Edit report at https://bugs.php.net/bug.php?id=60701&edit=1

 ID:                 60701
 Updated by:         maar...@php.net
 Reported by:        daan at react dot com
 Summary:            __toString() which stores $this reference triggers
                     segfault (with fix!)
-Status:             Duplicate
+Status:             Closed
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   CentOS
 PHP Version:        5.3.8
 Assigned To:        dmitry
 Block user comment: N
 Private report:     N

 New Comment:

Fixed in 5.3.11 / 5.4.1 (see #61165 for revisions and tests)


Previous Comments:
------------------------------------------------------------------------
[2012-04-26 12:34:40] paj...@php.net

Duplicate of #61165

------------------------------------------------------------------------
[2012-04-26 12:33:03] maar...@php.net

So this issue is apparently fixed thanks to 
https://bugs.php.net/bug.php?id=61165 (which is actually a dupe of 60701 all 
along) ?

------------------------------------------------------------------------
[2012-04-26 12:18:10] arjen at react dot com

5.3.10/5.4.0 fixed original testcase; see http://3v4l.org/sc0mQ
5.3.11/5.4.1 fixed modified testcase; see http://3v4l.org/iYBMZ

Please close this issue and mark as fixed!

------------------------------------------------------------------------
[2012-04-02 09:53:08] arjen at react dot com

5.3.10 fixed the attached testcase, a more simple test now fails.

<?php

class A {
        public $a;
        public function __toString()
        {
                $this->a = $this;
                return 'waa?';
        }
}

$a = new A;
echo trim($a);
echo trim($a->a);

Results:
5.3.0 - 5.3.9   waa?1
5.3.10 waa? Warning: trim() expects parameter 1 to be string, unknown given in 
/home/deployer/public_html/php/tmp/ba8096acaf18c52bc12e38619634c25b on line 14
5.4.0 Segmentation fault

------------------------------------------------------------------------
[2012-03-26 09:05:57] s...@php.net

OK, I think I know what may be going on here. What you're getting as $this in 
toString() is not a real $object but a copy that was generated by 
SEPARATE_ZVAL_IF_NOT_REF() in parse_arg_object_to_string(). If you save this 
copy, there might be trouble since it'd be destroyed by writeobj and later 
cleanup of the function arguments. However, the patch proposed doesn't seem to 
solve the problem completely since $this->test variable is still corrupted in 
this scenario...

------------------------------------------------------------------------
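
A regression check for the behaviour discussed in the comments above, as an added example that is not part of the bug report or the PHP test suite: it confirms that the reference stored inside __toString() is the caller's object and not a temporary copy. It goes beyond the reported trim() case by also covering an explicit cast and string concatenation; check_conversion() and the $calls counter are names introduced here.

```php
<?php
// Added regression check (not from the report or the PHP test suite).
// Class A mirrors the reported test case; check_conversion(), $calls and
// the list of conversion paths are assumptions made for this example.

class A {
    public $a;
    public $calls = 0;
    public function __toString()
    {
        $this->calls++;
        $this->a = $this;   // store the $this reference, as in the report
        return 'waa?';
    }
}

// Run one object-to-string conversion path and verify that the reference
// stored inside __toString() is the caller's object, not a temporary copy.
function check_conversion($name, $convert)
{
    $obj = new A;
    $first = $convert($obj);
    $problems = array();
    if ($first !== 'waa?') {
        $problems[] = 'unexpected result ' . var_export($first, true);
    }
    if ($obj->a !== $obj) {
        $problems[] = 'stored $this is not the original object';
    } else {
        // Converting through the stored reference must work as well.
        $second = $convert($obj->a);
        if ($second !== 'waa?' || $obj->calls !== 2) {
            $problems[] = 'conversion via stored reference failed';
        }
    }
    printf("%-8s %s\n", $name, $problems ? 'FAIL: ' . implode('; ', $problems) : 'ok');
    return !$problems;
}

$paths = array(
    'trim'   => function ($o) { return trim($o); },     // internal function argument parsing
    'cast'   => function ($o) { return (string) $o; },  // explicit cast
    'concat' => function ($o) { return '' . $o; },      // string concatenation
);

$ok = true;
foreach ($paths as $name => $convert) {
    $ok = check_conversion($name, $convert) && $ok;
}
exit($ok ? 0 : 1);
```

A non-zero exit status, including one caused by the interpreter crashing, means the check failed on that build.
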


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=60701

