php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79816 Assertion `0' failed. in _zend_is_inconsistent
Submitted: 2020-07-09 05:32 UTC Modified: 2020-07-10 12:25 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: changochen1 at gmail dot com Assigned:
Status: Verified Package: Scripting Engine problem
PHP Version: 8.0Git-2020-07-09 (Git) OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: changochen1 at gmail dot com
New email:
PHP Version: OS:

 

 [2020-07-09 05:32 UTC] changochen1 at gmail dot com
Description:
------------
LOG:
php: /home/yongheng/php_clean/Zend/zend_hash.c:71: void _zend_is_inconsistent(const HashTable *, const char *, int): Assertion `0' failed.

Test script:
---------------
<?
for (;;)
    switch ( 1 ) {
    case 1 :
        switch ( $a ) {
        default :
            try {
                for ( ;[ 'x' , ob_start ( function () use ( $b ) {}, 20 ) > c] ;                ) ;
            }
            catch ( Throwable ) {     }
                foreach( array ( array_merge ( $GLOBALS ) )as $d) ;
        }
    }


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-07-10 12:25 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2020-07-10 12:25 UTC] nikic@php.net
Slightly reduced:

<?
for (;;) {
    ob_start(function () use ( $b ) {}, 20 );
    try {
        c;
    }
    catch ( Throwable ) {     }
    foreach ( array ( array_merge ($GLOBALS) ) as $d) ;
}

==295061== Invalid read of size 4
==295061==    at 0x9D3619: zend_gc_delref (zend_types.h:1162)
==295061==    by 0x9D4E9B: zend_assign_to_variable (zend_execute.h:142)
==295061==    by 0xA10B12: ZEND_FE_FETCH_R_SPEC_VAR_HANDLER (zend_vm_execute.h:20734)
==295061==    by 0xA4F624: execute_ex (zend_vm_execute.h:54324)
==295061==    by 0xA51E6E: zend_execute (zend_vm_execute.h:56361)
==295061==    by 0x9ABBF5: zend_execute_scripts (zend.c:1667)
==295061==    by 0x9127DB: php_execute_script (main.c:2537)
==295061==    by 0xA90DD3: do_cli (php_cli.c:951)
==295061==    by 0xA91ECB: main (php_cli.c:1349)
==295061==  Address 0xa45c430 is 0 bytes inside a block of size 56 free'd
==295061==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==295061==    by 0x9712D8: _efree_custom (zend_alloc.c:2426)
==295061==    by 0x97142F: _efree (zend_alloc.c:2546)
==295061==    by 0xA65D1E: zend_gc_collect_cycles (zend_gc.c:1612)
==295061==    by 0xA6367F: gc_possible_root_when_full (zend_gc.c:592)
==295061==    by 0xA63803: gc_possible_root (zend_gc.c:642)
==295061==    by 0x9D49FE: zend_object_release (zend_objects_API.h:77)
==295061==    by 0xA4CD22: execute_ex (zend_vm_execute.h:52172)
==295061==    by 0x9942AF: zend_call_function (zend_execute_API.c:785)
==295061==    by 0x9B9E2B: zend_fcall_info_call (zend_API.c:3495)
==295061==    by 0x92C2AD: php_output_handler_op (output.c:960)
==295061==    by 0x92C766: php_output_stack_apply_op (output.c:1098)
==295061==    by 0x9A723F: zend_stack_apply_with_argument (zend_stack.c:133)
==295061==    by 0x92C62B: php_output_op (output.c:1055)
==295061==    by 0x92A956: php_output_write (output.c:252)
==295061==    by 0x90EE7D: php_printf (main.c:882)
==295061==    by 0x910368: php_error_cb (main.c:1328)
==295061==    by 0x6E9AF7: soap_error_handler (soap.c:1934)
==295061==    by 0x9AA70E: zend_error_impl (zend.c:1324)
==295061==    by 0x9AACF9: zend_error_va_list (zend.c:1413)
==295061==    by 0x9AB0F4: zend_error (zend.c:1485)
==295061==    by 0x9D583D: zval_undefined_cv (zend_execute.c:266)
==295061==    by 0x9D5878: _zval_undefined_op2 (zend_execute.c:278)
==295061==    by 0xA0D2DF: ZEND_BIND_LEXICAL_SPEC_TMP_CV_HANDLER (zend_vm_execute.h:19621)
==295061==    by 0xA4F2B4: execute_ex (zend_vm_execute.h:54167)
==295061==    by 0xA51E6E: zend_execute (zend_vm_execute.h:56361)
==295061==    by 0x9ABBF5: zend_execute_scripts (zend.c:1667)
==295061==    by 0x9127DB: php_execute_script (main.c:2537)
==295061==    by 0xA90DD3: do_cli (php_cli.c:951)
==295061==    by 0xA91ECB: main (php_cli.c:1349)
==295061==  Block was alloc'd at
==295061==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==295061==    by 0x97241D: __zend_malloc (zend_alloc.c:2992)
==295061==    by 0x971267: _malloc_custom (zend_alloc.c:2417)
==295061==    by 0x9713B1: _emalloc (zend_alloc.c:2536)
==295061==    by 0x9BE9DB: _zend_new_array (zend_hash.c:278)
==295061==    by 0x79BC52: php_array_merge_wrapper (array.c:3874)
==295061==    by 0x79C0FA: zif_array_merge (array.c:3921)
==295061==    by 0x9E3553: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1278)
==295061==    by 0xA4CDF5: execute_ex (zend_vm_execute.h:52205)
==295061==    by 0xA51E6E: zend_execute (zend_vm_execute.h:56361)
==295061==    by 0x9ABBF5: zend_execute_scripts (zend.c:1667)
==295061==    by 0x9127DB: php_execute_script (main.c:2537)
==295061==    by 0xA90DD3: do_cli (php_cli.c:951)
==295061==    by 0xA91ECB: main (php_cli.c:1349)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Nov 04 18:01:28 2024 UTC