Bug #56904 Non-overloaded binary assignment operators segfault
Submitted: 2006-03-21 06:52 UTC Modified: 2013-07-18 01:42 UTC
From: bspencer at plus dot net Assigned: pollita (profile)
Status: Closed Package: operator (PECL)
PHP Version: 5.1.1 OS: Debian unstable, kernel 2.6.16
Private report: No CVE-ID: None
 [2006-03-21 06:52 UTC] bspencer at plus dot net
Description:
------------
PHP Version 5.1.2 (debian unstable build)
Operator version 0.3

The code linked to below causes a segfault when the operator extension is enabled.  Note that it does not actually overload any operators, but it appears to be the .= that it dies on.

Reducing the complexity of the code stops the segfault from occurring.


Reproduce code:
---------------
http://www.ztestbspencer40.plus.com/operator_test.php


Actual result:
--------------
GDB backtrace:

#0  0xb7f0157d in _php_operator_binary_assign_op (execute_data=0xbf91c6cc, methodname=0xb7f03d56 "__assign_concat", methodname_len=15)
    at /tmp/tmp2aB13Z/operator-0.3/operator.c:278
#1  0x0829ad68 in execute ()
#2  0x0829b209 in execute ()
#3  0x0829ad68 in execute ()
#4  0x0829b209 in execute ()
#5  0x0829ad68 in execute ()
#6  0x0827eb3e in zend_execute_scripts ()
#7  0x0823e08e in php_execute_script ()
#8  0x0831d117 in main ()

(gdb) print object
$1 = (zval *) 0x1c



Line 278 of operator.c:

if (!object || Z_TYPE_P(object) != IS_OBJECT) {


 [2007-02-04 16:28 UTC] kniolet at ildiinc dot com
I am also getting a segfault with code similar to the following:

class a {

    public $v;

    public function __assign_sl($val) {
        $this->v = $val;
    }
}

$a = new a;
$a->__assign_sl('lkj'); // works
$a <<= 'lkj'; //segfault


Now, if I take out the $a->__assign_sl('lkj'); it works fine. It seems I just cannot mix using the overloaded operators and calling the functions directly. Also, it seems to be on a per file basis, so if I use $a->__assign_sl('lkj'); in one file and $a <<= 'lkj'; in another I don't seem to have problems even when they are in the same app.

On a side note, I _LOVE_ the operator extension! Hands down it's one of the most useful for me.
 [2007-02-04 16:30 UTC] kniolet at ildiinc dot com
Oh, I should mention I am using PHP 5.2.0
 [2008-07-09 14:12 UTC] nick at boxdesign dot co dot uk
I have a patch against operator-0.3 (works against CVS too) which resolves the segfault:

--BEGIN PATCH--
--- operator-0.3/operator.c	2006-02-08 
00:34:17.000000000 +0000
+++ operator.c	2008-07-09 18:55:24.000000000 +0100
@@ -275,7 +275,7 @@
 			zval *object = 
php_operator_zval_ptr(&(opline->op1), &free_obj, 
execute_data TSRMLS_CC);
 			zval *prop = 
php_operator_zval_ptr(&(opline->op2), &free_prop, 
execute_data TSRMLS_CC);
 
-			if (!object || Z_TYPE_P(object) != 
IS_OBJECT) {
+			if (!object || Z_TYPE_P(object) != 
IS_OBJECT || !prop) {
 				/* Let orignal handler throw 
error */
 				return 
php_operator_original_opcode_handlers[PHP_OPERATOR_DECODE(op
line)](ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 			}
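Review bot: the added !prop test sits last in the condition, after Z_TYPE_P(object), so it cannot guard the dereference that the report's backtrace shows faulting at operator.c:278. There gdb prints object as 0x1c, which passes the !object test and then crashes inside Z_TYPE_P(object) before !prop is ever evaluated. As written, the hunk only changes behaviour when op2 resolves to NULL while op1 is already a valid object. For the reported crash, the value php_operator_zval_ptr returns for op1 needs to be validated before it is dereferenced, or the helper changed so that it returns NULL for an operand it cannot resolve; the helper is not part of this hunk, so that should be checked there. Minor: the context comment reads "orignal", worth correcting to "original" while this block is being touched.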
--END PATCH--
 [2009-12-30 22:23 UTC] ryan dot brothers at gmail dot com
I'm running into the same above issue with segfaults, but I'm still getting them after applying the above patch.  I am using PHP 5.2.12.  Is that still the right patch or is there an updated one?  Thanks.
 [2013-07-18 01:42 UTC] pollita@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: pollita
 [2013-07-18 01:42 UTC] pollita@php.net
Looks like this got fixed at some point, I've added a test case to watch out for it in the future though.
Last updated: Sun Sep 15 16:01:28 2024 UTC