Edit report at https://bugs.php.net/bug.php?id=55305&edit=1

 ID:                 55305
 Patch added by:     cataphr...@php.net
 Reported by:        yaa...@php.net
 Summary:            ref lost: 1st ref instantiated in class def, 2nd ref
                     made w/o instantiating
 Status:             Open
 Type:               Bug
 Package:            *General Issues
 Operating System:   ALL
 PHP Version:        5.4SVN-2011-07-27 (SVN)
 Block user comment: N
 Private report:     N

 New Comment:

The following patch has been added/updated:

Patch Name: bug55305.patch
Revision:   1311813005
URL:        https://bugs.php.net/patch-display.php?bug=55305&patch=bug55305.patch&revision=1311813005


Previous Comments:
------------------------------------------------------------------------
[2011-07-28 00:30:02] cataphr...@php.net

The following patch has been added/updated:

Patch Name: bug55305.patch
Revision:   1311813002
URL:        https://bugs.php.net/patch-display.php?bug=55305&patch=bug55305.patch&revision=1311813002

------------------------------------------------------------------------
[2011-07-27 23:32:55] yaa...@php.net

Description:
------------
Reference is lost, causing segfault and/or oddities when primary reference is 
edited after secondary is edited.

Occurs only when the variable name is instantiated in the class definition, and 
the second reference is not instantiated before it is made. Possible workarounds 
include:

Instantiate neither variable name in the class definition
Instantiate both variable names in the class definition
Instantiate secondary variable name before making it a reference to the first:
  $this->bar = null;
  $this->bar =& $this->foo;

The bug is new to 5.4.

Test script:
---------------
<?php
class Foo {
  var $foo; # bug present
  function __construct(){
    $this->foo = '';
    $this->bar =& $this->foo;
  }
  function dump(){
    echo 'foo: ';var_dump($this->foo);
    echo 'bar: ';var_dump($this->bar);
  }
}

$f = new Foo();
$f->dump();
$f->foo .= 'foo';
$f->dump();
$f->bar .= 'bar';
$f->dump();
$f->foo .= 'foo';
$f->dump();
?>

Expected result:
----------------
foo: string(0) ""
bar: string(0) ""
foo: string(3) "bar"
bar: string(3) "bar"
foo: string(6) "barfoo"
bar: string(6) "barfoo"


Actual result:
--------------
varies from platform to platform

On Windows:

foo: string(0) ""
bar: NULL
foo: string(3) "foo"
bar: NULL
foo: UNKNOWN:0
bar: string(3) "bar"
CRASH

On Linux (Ubuntu 11.04):

foo: string(0) ""
bar: NULL
foo: NULL
bar: string(3) "bar" 
foo: string(3) "foo"
bar: string(3) "???"

where ??? is 3 seemingly-random bytes.

OR, if an additional one-or-three-parameter method is defined in the class (even 
if it is not called):

string(0) ""
NULL
NULL
Segmentation fault

If the uncalled method has a different number of arguments, it generates a 
zend_mm_heap_corrupted instead.


------------------------------------------------------------------------
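The three workarounds listed in the report, written out as an added example (this is not code from the report or from PHP itself). Each workaround is its own class, and a small check mutates the string through both property names and confirms they stay bound; the class names and the `referenceSurvives()` helper are assumptions introduced here. On an unaffected PHP build every class prints `ok`; on a build with this bug the original `Foo` shape (declared `$foo`, dynamically created `$bar`) is the one that loses the reference or crashes.

```php
<?php
// Added example (not part of the original bug report): the three
// workarounds from the report, each as its own class, plus a check that
// the reference survives edits made through either property name.

// Workaround 1: declare neither property; both are created dynamically.
class NeitherDeclared {
    function __construct() {
        $this->foo = '';
        $this->bar =& $this->foo;
    }
}

// Workaround 2: declare both properties in the class definition.
class BothDeclared {
    var $foo;
    var $bar;
    function __construct() {
        $this->foo = '';
        $this->bar =& $this->foo;
    }
}

// Workaround 3: declare only $foo, but assign $bar before binding it.
class SecondaryInitialized {
    var $foo;
    function __construct() {
        $this->foo = '';
        $this->bar = null;
        $this->bar =& $this->foo;
    }
}

// Hypothetical helper: returns true only if $obj->foo and $obj->bar
// still alias the same string after edits from both sides.
function referenceSurvives($obj) {
    $obj->foo .= 'foo';
    if ($obj->bar !== 'foo') {
        return false;
    }
    $obj->bar .= 'bar';
    if ($obj->foo !== 'foobar') {
        return false;
    }
    $obj->foo .= 'foo';
    return $obj->foo === 'foobarfoo' && $obj->bar === 'foobarfoo';
}

foreach (array('NeitherDeclared', 'BothDeclared', 'SecondaryInitialized') as $cls) {
    $obj = new $cls();
    printf("%-20s %s\n", $cls, referenceSurvives($obj) ? 'ok' : 'REFERENCE LOST');
}
```

Workaround 2 (declare both properties) is the one to prefer in new code: it does not rely on creating properties at runtime, which PHP 8.2 and later deprecate for classes that do not opt in to dynamic properties.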


