Just checking something before posting a bug report

17 years ago by Martin Alterisio — view source

unread

I did as much as possible from the steps asked in the php bugs page, but
still I want to check with you folks before submitting a bug report.

I found a strange behavior in PHP 5.2.4. Try running the following code:

<?php
class Foo {
static public $foo;

function __toString() {
    self::$foo = $this;
    return 'foo';
}

}

$foo = (string) new Foo();
var_dump(Foo::$foo);
?>

At the end of the script, the static var stores not the object but the
string returned by toString.

17 years ago by pstradomski@gmail.com — view source

unread

Martin Alterisio wrote

<?php
class Foo {
static public $foo;

function __toString() {
self::$foo = $this;
return 'foo';
}
}

$foo = (string) new Foo();
var_dump(Foo::$foo);
?>

Got even stranger result here:
string(3) "foo"
ALERT - canary mismatch on efree() - heap overflow detected
(attacker 'REMOTE_ADDR not set', file 'unknown')

So I confirm your problem (var_dump should report object, not string).

--
Paweł Stradomski

17 years ago by Moritz Bechler — view source

unread

Hi,

I can confirm that behaviour (older CVS build) and it seems that you can
get that thingy to segfault if you var_dump twice. That might be helpful
for investigating that "interesting" behaviour. Backtrace follows...

#0 0x000000000087a3b9 in zend_mm_check_ptr (heap=0xe20710,
ptr=0x7fffa5cd22c8, silent=0x1, __zend_filename=0xbf3e40
"/usr/src/php5/Zend/zend_variables.c", __zend_lineno=0xaf,
__zend_orig_filename=0xbf2830 "/usr/src/php5/Zend/zend_execute.h",
__zend_orig_lineno=0x46) at /usr/src/php5/Zend/zend_alloc.c:1264
#1 0x000000000087bdc8 in _zend_mm_free_int (heap=0xe20710,
p=0x7fffa5cd22c8, __zend_filename=0xbf3e40
"/usr/src/php5/Zend/zend_variables.c", __zend_lineno=0xaf,
__zend_orig_filename=0xbf2830 "/usr/src/php5/Zend/zend_execute.h",
__zend_orig_lineno=0x46) at /usr/src/php5/Zend/zend_alloc.c:1895
#2 0x000000000087d4b5 in _efree (ptr=0x7fffa5cd22c8,
__zend_filename=0xbf3e40 "/usr/src/php5/Zend/zend_variables.c",
__zend_lineno=0xaf, __zend_orig_filename=0xbf2830
"/usr/src/php5/Zend/zend_execute.h", __zend_orig_lineno=0x46) at
/usr/src/php5/Zend/zend_alloc.c:2263
#3 0x000000000088c248 in safe_free_zval_ptr_rel (p=0x7fffa5cd22c8,
__zend_filename=0xbf3e40 "/usr/src/php5/Zend/zend_variables.c",
__zend_lineno=0xaf, __zend_orig_filename=0xbf2798
"/usr/src/php5/Zend/zend_execute_API.c", __zend_orig_lineno=0x19f) at
zend_execute.h:70
#4 0x000000000088c1cd in _zval_ptr_dtor (zval_ptr=0x10d04d0,
__zend_filename=0xbf3e40 "/usr/src/php5/Zend/zend_variables.c",
__zend_lineno=0xaf) at /usr/src/php5/Zend/zend_execute_API.c:415
#5 0x000000000089b0e1 in _zval_ptr_dtor_wrapper (zval_ptr=0x10d04d0) at
/usr/src/php5/Zend/zend_variables.c:175
#6 0x00000000008aa9fa in zend_hash_destroy (ht=0x10cfed8) at
/usr/src/php5/Zend/zend_hash.c:526
#7 0x0000000000891865 in destroy_zend_class (pce=0x10f9cb8) at
/usr/src/php5/Zend/zend_opcode.c:182
#8 0x00000000008aada8 in zend_hash_apply_deleter (ht=0xe21040,
p=0x10f9ca0) at /usr/src/php5/Zend/zend_hash.c:611
#9 0x00000000008ab3de in zend_hash_reverse_apply (ht=0xe21040,
apply_func=0x88b75b <clean_non_persistent_class>) at
/usr/src/php5/Zend/zend_hash.c:760
#10 0x000000000088be10 in shutdown_executor () at
/usr/src/php5/Zend/zend_execute_API.c:291
#11 0x000000000089c755 in zend_deactivate () at
/usr/src/php5/Zend/zend.c:860
#12 0x0000000000843392 in php_request_shutdown (dummy=0x0) at
/usr/src/php5/main/main.c:1463
#13 0x00000000009206de in main (argc=0x2, argv=0x7fffa5cd4cd8) at
/usr/src/php5/sapi/cli/php_cli.c:1332

best regards

Moritz Bechler

17 years ago by Martin Alterisio — view source

unread

Thanks everyone!

I've just submitted the report, adding the info you provided.

Regards,

Martin Alterisio