Closed as duplicate of #19983
Description
The following code:
```php
<?php
class a {
    function __destruct() {
        static $gen = (function() {
            $from = (function () {
                !$v =& min(0, $x);
                x:$n[] = new a;
                y;
                yield;
            })();
            try { yield from $from; } finally { $y>next(); }
        })();
        $fiber = new Fiber(function () use ($gen) {
            $gen->current();
            $gen->next();
        });
        $fiber->start();
    }
}
new a;
```
Crash Output (with USE_ZEND_ALLOC=0)
```
==PID==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000002ce9
READ of size 1 at 0x511000002ce9 thread T0
    #0 in zval_ptr_dtor_nogc /path/to/php-src/Zend/zend_variables.h:35
    #1 in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER /path/to/php-src/Zend/zend_vm_execute.h:3450
    #2 in execute_ex /path/to/php-src/Zend/zend_vm_execute.h:116576
    #3 in zend_generator_resume /path/to/php-src/Zend/zend_generators.c:844
    #4 in zend_generator_ensure_initialized /path/to/php-src/Zend/zend_generators.c:900
    #5 in zim_Generator_current /path/to/php-src/Zend/zend_generators.c:955
    ...
0x511000002ce9 is located 9 bytes to the right of 224-byte region
allocated by thread T0 here:
    #0 in __interceptor_malloc
    #1 in __zend_malloc /path/to/php-src/Zend/zend_alloc.c:3543
    #2 in _emalloc /path/to/php-src/Zend/zend_alloc.c:2780
    #3 in ZEND_GENERATOR_CREATE_SPEC_HANDLER /path/to/php-src/Zend/zend_vm_execute.h:2354
    ...
SUMMARY: AddressSanitizer: heap-buffer-overflow /path/to/php-src/Zend/zend_variables.h:35 in zval_ptr_dtor_nogc
```
Commit
c518a6ba8bf7a3eb6551424c7ca90dfa06b01b15
Configurations
./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic --enable-mbstring --with-zlib
PHP Version
PHP 8.6.0-dev (cli) (built: Jan 9 2026 14:43:36) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies
Operating System
Ubuntu 22.04