Use-after-free with extract() and EXTR_REFS

[iluuu1994]

Description

Originally reported by @nrathaus.

The following code:

<?php

class GetFree {
  public function __destruct() {
    unset($GLOBALS['b']);
  }
}

$b = new GetFree;
$array = array("b" => "AB");
extract($array, EXTR_REFS);

Resulted in this output:

=================================================================
==2221828==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400002a690 at pc 0x000001a62bfb bp 0x7ffe743dd560 sp 0x7ffe743dd558
READ of size 4 at 0x60400002a690 thread T0
    #0 0x1a62bfa in zend_gc_delref /home/ilutov/Developer/php-src/Zend/zend_types.h:1351
    #1 0x1a650a6 in zend_objects_store_del /home/ilutov/Developer/php-src/Zend/zend_objects_API.c:180
    #2 0x1aeef47 in rc_dtor_func /home/ilutov/Developer/php-src/Zend/zend_variables.c:57
    #3 0x1aeed67 in i_zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.h:45
    #4 0x1aef38d in zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.c:84
    #5 0xd76be4 in php_extract_ref_overwrite /home/ilutov/Developer/php-src/ext/standard/array.c:1960
    #6 0xd859bf in zif_extract /home/ilutov/Developer/php-src/ext/standard/array.c:2626
    #7 0x15fbce8 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:1299
    #8 0x18a0edc in execute_ex /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:58827
    #9 0x18be62e in zend_execute /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:64259
    #10 0x1b16be0 in zend_execute_script /home/ilutov/Developer/php-src/Zend/zend.c:1943
    #11 0x10d9a89 in php_execute_script_ex /home/ilutov/Developer/php-src/main/main.c:2594
    #12 0x10d9fb8 in php_execute_script /home/ilutov/Developer/php-src/main/main.c:2634
    #13 0x1b1ee50 in do_cli /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:952
    #14 0x1b22638 in main /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:1355
    #15 0x7fc08603227d in __libc_start_call_main (/nix/store/maxa3xhmxggrc5v2vc0c3pjb79hjlkp9-glibc-2.40-66/lib/libc.so.6+0x2a27d) (BuildId: ff927b1b82bf859074854af941360cb428b4c739)
    #16 0x7fc086032338 in __libc_start_main_alias_1 (/nix/store/maxa3xhmxggrc5v2vc0c3pjb79hjlkp9-glibc-2.40-66/lib/libc.so.6+0x2a338) (BuildId: ff927b1b82bf859074854af941360cb428b4c739)
    #17 0x6025f4 in _start (/home/ilutov/Developer/php-src/sapi/cli/php+0x6025f4)

But I expected this output instead:

PHP Version

PHP 8.3+

Operating System

No response