Bug #79816 Assertion `0' failed. in _zend_is_inconsistent
Submitted: 2020-07-09 05:32 UTC Modified: 2020-07-10 12:25 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: changochen1 at gmail dot com Assigned:
Status: Verified Package: Scripting Engine problem
PHP Version: 8.0Git-2020-07-09 (Git) OS:
Private report: No CVE-ID: None
 [2020-07-09 05:32 UTC] changochen1 at gmail dot com
Description:
------------
LOG:
php: /home/yongheng/php_clean/Zend/zend_hash.c:71: void _zend_is_inconsistent(const HashTable *, const char *, int): Assertion `0' failed.

Test script:
---------------
<?
for (;;)
    switch ( 1 ) {
    case 1 :
        switch ( $a ) {
        default :
            try {
                for ( ;[ 'x' , ob_start ( function () use ( $b ) {}, 20 ) > c] ;                ) ;
            }
            catch ( Throwable ) {     }
                foreach( array ( array_merge ( $GLOBALS ) )as $d) ;
        }
    }


 [2020-07-10 12:25 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2020-07-10 12:25 UTC] nikic@php.net
Slightly reduced:

<?
for (;;) {
    ob_start(function () use ( $b ) {}, 20 );
    try {
        c;
    }
    catch ( Throwable ) {     }
    foreach ( array ( array_merge ($GLOBALS) ) as $d) ;
}

==295061== Invalid read of size 4
==295061==    at 0x9D3619: zend_gc_delref (zend_types.h:1162)
==295061==    by 0x9D4E9B: zend_assign_to_variable (zend_execute.h:142)
==295061==    by 0xA10B12: ZEND_FE_FETCH_R_SPEC_VAR_HANDLER (zend_vm_execute.h:20734)
==295061==    by 0xA4F624: execute_ex (zend_vm_execute.h:54324)
==295061==    by 0xA51E6E: zend_execute (zend_vm_execute.h:56361)
==295061==    by 0x9ABBF5: zend_execute_scripts (zend.c:1667)
==295061==    by 0x9127DB: php_execute_script (main.c:2537)
==295061==    by 0xA90DD3: do_cli (php_cli.c:951)
==295061==    by 0xA91ECB: main (php_cli.c:1349)
==295061==  Address 0xa45c430 is 0 bytes inside a block of size 56 free'd
==295061==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==295061==    by 0x9712D8: _efree_custom (zend_alloc.c:2426)
==295061==    by 0x97142F: _efree (zend_alloc.c:2546)
==295061==    by 0xA65D1E: zend_gc_collect_cycles (zend_gc.c:1612)
==295061==    by 0xA6367F: gc_possible_root_when_full (zend_gc.c:592)
==295061==    by 0xA63803: gc_possible_root (zend_gc.c:642)
==295061==    by 0x9D49FE: zend_object_release (zend_objects_API.h:77)
==295061==    by 0xA4CD22: execute_ex (zend_vm_execute.h:52172)
==295061==    by 0x9942AF: zend_call_function (zend_execute_API.c:785)
==295061==    by 0x9B9E2B: zend_fcall_info_call (zend_API.c:3495)
==295061==    by 0x92C2AD: php_output_handler_op (output.c:960)
==295061==    by 0x92C766: php_output_stack_apply_op (output.c:1098)
==295061==    by 0x9A723F: zend_stack_apply_with_argument (zend_stack.c:133)
==295061==    by 0x92C62B: php_output_op (output.c:1055)
==295061==    by 0x92A956: php_output_write (output.c:252)
==295061==    by 0x90EE7D: php_printf (main.c:882)
==295061==    by 0x910368: php_error_cb (main.c:1328)
==295061==    by 0x6E9AF7: soap_error_handler (soap.c:1934)
==295061==    by 0x9AA70E: zend_error_impl (zend.c:1324)
==295061==    by 0x9AACF9: zend_error_va_list (zend.c:1413)
==295061==    by 0x9AB0F4: zend_error (zend.c:1485)
==295061==    by 0x9D583D: zval_undefined_cv (zend_execute.c:266)
==295061==    by 0x9D5878: _zval_undefined_op2 (zend_execute.c:278)
==295061==    by 0xA0D2DF: ZEND_BIND_LEXICAL_SPEC_TMP_CV_HANDLER (zend_vm_execute.h:19621)
==295061==    by 0xA4F2B4: execute_ex (zend_vm_execute.h:54167)
==295061==    by 0xA51E6E: zend_execute (zend_vm_execute.h:56361)
==295061==    by 0x9ABBF5: zend_execute_scripts (zend.c:1667)
==295061==    by 0x9127DB: php_execute_script (main.c:2537)
==295061==    by 0xA90DD3: do_cli (php_cli.c:951)
==295061==    by 0xA91ECB: main (php_cli.c:1349)
==295061==  Block was alloc'd at
==295061==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==295061==    by 0x97241D: __zend_malloc (zend_alloc.c:2992)
==295061==    by 0x971267: _malloc_custom (zend_alloc.c:2417)
==295061==    by 0x9713B1: _emalloc (zend_alloc.c:2536)
==295061==    by 0x9BE9DB: _zend_new_array (zend_hash.c:278)
==295061==    by 0x79BC52: php_array_merge_wrapper (array.c:3874)
==295061==    by 0x79C0FA: zif_array_merge (array.c:3921)
==295061==    by 0x9E3553: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1278)
==295061==    by 0xA4CDF5: execute_ex (zend_vm_execute.h:52205)
==295061==    by 0xA51E6E: zend_execute (zend_vm_execute.h:56361)
==295061==    by 0x9ABBF5: zend_execute_scripts (zend.c:1667)
==295061==    by 0x9127DB: php_execute_script (main.c:2537)
==295061==    by 0xA90DD3: do_cli (php_cli.c:951)
==295061==    by 0xA91ECB: main (php_cli.c:1349)
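Added triage example (not part of the bug report or of PHP's code): it splits a memcheck error like the one above into its access, free and allocation stacks, then lists the frames between the two `execute_ex` frames of the free stack, which is the path by which the engine re-entered user code before the block was freed. The function names are this example's own, and the embedded report is an abridged copy of the trace above.

```python
import re
# Abridged from the Valgrind report above: frames dropped, none altered.
REPORT = """\
==295061== Invalid read of size 4
==295061==    at 0x9D3619: zend_gc_delref (zend_types.h:1162)
==295061==    by 0xA10B12: ZEND_FE_FETCH_R_SPEC_VAR_HANDLER (zend_vm_execute.h:20734)
==295061==  Address 0xa45c430 is 0 bytes inside a block of size 56 free'd
==295061==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==295061==    by 0xA65D1E: zend_gc_collect_cycles (zend_gc.c:1612)
==295061==    by 0x9D49FE: zend_object_release (zend_objects_API.h:77)
==295061==    by 0xA4CD22: execute_ex (zend_vm_execute.h:52172)
==295061==    by 0x9942AF: zend_call_function (zend_execute_API.c:785)
==295061==    by 0x92C2AD: php_output_handler_op (output.c:960)
==295061==    by 0x910368: php_error_cb (main.c:1328)
==295061==    by 0xA0D2DF: ZEND_BIND_LEXICAL_SPEC_TMP_CV_HANDLER (zend_vm_execute.h:19621)
==295061==    by 0xA4F2B4: execute_ex (zend_vm_execute.h:54167)
==295061==  Block was alloc'd at
==295061==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==295061==    by 0x9BE9DB: _zend_new_array (zend_hash.c:278)
==295061==    by 0x79C0FA: zif_array_merge (array.c:3921)
"""

FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(")
SECTIONS = (("Invalid ", "access"), ("free'd", "free"), ("alloc'd", "alloc"))
ALLOCATOR = {"malloc", "free", "__zend_malloc", "_malloc_custom",
             "_emalloc", "_efree_custom", "_efree"}

def parse_memcheck(text):
    """Split one memcheck error into access, free and allocation stacks."""
    stacks, current = {"access": [], "free": [], "alloc": []}, None
    for line in text.splitlines():
        frame = FRAME.match(line)
        if frame and current:
            stacks[current].append(frame.group(1))
        else:  # a header line switches the stack being filled
            current = next((n for key, n in SECTIONS if key in line), current)
    return stacks

def first_engine_frame(stack):  # innermost frame outside the allocators
    return next(f for f in stack if f not in ALLOCATOR)

def reentry_path(free_stack, vm="execute_ex"):
    """Frames between the nested and outer VM loop, innermost first."""
    idx = [i for i, f in enumerate(free_stack) if f == vm]
    return free_stack[idx[0] + 1:idx[-1]] if len(idx) > 1 else []

if __name__ == "__main__":
    s = parse_memcheck(REPORT)
    print({k: first_engine_frame(v) for k, v in s.items()}, reentry_path(s["free"]))
```

The allocator wrapper names in `ALLOCATOR` are the ones that appear in the full trace, so the same functions can be run on the unabridged report.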
Last updated: Sat Dec 21 11:01:30 2024 UTC