Bug #79792 HT iterators not removed if empty array is destroyed
Submitted: 2020-07-04 18:41 UTC
Modified: 2020-07-07 09:55 UTC
From: changochen1 at gmail dot com
Assigned:
Status: Closed
Package: Scripting Engine problem
PHP Version: 8.0Git-2020-07-04 (Git)
OS:
Private report: No
CVE-ID: None
 [2020-07-04 18:41 UTC] changochen1 at gmail dot com
Description:
------------
LOG:
---
php: /home/yongheng/php_clean/Zend/zend_hash.c:563: void zend_hash_iterator_del(uint32_t): Assertion `(iter->ht)->u.v.nIteratorsCount != 0' failed.
---

Test script:
---------------
<?
define ( "THE_CONST" , 3 ) ;
function b ( $a = array ( THE_CONST ) ) {
    foreach ( $a as & $c ) {
        array_shift ( $a ) ;
        list ( $a  ) = $b ;
        d   ;
    }
}
b () ;


 [2020-07-07 09:39 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2020-07-07 09:39 UTC] nikic@php.net
Reduced:

<?php 
$a = [42];
foreach ($a as &$c) {
    array_shift($a);
    $a = null;
}

Valgrind:

==931749== Invalid read of size 1
==931749==    at 0x9D84AC: zend_hash_iterator_del (zend_hash.c:562)
==931749==    by 0xA16268: ZEND_FE_FREE_SPEC_TMPVAR_HANDLER (zend_vm_execute.h:12928)
==931749==    by 0xA66AEF: execute_ex (zend_vm_execute.h:53339)
==931749==    by 0xA6A0DE: zend_execute (zend_vm_execute.h:56094)
==931749==    by 0x9C442A: zend_execute_scripts (zend.c:1667)
==931749==    by 0x92BF71: php_execute_script (main.c:2537)
==931749==    by 0xAA9077: do_cli (php_cli.c:955)
==931749==    by 0xAAA16F: main (php_cli.c:1353)
==931749==  Address 0x8ebc9aa is 10 bytes inside a block of size 56 free'd
==931749==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==931749==    by 0x98A6FA: _efree_custom (zend_alloc.c:2426)
==931749==    by 0x98A851: _efree (zend_alloc.c:2546)
==931749==    by 0x9DBCF8: zend_array_destroy (zend_hash.c:1662)
==931749==    by 0x9BFF72: rc_dtor_func (zend_variables.c:57)
==931749==    by 0x9EE297: zend_assign_to_variable (zend_execute.h:141)
==931749==    by 0xA50B89: ZEND_ASSIGN_SPEC_CV_CONST_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:39272)
==931749==    by 0xA69304: execute_ex (zend_vm_execute.h:55374)
==931749==    by 0xA6A0DE: zend_execute (zend_vm_execute.h:56094)
==931749==    by 0x9C442A: zend_execute_scripts (zend.c:1667)
==931749==    by 0x92BF71: php_execute_script (main.c:2537)
==931749==    by 0xAA9077: do_cli (php_cli.c:955)
==931749==  Block was alloc'd at
==931749==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==931749==    by 0x98B83F: __zend_malloc (zend_alloc.c:2992)
==931749==    by 0x98A689: _malloc_custom (zend_alloc.c:2417)
==931749==    by 0x98A7D3: _emalloc (zend_alloc.c:2536)
==931749==    by 0x9DD2F0: zend_array_dup (zend_hash.c:2072)
==931749==    by 0xA492FA: ZEND_FE_RESET_RW_SPEC_CV_HANDLER (zend_vm_execute.h:36337)
==931749==    by 0xA68E54: execute_ex (zend_vm_execute.h:55134)
==931749==    by 0xA6A0DE: zend_execute (zend_vm_execute.h:56094)
==931749==    by 0x9C442A: zend_execute_scripts (zend.c:1667)
==931749==    by 0x92BF71: php_execute_script (main.c:2537)
==931749==    by 0xAA9077: do_cli (php_cli.c:955)
==931749==    by 0xAAA16F: main (php_cli.c:1353)
 [2020-07-07 09:55 UTC] nikic@php.net
-Summary: Assertion `(iter->ht)->u.v.nIteratorsCount != 0' failed. +Summary: HT iterators not removed if empty array is destroyed
 [2020-07-07 10:00 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=64931fd3c4c7c3d217f2f19c997a8f89779727c5
Log: Fixed bug #79792
 [2020-07-07 10:00 UTC] nikic@php.net
-Status: Verified +Status: Closed
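
The lifetime problem behind the Valgrind trace, replayed in a simplified C model. This is an added example, not code from the report or from php-src: every name in it (`table_t`, `iter_add`, `table_destroy`, `replay`, ...) is hypothetical, and the "skip iterator removal when the table is empty" path is an assumption inferred from the bug title. Freeing is modelled with an `alive` flag so the stale access can be detected without touching freed memory.

```c
/* Simplified model of the lifetime bug; NOT php-src code, all names hypothetical. */
#include <stdint.h>
#include <stdio.h>
#define MAX_ITERS 4
typedef struct { int alive; uint32_t num_used, iterators_count; } table_t;
typedef struct { table_t *ht; } iter_t;
static iter_t iters[MAX_ITERS];            /* registry of live iterators */

static int iter_add(table_t *ht) {
    for (int i = 0; i < MAX_ITERS; i++)
        if (!iters[i].ht) { iters[i].ht = ht; ht->iterators_count++; return i; }
    return -1;                             /* registry full */
}

static void iters_remove(table_t *ht) {    /* detach every iterator of ht */
    for (int i = 0; i < MAX_ITERS; i++)
        if (iters[i].ht == ht) iters[i].ht = NULL;
}

/* fixed == 0: an empty table skips iterator removal on destroy. This shape of
 * the defect is an assumption inferred from the bug title. */
static void table_destroy(table_t *ht, int fixed) {
    if ((fixed || ht->num_used != 0) && ht->iterators_count)
        iters_remove(ht);
    ht->alive = 0;                         /* stands in for freeing the table */
}

/* Returns 0 on a clean delete, -1 when the slot points at a destroyed table. */
static int iter_del(int idx) {
    table_t *ht = iters[idx].ht;
    iters[idx].ht = NULL;
    if (!ht) return 0;                     /* already detached by destroy */
    if (!ht->alive) return -1;             /* real engine: read of freed memory */
    ht->iterators_count--;
    return 0;
}

static int replay(int fixed) {             /* lifecycle of the reduced script */
    table_t a = { 1, 1, 0 };               /* $a = [42] */
    int it = iter_add(&a);                 /* foreach ($a as &$c) */
    a.num_used = 0;                        /* array_shift($a) empties the array */
    table_destroy(&a, fixed);              /* $a = null destroys it */
    return iter_del(it);                   /* loop exit deletes the iterator */
}

int main(void) {
    printf("buggy: %d, fixed: %d\n", replay(0), replay(1));
    return 0;
}
```

In the model the iterator outlives the table only when the table is empty at destroy time, which is why the reproducer needs `array_shift` before the reassignment.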
 