Assertion Failure in zend_reference_destroy
Introduction
This article covers an assertion failure in the zend_reference_destroy function of the Zend engine. The failure is triggered by a short script that combines ReflectionClass (a lazy proxy created with newLazyProxy), array_walk, and ArrayObject. We look at the code, the resulting error, and the steps to reproduce the issue.
Code Snippet
The following code snippet is responsible for triggering the assertion failure:
<?php
class C {
    public int $a = 1;
}
$reflector = new ReflectionClass(C::class);
$obj = $reflector->newLazyProxy(function () {
    return new C();
});
array_walk($obj, function (&$value, $key) {
});
$ao = new ArrayObject($obj);
$ao['a'] = 42;
Error Output
When running the above code snippet, the following error output is generated:
php: /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_variables.c:73: void zend_reference_destroy(zend_reference *): Assertion `!((ref)->sources.ptr != ((void*)0))' failed.
Aborted (core dumped)
Reproducing the Issue
To reproduce the issue, follow these steps:
- Clone the PHP source code repository using the following command:
git clone https://github.com/php/php-src.git
- Navigate to the PHP source code directory:
cd php-src
- Check out commit 2b0cb760d41c1a531449b5df0733e32b1fa4c82b using the following command:
git checkout 2b0cb760d41c1a531449b5df0733e32b1fa4c82b
- Configure the PHP build using the following command:
./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv
- Build the PHP source code using the following command:
make
- Run the test script using the following command:
./sapi/cli/php ./test.php
Commit Hash
The commit hash responsible for the assertion failure is 2b0cb760d41c1a531449b5df0733e32b1fa4c82b.
Configurations
The configurations used to build the PHP source code are as follows:
CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE"
./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv
Operating System
The PHP source code was built on an Ubuntu 20.04 host, using the Docker image 0599jiangyc/flowfusion:latest.
Conclusion
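Q: What is an assertion failure in zend_reference_destroy?
A: The assertion in zend_reference_destroy, `!((ref)->sources.ptr != ((void*)0))`, requires that a reference being destroyed has no type sources left, that is, ref->sources.ptr must be NULL. It fails when the Zend engine destroys a reference that is still registered against a typed property, such as public int $a in the snippet above. The check is active in debug builds (--enable-debug), where a failure aborts the process.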
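The invariant behind that assertion, as an added C model that is not php-src code and does not diagnose the root cause of this bug. All type and function names are hypothetical, and the model assumes a single type source per reference and an immediate destroy when a slot is overwritten.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustrative model only: these types and names are hypothetical, not php-src code. */
typedef struct { const char *name; } prop_info;   /* a typed property, e.g. `public int $a` */

typedef struct {
    int value;
    const prop_info *source;   /* stands in for ref->sources.ptr (one source in this model) */
} reference;

typedef struct { reference *ref; int plain; } slot;   /* property slot: a reference or a plain value */

/* Bind/unbind the typed property whose type the reference must keep honoring. */
static void add_type_source(reference *r, const prop_info *p) { r->source = p; }
static void del_type_source(reference *r, const prop_info *p) { if (r->source == p) r->source = NULL; }

/* The condition from the failing assertion: no source may remain at destroy time. */
static int destroy_invariant_holds(const reference *r) { return r->source == NULL; }

/* Overwrite a slot that currently holds a bound reference. The old reference is
 * treated as destroyed immediately (its refcount is assumed to drop to zero). */
static int overwrite_slot(slot *s, const prop_info *p, int new_value, int unbind_first)
{
    reference *old = s->ref;
    s->ref = NULL;
    s->plain = new_value;
    if (old == NULL) return 1;              /* nothing to destroy */
    if (unbind_first) del_type_source(old, p);
    return destroy_invariant_holds(old);    /* 0 here is where a debug build would abort */
}

/* Build one object slot bound to property `a`, then overwrite it with 42. */
static int run_case(int unbind_first)
{
    prop_info a = { "a" };
    reference r = { 1, NULL };
    slot s = { &r, 0 };
    add_type_source(&r, &a);
    return overwrite_slot(&s, &a, 42, unbind_first);
}

int main(void)
{
    printf("unbind before destroy: invariant %s\n", run_case(1) ? "holds" : "violated");
    printf("overwrite without unbind: invariant %s\n", run_case(0) ? "holds" : "violated");
    return 0;
}
```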
Q: What is the cause of the assertion failure in zend_reference_destroy?
A: The cause of the assertion failure in zend_reference_destroy is a bug in the PHP source code. The bug is related to the way the Zend engine handles references, and it is triggered by the snippet above, which combines a lazy proxy, array_walk with a by-reference callback, and an ArrayObject write to the typed property a.