Closed
Description
The following code:
<?php
class Test
{
    function __construct()
    {
        $GLOBALS["a"] = &$this > var_dump($S);
    }
    function __destruct()
    {
        unset($GLOBALS["a"]);
    }
}
new Test();
new Test();
Resulted in this output:
USE_TRACKED_ALLOC=1 USE_ZEND_ALLOC=0 ../php-src/asan/sapi/cli/php -f ./poc.php
=================================================================
==26946==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000002230 at pc 0x5555557e07fc bp 0x7fffffff9cc0 sp 0x7fffffff9cb0
READ of size 8 at 0x602000002230 thread T0
#0 0x5555557e07fb in zval_undefined_cv php-src/Zend/zend_execute.c:271
#1 0x555555e61284 in zend_is_smaller_helper_SPEC php-src/Zend/zend_vm_execute.h:625
#2 0x555555f5eccb in execute_ex php-src/Zend/zend_vm_execute.h:57996
#3 0x555555f91637 in zend_execute php-src/Zend/zend_vm_execute.h:61087
#4 0x555555d85b89 in zend_execute_scripts php-src/Zend/zend.c:1845
#5 0x555555c56db8 in php_execute_script php-src/main/main.c:2481
#6 0x5555561111b0 in do_cli php-src/sapi/cli/php_cli.c:964
#7 0x555555811756 in main php-src/sapi/cli/php_cli.c:1333
#8 0x7ffff6089c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#9 0x555555811f49 in _start ( php-src/asan/sapi/cli/php+0x2bdf49)
Without USE_TRACKED_ALLOC=1 USE_ZEND_ALLOC=0, PHP won't crash.
Additionally, if we remove the last line and run again, we will see a memory leak:
<?php
class Test
{
    function __construct()
    {
        $GLOBALS["a"] = &$this > var_dump($S);
    }
    function __destruct()
    {
        unset($GLOBALS["a"]);
    }
}
new Test();
=================================================================
==27616==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x555555cf5965 in tracked_malloc php-src/Zend/zend_alloc.c:2827
#2 0x555555fec6e8 in zend_objects_new php-src/Zend/zend_objects.c:187
#3 0x555555d8e280 in _object_and_properties_init php-src/Zend/zend_API.c:1723
#4 0x555555d8e280 in object_init_ex php-src/Zend/zend_API.c:1746
#5 0x555555e92d78 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER php-src/Zend/zend_vm_execute.h:10472
#6 0x555555f6376a in execute_ex php-src/Zend/zend_vm_execute.h:57620
#7 0x555555f91637 in zend_execute php-src/Zend/zend_vm_execute.h:61087
#8 0x555555d85b89 in zend_execute_scripts php-src/Zend/zend.c:1845
#9 0x555555c56db8 in php_execute_script php-src/main/main.c:2481
#10 0x5555561111b0 in do_cli php-src/sapi/cli/php_cli.c:964
#11 0x555555811756 in main php-src/sapi/cli/php_cli.c:1333
#12 0x7ffff6089c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
PHP Version: PHP 8.3.0-dev
Operating System: No response