Assertion `(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))' failed.

[Changochen]

Description

The following code:

<?[$i]=$i[]=$i=&$Yhh;$i[$m==$i[]=$i];$h=$i[$m==$i[]=0]+=$Yhh;

Resulted in this output:

Zend/zend_hash.c:1007: zval *_zend_hash_index_add_or_update_i(HashTable *, zend_ulong, zval *, uint32_t): Assertion `(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))' failed.

Reproduce steps:

./configure --disable-all --enable-address-sanitizer --disable-phpdbg --disable-cgi --with-pic --enable-debug-assertions
make -j
./sapi/cli/php -f poc.php

Git commit: b96b88b

PS: Without the debug assertions, the poc doesn't trigger a crash or abort by sanitizer.

PHP Version

PHP 8.3.0-dev

Operating System

Ubuntu 20.04

[cmb69]

I can confirm this (happens at least with PHP-8.1); I'm not sure, though, whether that's worth fixing, since the code is pathologic.

[Changochen]

Running git bitsect and found the first bad commit was edc7c8c. By checking the commit message, maybe this can be also triggerred by normal code? The PoC is found by fuzzing so the code is mal-formed.

[nielsdos]

I played with it a bit and found a slightly easier reproducer:

<?php
$i = &$new_array;
$i[] = $i;
$i[] = $i;
$i[] = 0;
$i[true] += $new_array; // I can only reproduce it with the key true here

[cmb69]

$i[true] += $new_array; // I can only reproduce it with the key true here

$i[1] exhibits the same behavior (expectedly).

[iluuu1994]

See #10975 (comment). I had to revert this change. Maybe we can find a different solution.