrupted instead.
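A self-checking version of the scenario above, added here as an example; it is not the reporter's script and not part of PHP's own test suite. The class names `Affected` and `Safe` and the helper functions `exercise`, `expected` and `reference_held` are assumed names chosen for this example. `Affected` reproduces the shape from the report (only `$foo` declared, `$bar` created dynamically when the reference is made); `Safe` applies the report's second workaround (declare both property names in the class definition). The same sequence of appends as the report's test script is replayed against each, and the observed `foo`/`bar` pairs are compared strictly, so a `NULL` or a garbage string in either slot is reported as a lost reference rather than silently coerced into a match. On a build with the fix, both classes report the reference as held.

```php
<?php
// Added regression check for the scenario in bug #55305; this is not the
// reporter's script or PHP's own test suite. It replays the report's sequence
// of appends against two class shapes and verifies that $bar still aliases $foo.

// Shape from the report: only $foo is declared, $bar is created dynamically
// at the moment the reference is made. The attribute keeps PHP 8.2+ from
// flagging the dynamic property; older versions treat the line as a comment.
#[AllowDynamicProperties]
class Affected {
    public $foo;
    public function __construct() {
        $this->foo = '';
        $this->bar =& $this->foo;
    }
}

// Workaround from the report: declare both property names up front so the
// reference binds two slots that already exist in the object.
class Safe {
    public $foo;
    public $bar;
    public function __construct() {
        $this->foo = '';
        $this->bar =& $this->foo;
    }
}

// Replays the appends from the report's test script and records the
// (foo, bar) pair observed after each step.
function exercise($obj) {
    $seen = array();
    $seen[] = array($obj->foo, $obj->bar);
    $obj->foo .= 'foo';
    $seen[] = array($obj->foo, $obj->bar);
    $obj->bar .= 'bar';
    $seen[] = array($obj->foo, $obj->bar);
    $obj->foo .= 'foo';
    $seen[] = array($obj->foo, $obj->bar);
    return $seen;
}

// What an intact reference must produce: both names see every append.
function expected() {
    return array(
        array('', ''),
        array('foo', 'foo'),
        array('foobar', 'foobar'),
        array('foobarfoo', 'foobarfoo'),
    );
}

// Strict comparison (===), so a NULL or a garbage string in either slot,
// the symptoms listed in the report, counts as a failure instead of being
// coerced into a match.
function reference_held(array $seen) {
    return $seen === expected();
}

$failures = 0;
foreach (array('Affected', 'Safe') as $class) {
    $held = reference_held(exercise(new $class()));
    printf("%-8s %s\n", $class, $held ? 'reference held' : 'reference lost');
    if (!$held) {
        $failures++;
    }
}
exit($failures === 0 ? 0 : 1);
```

The script exits non-zero if either class loses the reference, so it can sit in a CI job that runs against each PHP build you deploy; the reporter notes that the crash shape varies by platform, so a failing exit status (or an interpreter crash) is the signal, not any particular printed value.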

Patches

bug55305.patch (last revision 2011-07-28 00:30 UTC by cataphract@php.net)

History

 [2011-07-28 00:30 UTC] cataphract@php.net
The following patch has been added/updated:

Patch Name: bug55305.patch
Revision:   1311813002
URL:        https://bugs.php.net/patch-display.php?bug=55305&patch=bug55305.patch&revision=1311813002
 [2011-07-28 00:30 UTC] cataphract@php.net
The following patch has been added/updated:

Patch Name: bug55305.patch
Revision:   1311813005
URL:        https://bugs.php.net/patch-display.php?bug=55305&patch=bug55305.patch&revision=1311813005
 [2011-07-28 00:31 UTC] cataphract@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: dmitry
 [2011-07-28 00:31 UTC] cataphract@php.net
The patch attached fixes this issue, but there may be a better way than just building the properties hash table on zend_std_get_property_ptr_ptr.
 [2011-08-01 15:23 UTC] dmitry@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=314054
Log: Fixed bug #55305 (ref lost: 1st ref instantiated in class def, 2nd ref made w/o instantiating)
 [2011-08-01 15:23 UTC] dmitry@php.net
-Status: Verified +Status: Closed
 [2011-08-01 15:23 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:49 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d4a80cfa8d7b2a5f30976c144efa33b3d159622a
Log: Fixed bug #55305 (ref lost: 1st ref instantiated in class def, 2nd ref made w/o instantiating)
 [2012-07-24 23:40 UTC] rasmus@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d4a80cfa8d7b2a5f30976c144efa33b3d159622a
Log: Fixed bug #55305 (ref lost: 1st ref instantiated in class def, 2nd ref made w/o instantiating)
 [2013-11-17 09:37 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d4a80cfa8d7b2a5f30976c144efa33b3d159622a
Log: Fixed bug #55305 (ref lost: 1st ref instantiated in class def, 2nd ref made w/o instantiating)
Last updated: Thu Mar 28 16:01:29 2024 UTC