Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Assertion failure zend_reference_destroy() #17736

Closed
YuanchengJiang opened this issue Feb 8, 2025 · 2 comments
Closed

Assertion failure zend_reference_destroy() #17736

YuanchengJiang opened this issue Feb 8, 2025 · 2 comments
Labels
Bug Extension: simplexml Status: Verified

Comments

@YuanchengJiang
Copy link

Description

The following code:

<?php
$xml = '<a><b></b></a>';
$o1 = new SimpleXMlElement($xml);
$o2 = clone $o1;
$r = current($o2->xpath('/a'));
$fusion = $r;
class C {
public int $a = 1;
}
function test(string $name, object $obj) {
$ref = &$obj->a;
}
$reflector = new ReflectionClass(C::class);
$obj = $reflector->newLazyGhost(function ($obj) {
});
test('Ghost', $obj);
test('Proxy', $fusion);

Resulted in this output:

php: /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_variables.c:73: void zend_reference_destroy(zend_reference *): Assertion `!((ref)->sources.ptr != ((void*)0))' failed.
Aborted (core dumped)

PHP Version

nightly

Operating System

No response
@nielsdos
Copy link
Member

nielsdos commented Feb 8, 2025
edited
Loading

Simplified:

<?php
$o1 = new SimpleXMlElement('<a/>');
class C {
    public int $a = 1;
}
function test($obj) {
    $ref =& $obj->a;
}
$obj = new C;
test($obj);
test($o1);

EDIT: this strongly looks like a cache slot issue

@nielsdos
Copy link
Member

nielsdos commented Feb 8, 2025

The call for zend_handle_fetch_obj_flags is not guarded by a CE check, which is what causes this issue.

@nielsdos nielsdos changed the title Assertion failure zend_reference_destroy() Zend/zend_variables.c Assertion failure zend_reference_destroy() Feb 8, 2025
nielsdos added a commit to nielsdos/php-src that referenced this issue Feb 8, 2025
@nielsdos
Fix phpGH-17736: Assertion failure zend_reference_destroy()
155df25 
The cache slot for FETCH_OBJ_W in function `test` is primed with the
class for C. The next call uses a simplexml instance and reuses the same
cache slot. simplexml's get_property_ptr handler does not use the cache
slot, so the old values remain in the cache slot. When
`zend_handle_fetch_obj_flags` is called this is not guarded by a check
for the class entry. So we end up using the prop_info from the property
C::$a instead of the simplexml property.

This patch adds a check for the class entry. I placed the check as late
as possible to avoid as much overhead as possible.
An alternative solution is to write NULLs to the cache slot in the
get_property_ptr handlers of extensions that don't use the cache slot,
but that is not general: not only simplexml would need changes, maybe
even third party extensions would need changes as well.
@nielsdos nielsdos linked a pull request Feb 8, 2025 that will close this issue
Fix GH-17736: Assertion failure zend_reference_destroy() #17739
Closed
nielsdos added a commit to nielsdos/php-src that referenced this issue Feb 23, 2025
@nielsdos
Fix phpGH-17736: Assertion failure zend_reference_destroy()
de4f7df 
The cache slot for FETCH_OBJ_W in function `test` is primed with the
class for C. The next call uses a simplexml instance and reuses the same
cache slot. simplexml's get_property_ptr handler does not use the cache
slot, so the old values remain in the cache slot. When
`zend_handle_fetch_obj_flags` is called this is not guarded by a check
for the class entry. So we end up using the prop_info from the property
C::$a instead of the simplexml property.

This patch adds a check for the class entry. I placed the check as late
as possible to avoid as much overhead as possible.
An alternative solution is to write NULLs to the cache slot in the
get_property_ptr handlers of extensions that don't use the cache slot,
but that is not general: not only simplexml would need changes, maybe
even third party extensions would need changes as well.
nielsdos added a commit that referenced this issue Mar 2, 2025
@nielsdos
Merge branch 'PHP-8.3' into PHP-8.4
ee4a9a4 
* PHP-8.3:
  Fix GH-17736: Assertion failure zend_reference_destroy()
nielsdos added a commit that referenced this issue Mar 2, 2025
@nielsdos
Merge branch 'PHP-8.4'
d95b9d6 
* PHP-8.4:
  Fix GH-17736: Assertion failure zend_reference_destroy()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Extension: simplexml Status: Verified
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix GH-17736: Assertion failure zend_reference_destroy() nielsdos/php-src
3 participants
@devnexen @nielsdos @YuanchengJiang