Description
The following fuzzer-generated input:
https://github.com/vi3tL0u1s/poc/blob/master/php-src-assertion-bug
Resulted in this output:
php: /path/to/php-src/Zend/zend_hash.c:1090: zval *_zend_hash_index_add_or_update_i(HashTable *, zend_ulong, zval *, uint32_t): Assertion `(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))' failed.
Aborted (core dumped)
To reproduce:
curl -s https://raw.githubusercontent.com/vi3tL0u1s/poc/master/php-src-assertion-bug | ./php-src/sapi/cli/php
Commit:
e844e68af8d
Configurations:
CC="clang" CXX="clang++" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --disable-all --enable-cli
Additional Notes
This appears to be related to issue #17935 but triggers through a different code path:
- This issue: _zend_hash_index_add_or_update_i (line 1090) - numeric array operations
- Issue #17935 (Assertion failure Zend/zend_hash.c): _zend_hash_add_or_update_i (line 825) - string array operations
PHP Version
PHP 8.5.0-dev (cli) (built: Aug 27 2025 15:01:35) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.5.0-dev, Copyright (c) Zend Technologies
with Zend OPcache v8.5.0-dev, Copyright (c), by Zend Technologies
Operating System
Ubuntu 20.04
huynxvn