ID: 42976
Updated by: [EMAIL PROTECTED]
Reported By: robin_fernandes at uk dot ibm dot com
-Status: Open
+Status: Assigned
Bug Type: Reproducible crash
-Operating System: Windows
+Operating System: *
-PHP Version: 5CVS-2007-10-15 (snap)
+PHP Version: 5.2.4
-Assigned To:
+Assigned To: chinstrap
Previous Comments:
------------------------------------------------------------------------
[2007-10-15 18:03:58] felipensp at gmail dot com
GDB:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1211603264 (LWP 6092)]
0x0826a03c in _zval_ptr_dtor (zval_ptr=0xbfae34c8)
at /home/felipe/php5.2-200710131830/Zend/zend_execute_API.c:412
412 (*zval_ptr)->refcount--;
---------------------
Backtrace:
#0  0x0826a03c in _zval_ptr_dtor (zval_ptr=0xbfae34c8)
    at /home/felipe/php5.2-200710131830/Zend/zend_execute_API.c:412
#1  0x08156d72 in zim_reflection_class_newInstance (ht=1,
    return_value=0x847ef88, return_value_ptr=0x0, this_ptr=0x847eee0,
    return_value_used=0)
    at /home/felipe/php5.2-200710131830/ext/reflection/php_reflection.c:3452
#2  0x08294748 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfae375c)
    at /home/felipe/php5.2-200710131830/Zend/zend_vm_execute.h:200
#3  0x082937b9 in execute (op_array=0x847e540)
    at /home/felipe/php5.2-200710131830/Zend/zend_vm_execute.h:92
#4  0x082761f2 in zend_execute_scripts (type=8, retval=<value optimized out>,
    file_count=3) at /home/felipe/php5.2-200710131830/Zend/zend.c:1134
#5  0x08235251 in php_execute_script (primary_file=0xbfae5b1c)
    at /home/felipe/php5.2-200710131830/main/main.c:2003
#6  0x082eecf5 in main (argc=2, argv=0xbfae5c34)
    at /home/felipe/php5.2-200710131830/sapi/cli/php_cli.c:1140
------------------------------------------------------------------------
[2007-10-15 17:13:11] robin_fernandes at uk dot ibm dot com
Description:
------------
In some cases, ReflectionClass::newInstance() and
ReflectionClass::newInstanceArgs() can trigger a segmentation fault when
the constructor of the reflected class takes arguments by reference.
Tested on PHP 5.2.5-dev (cli) (built: Oct 15 2007 12:04:27) on Win XP.
Reproduce code:
---------------
<?php
Class C {
    function __construct(&$x) {
        $x = "x.changed";
    }
}

$x = "x.original";
new C($x); // OK
var_dump($x);

$rc = new ReflectionClass('C');
$x = "x.original";
$rc->newInstance($x); // causes crash
var_dump($x);

$x = "x.original";
$rc->newInstanceArgs(array($x)); // causes crash
var_dump($x);
?>
Expected result:
----------------
string(9) "x.changed"
string(9) "x.changed"
string(10) "x.original"
Actual result:
--------------
string(9) "x.changed"
*CRASH*
------------------------------------------------------------------------