Assertion `zval_get_type(&(*(zptr))) == 6 && "Concat should return string"' failed

### Description

The following code:

```php
<?php
class A
{
    public string $prop = "";

}
class B
{
    public function __toString()
    {
        global $a;
        $a = $a = "";
        $a->p = "";
        return "";

    }

}
$a = new A();
$a = $a->prop .= new B();

?>
```

Resulted in this output:
```
php-src/Zend/zend_execute.c:1582: zend_binary_assign_op_typed_prop: Assertion `zval_get_type(&(*(zptr))) == 6 && "Concat should return string"' failed.
```

With asan, the output is:
```
==5503==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x555555ef095f bp 0x7fffffff9b00 sp 0x7fffffff9ad0 T0)
==5503==The signal is caused by a WRITE memory access.
==5503==Hint: address points to the zero page.
    #0 0x555555ef095e in zend_gc_addref /php-src/Zend/zend_types.h:1210
    #1 0x555555ef095e in ZEND_ASSIGN_OBJ_OP_SPEC_CV_CONST_HANDLER /php-src/Zend/zend_vm_execute.h:40931
    #2 0x555555f5c7cf in execute_ex /php-src/Zend/zend_vm_execute.h:60234
    #3 0x555555f91637 in zend_execute /php-src/Zend/zend_vm_execute.h:61087
...)
```

It seems a use-after-free bug.


### PHP Version

PHP 8.3.0-dev

### Operating System

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Assertion `zval_get_type(&(*(zptr))) == 6 && "Concat should return string"' failed #10571

Description

PHP Version

Operating System

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Assertion `zval_get_type(&(*(zptr))) == 6 && "Concat should return string"' failed #10571

Description

Description

PHP Version

Operating System

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions