Home Original page

PHP :: Bug #38461 :: Segfault with __set()

Bug #38461 Segfault with __set()
Submitted: 2006-08-15 07:28 UTC Modified: 2006-08-15 13:20 UTC
From: derick@php.net Assigned: tony2001 (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2006-08-15 (CVS) OS: *
Private report: No CVE-ID: None

 [2006-08-15 07:28 UTC] derick@php.net

Description:
------------
The following script crashes.

Reproduce code:
---------------
<?php

class Operation
{
    function __set( $var, $value )
    {
        $this->$var = $value;
    }
}

class ExtOperation extends Operation
{
    private $x;
}

$op = new ExtOperation;
$op->x = 'test';

?>

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1216329504 (LWP 14743)]
0x083c0de3 in zend_std_write_property (object=0xb77ce778, member=0xb77d0cbc,
    value=0xb77d0928)
    at /dat/dev/php/php-5.2dev/Zend/zend_object_handlers.c:440
440                             zend_hash_quick_update(zobj->properties, property_info->name, property_info->name_length+1, property_info->h, &value, sizeof(zval *), (void **) &foo);
(gdb) bt
#0  0x083c0de3 in zend_std_write_property (object=0xb77ce778,
    member=0xb77d0cbc, value=0xb77d0928)
    at /dat/dev/php/php-5.2dev/Zend/zend_object_handlers.c:440
#1  0x083e1405 in zend_assign_to_object (result=0xb77d01d8,
    object_ptr=0x869e4ac, op2=0xb77d0200, value_op=0xb77d0238, Ts=0xbfc25e50,
    opcode=136) at /dat/dev/php/php-5.2dev/Zend/zend_execute.c:614
#2  0x084010b8 in ZEND_ASSIGN_OBJ_SPEC_UNUSED_CV_HANDLER (
    execute_data=0xbfc25e84)
    at /dat/dev/php/php-5.2dev/Zend/zend_vm_execute.h:18886
#3  0x083c5062 in execute (op_array=0xb77d1418)
    at /dat/dev/php/php-5.2dev/Zend/zend_vm_execute.h:92
#4  0xb759f9d9 in xdebug_execute (op_array=0xb77d1418)
    at /dat/dev/php/xdebug/xdebug.c:1388
#5  0x08395673 in zend_call_function (fci=0xbfc26124, fci_cache=0xbfc260f8)
    at /dat/dev/php/php-5.2dev/Zend/zend_execute_API.c:952
#6  0x083b9457 in zend_call_method (object_pp=0xbfc261b0, obj_ce=0xb77d03a8,
    fn_proxy=0xb77d04b8, function_name=0x8627492 "__set", function_name_len=5,
    retval_ptr_ptr=0xbfc26198, param_count=2, arg1=0xb77d0cbc, arg2=0xb77d0928)
    at /dat/dev/php/php-5.2dev/Zend/zend_interfaces.c:88
#7  0x083bfc82 in zend_std_call_setter (object=0xb77ce778, member=0xb77d0cbc,
    value=0xb77d0928) at /dat/dev/php/php-5.2dev/Zend/zend_object_handlers.c:98
#8  0x083c0d11 in zend_std_write_property (object=0xb77ce778,
    member=0xb77ced70, value=0xb77d0928)
---Type <return> to continue, or q <return> to quit---
    at /dat/dev/php/php-5.2dev/Zend/zend_object_handlers.c:426
#9  0x083e1405 in zend_assign_to_object (result=0xb77ced44,
    object_ptr=0xb77d06dc, op2=0xb77ced6c, value_op=0xb77ceda4, Ts=0xbfc26330,
    opcode=136) at /dat/dev/php/php-5.2dev/Zend/zend_execute.c:614
#10 0x08408a3e in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_HANDLER (
    execute_data=0xbfc263e4)
    at /dat/dev/php/php-5.2dev/Zend/zend_vm_execute.h:21518
#11 0x083c5062 in execute (op_array=0xb77ce7ac)
    at /dat/dev/php/php-5.2dev/Zend/zend_vm_execute.h:92
#12 0xb759f9d9 in xdebug_execute (op_array=0xb77ce7ac)
    at /dat/dev/php/xdebug/xdebug.c:1388
#13 0x083a27ff in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /dat/dev/php/php-5.2dev/Zend/zend.c:1095
#14 0x083526fc in php_execute_script (primary_file=0xbfc2885c)
    at /dat/dev/php/php-5.2dev/main/main.c:1759
#15 0x0841b1ef in main (argc=1, argv=0xbfc28984)
    at /dat/dev/php/php-5.2dev/sapi/cli/php_cli.c:1097
(gdb) quit
The program is running.  Exit anyway? (y or n) y

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2006-08-15 13:20 UTC] tony2001@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.