Assertion `(key)->h != 0 && "Hash must be known"' failed.

[Changochen]

Description

The following code:

<?php
$$P = new stdClass();
for (; ; ) {
    $$a->{90};
    $$a->{0} = 0;
}
?>

Resulted in this output:

php-src/Zend/zend_hash.c:673: zend_hash_find_bucket: Assertion `(key)->h != 0 && "Hash must be known"' failed.

PHP Version

PHP 8.3.0-dev

Operating System

No response

[nielsdos]

Can confirm on >=8.1. Simpler reproducer (without variable-variables):

<?php
$a = new stdClass();
for (; ; ) {
    $a->{90};
    $a->{0} = 0;
}

[nielsdos]

This is what happens:
The problem is the $a->{90} line. At the first iteration there is no cache slot set yet, so the following code is executed:

php-src/Zend/zend_vm_def.h

Line 2113 in 18b611d

name = Z_STR_P(GET_OP2_ZVAL_PTR(BP_VAR_R));

Note that the hash is not computed here.

Then in the second iteration there is a cache slot, but still the hash of name is not computed yet. The lookup in the zobj->properties table is done with zend_hash_find_known_hash which assumes name has a hash and therefore it crashes with an assertion failure.

While changing zend_hash_find_known_hash to zend_hash_find would fix this particular issue, I don't think that's entirely right because the hash is already used prior to that function call:

php-src/Zend/zend_vm_def.h

Line 2088 in 18b611d

(EXPECTED(p->h == ZSTR_H(name)) &&

While we could add a zend_string_hash_val at the start of that branch, that would slow down the case where we do have a hash and a cache slot already because of the extra check. So I propose to add a zend_string_hash_val when the name string is assigned the first time instead.