Crash accessing global object itself returned from its _

Crash accessing global object itself returned from its __get() handle

Bug #54372	Crash accessing global object itself returned from its __get() handle
Submitted:	2011-03-24 16:48 UTC	Modified:	2011-04-07 15:39 UTC
From:	atorkhov at gmail dot com	Assigned:	dmitry (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.3SVN-2011-03-24 (snap)	OS:	Linux
Private report:	No	CVE-ID:	None

[2011-03-24 16:48 UTC] atorkhov at gmail dot com

Description:
------------
PHP 5.2.17 crashes accessing object that is returned as $this from __get() handle (see code snapshot). If object is not global this code works fine.
PHP 5.2.10 did not crash in such situation.



Test script:
---------------
class test_class
{
    public function __get($name)
    {
        return $this;
    }

    public function b()
    {
        return;
    }
}

global $test3;
$test3 = new test_class();
$test3->a->b();


Expected result:
----------------
Nothing output.

Actual result:
--------------
Segmentation fault. Backtrace:

#0  zend_object_store_get_object (zobject=0x8da185c) at /home/alex/tmp/php-5.2.17/Zend/zend_objects_API.c:258
#1  0x082b08ac in zend_std_get_method (object_ptr=0xbfceb5a4, method_name=0x8da37f0 "b", method_len=1) at /home/alex/tmp/php-5.2.17/Zend/zend_object_handlers.c:801
#2  0x082bcf01 in ZEND_INIT_METHOD_CALL_SPEC_VAR_CONST_HANDLER (execute_data=0xbfceb580) at /home/alex/tmp/php-5.2.17/Zend/zend_vm_execute.h:9488
#3  0x082fea90 in execute (op_array=0x8da1d64) at /home/alex/tmp/php-5.2.17/Zend/zend_vm_execute.h:92
#4  0x082974c7 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/alex/tmp/php-5.2.17/Zend/zend.c:1134
#5  0x08256a94 in php_execute_script (primary_file=0xbfced940) at /home/alex/tmp/php-5.2.17/main/main.c:2036
#6  0x0830078c in main (argc=3, argv=0xbfceda74) at /home/alex/tmp/php-5.2.17/sapi/cli/php_cli.c:1165

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-03-24 17:14 UTC] atorkhov at gmail dot com

Crashes too with backtrace:

#0  zend_object_store_get_object (zobject=0x8e5621c) at /home/alex/tmp/php5.3-201103241530/Zend/zend_objects_API.c:269
#1  0x082b3ca1 in zend_std_get_method (object_ptr=0x8e85a78, method_name=0x8e581cc "b", method_len=1) at /home/alex/tmp/php5.3-201103241530/Zend/zend_object_handlers.c:842
#2  0x082d90c3 in ZEND_INIT_METHOD_CALL_SPEC_VAR_CONST_HANDLER (execute_data=0x8e85a60) at /home/alex/tmp/php5.3-201103241530/Zend/zend_vm_execute.h:10388
#3  0x082b7ab9 in execute (op_array=0x8e566a4) at /home/alex/tmp/php5.3-201103241530/Zend/zend_vm_execute.h:107
#4  0x082972b2 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/alex/tmp/php5.3-201103241530/Zend/zend.c:1194
#5  0x08245dc0 in php_execute_script (primary_file=0xbfc959f0) at /home/alex/tmp/php5.3-201103241530/main/main.c:2270
#6  0x0831a318 in main (argc=3, argv=0xbfc95b64) at /home/alex/tmp/php5.3-201103241530/sapi/cli/php_cli.c:1193

[2011-03-24 17:21 UTC] atorkhov at gmail dot com

-Status: Feedback +Status: Open -PHP Version: 5.2.17 +PHP Version: 5.3SVN-2011-03-24 (snap)

[2011-03-24 17:21 UTC] atorkhov at gmail dot com

(changing version in header)

[2011-03-24 22:25 UTC] felipe@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry

[2011-03-24 22:25 UTC] felipe@php.net

I can reproduce the issue using:
<?php
class test_class
{
    public function __get($name)
    {
        return $this;
    }
}

global $test3;
$test3 = new test_class();
var_dump($test3->a);
?>

Your test gives me 'Fatal error: Call to a member function b() on a non-object'.

[2011-03-25 14:32 UTC] atorkhov at gmail dot com

'Fatal error: Call to a member function b() on a non-object' is wrong behaviour either. Test should return nothing.

[2011-04-07 15:39 UTC] dmitry@php.net

-Status: Assigned +Status: Closed