Segmentation fault in Zend/zend_types.h

[YuanchengJiang]

Description

The following code:

<?php
class C {
public int $b {
set(int $value) { $this->b = $value; }
}
}
$reflector = new ReflectionClass(C::class);
$obj = $reflector->newLazyGhost(function ($obj) {
return new C();
});
foreach ($obj as $prop => $value) {
}

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==2370325==ERROR: AddressSanitizer: SEGV on unknown address 0x5653d6bf6c00 (pc 0x5653d56874d5 bp 0x7ffcdcb7fc20 sp 0x7ffcdcb7fbf0 T0)
==2370325==The signal is caused by a WRITE memory access.
    #0 0x5653d56874d5 in zend_gc_delref /php-src/Zend/zend_types.h:1348:9
    #1 0x5653d5686abc in i_zval_ptr_dtor /php-src/Zend/zend_variables.h:44:8
    #2 0x5653d56868a4 in zval_ptr_dtor /php-src/Zend/zend_variables.c:84:2
    #3 0x5653d5636485 in zho_it_dtor /php-src/Zend/zend_property_hooks.c:211:2
    #4 0x5653d5432c3f in iter_wrapper_free /php-src/Zend/zend_iterators.c:66:2
    #5 0x5653d558fe53 in zend_objects_store_del /php-src/Zend/zend_objects_API.c:194:4
    #6 0x5653d51f9bea in zend_object_release /php-src/Zend/zend_objects_API.h:77:3
    #7 0x5653d523bfac in zend_fe_reset_iterator /php-src/Zend/zend_execute.c:5182:4
    #8 0x5653d4ec8eba in ZEND_FE_RESET_R_SPEC_CV_HANDLER /php-src/Zend/zend_vm_execute.h:41164:20
    #9 0x5653d4ba8f47 in execute_ex /php-src/Zend/zend_vm_execute.h:58585:7
    #10 0x5653d4baa382 in zend_execute /php-src/Zend/zend_vm_execute.h:64237:2
    #11 0x5653d56c74f8 in zend_execute_script /php-src/Zend/zend.c:1926:3
    #12 0x5653d4277e26 in php_execute_script_ex /php-src/main/main.c:2578:13
    #13 0x5653d42786c8 in php_execute_script /php-src/main/main.c:2618:9
    #14 0x5653d56d5ad3 in do_cli /php-src/sapi/cli/php_cli.c:935:5
    #15 0x5653d56d14f2 in main /php-src/sapi/cli/php_cli.c:1309:18
    #16 0x7f15866d7d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #17 0x7f15866d7e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #18 0x5653d2403244 in _start (/php-src/sapi/cli/php+0x1c03244) (BuildId: ee1f743275c2fdd0ccef8e16c7fa1c0bff43bbe8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /php-src/Zend/zend_types.h:1348:9 in zend_gc_delref

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

[cmb69]

php-src/Zend/zend_property_hooks.c

Line 211 in c65e042

zval_ptr_dtor(&hooked_iter->declared_props);

hooked_iter->declared_props is zend_empty_array, and trying to decrease its refcount is bad.

Possible fix:

 Zend/zend_property_hooks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Zend/zend_property_hooks.c b/Zend/zend_property_hooks.c
index 9cfa15ecaf..523584de94 100644
--- a/Zend/zend_property_hooks.c
+++ b/Zend/zend_property_hooks.c
@@ -54,7 +54,7 @@ static zend_array *zho_build_properties_ex(zend_object *zobj, bool check_access,
 	if (UNEXPECTED(zend_lazy_object_must_init(zobj))) {
 		zobj = zend_lazy_object_init(zobj);
 		if (UNEXPECTED(!zobj)) {
-			return (zend_array*) &zend_empty_array;
+			return zend_new_array(0);
 		}
 	}

@iluuu1994, thoughts?

[nielsdos]

This is a duplicate of PR #15854

[iluuu1994]

@cmb69 Indeed, your solution looks correct and matches the one Arnaud came up with. Thanks!

[cmb69]

Not sure: should we close this ticket, or link Arnaud's PR to it?

[iluuu1994]

#15854 was now merged.