Description
Summary
A PHP debug build aborts with zend_gc_delref(): Assertion p->refcount > 0 failed, and a non-debug ASan build reports heap-use-after-free, when an error handler mutates by-reference the array currently used as the LHS of an array-offset concat assignment.
Reproducer
<?php
// Two iterations: the first one frees the old array, the second one trips the assertion / ASan.
for ($i = 0; $i < 2; $i++) {
    $a = [[1], [2]];
    // The handler captures $a by reference and replaces it while $a[1] .= ... is in progress.
    set_error_handler(function () use (&$a) { $a = "changed"; });
    try {
        // $a[1] is an array, so the concat raises "Array to string conversion" and invokes the handler.
        $a[1] .= 1234;
    } catch (Throwable $e) {}
    restore_error_handler();
}
Non-debug ASan evidence
USE_ZEND_ALLOC=0 ASAN_OPTIONS=detect_leaks=1:halt_on_error=1:abort_on_error=1 builds/php-release-asan/sapi/cli/php repro_leak_once.php
Reports:
ERROR: AddressSanitizer: heap-use-after-free
SUMMARY: AddressSanitizer: heap-use-after-free .../Zend/zend_variables.h:41 in i_zval_ptr_dtor
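An added triage helper, not part of the original report: it runs the reproducer once under the same environment variables used above and classifies the outcome (ASan use-after-free, debug-build assertion, other ASan report, or clean), which is convenient when bisecting builds. The php binary path and the reproducer filename are assumptions passed on the command line.

```shell
#!/bin/sh
# Added triage helper (not part of the php-src report). PHP_BIN and the
# reproducer path are assumptions supplied by the caller.
set -u

# Classify the captured stdout/stderr text of one run into a short label.
classify_output() {
    out="$1"
    case "$out" in
        *heap-use-after-free*)         echo "asan-uaf" ;;
        *"Assertion"*"refcount > 0"*)  echo "debug-assert" ;;
        *AddressSanitizer*)            echo "asan-other" ;;
        *)                             echo "clean" ;;
    esac
}

# Run the reproducer once with USE_ZEND_ALLOC=0 so ASan sees every allocation,
# then print the exit status and the classification of the output.
run_repro() {
    php_bin="$1"; script="$2"
    out=$(USE_ZEND_ALLOC=0 \
          ASAN_OPTIONS=detect_leaks=1:halt_on_error=1:abort_on_error=1 \
          "$php_bin" "$script" 2>&1)
    rc=$?
    echo "exit=$rc class=$(classify_output "$out")"
}

# Usage: ./triage.sh /path/to/php [repro_leak_once.php]
if [ "${1:-}" != "" ]; then
    run_repro "$1" "${2:-repro_leak_once.php}"
fi
```

A non-zero exit with class=asan-uaf on the ASan build, or class=debug-assert on the --enable-debug build, reproduces the report; class=clean on a candidate fix is the signal to look for.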
Environment
- PHP-8.5
- php-src commit: 403bf75
- Debug repro configure:
--disable-all --enable-cli --disable-cgi --enable-debug --without-pear
- Non-debug ASan configure:
CFLAGS='-fsanitize=address -fno-omit-frame-pointer -g -O1' LDFLAGS='-fsanitize=address' ../../php-src/configure --disable-all --enable-cli --disable-cgi --without-pear
PHP Version
PHP-8.5 at commit 403bf75d83265e535bef19bfda72915132f5707
Operating System
No response