Assertion failure in gc with invalid variable (OOM)

YuanchengJiang commented 1 week ago

Description

The following code:

<?php
$cls = new finfo();
class foo {
    public $x;
    static public $y;
    public function a() {
        return $this->x;
    }
    static public function b() {
        return self::$y;
    }
}
$foo = new foo;
$h = $foo->a()[0]->a;
$h = foo::b()[1]->b;
var_dump($h);
$fusion = $h;
$base = curl_init('http://www.google.com/');
curl_setopt($base, CURLOPT_RETURNTRANSFER, true);
$mh = curl_multi_init();
for ($i = 0; $fusion < 2; ++$i) {
    $ch = curl_copy_handle($base);
    curl_setopt($ch, CURLOPT_HTTPHEADER, ['Foo: Bar']);
    curl_multi_add_handle($mh, $ch);
}
?>

Resulted in this output:

php: Zend/zend_types.h:1346: uint32_t zend_gc_delref(zend_refcounted_h *): Assertion `p->refcount > 0' failed.
Aborted (core dumped)

PHP Version

nightly

Operating System

ubuntu 22.04

devnexen commented 6 days ago

can't reproduce this one, is there any forgotten detail ?

YuanchengJiang commented 6 days ago

@devnexen update a new repro

nielsdos commented 6 days ago

Right, this is another OOM bug; we're likely ending up with a general solution in the future for these kinds of issues.

php / php-src

Assertion failure in gc with invalid variable (OOM) #16835

Description

PHP Version

Operating System