zend_objects_destroy_object crashes on NULL EG(current_execute_data) during exception in destructor (zend_objects.c)

[vi3tL0u1s]

Description

The following code:

<?php
class a {
    function __destruct() {
        ob_start(function () use (&$c) {
            $c = new A;
            !self::$b =$ $x;
        }, 1);
        $c = new A;
        $array = array($c);
        header(' ');
        print_r($array);
    }
}
new a;

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==472987==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55a23e17393a bp 0x7ffd7eb42480 sp 0x7ffd7eb42360 T0)
==472987==The signal is caused by a WRITE memory access.
==472987==Hint: address points to the zero page.

Commit:

336fbf09d77

Configuration:

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic

PHP Version

PHP 8.6.0-dev (cli) (built: Oct 29 2025 14:18:41) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies

Operating System

Ubuntu 22.04

[devnexen]

Hi, are you using opcache or anything ? cannot reproduce, I get stack recursion protection exception thrown only.

[vi3tL0u1s]

Hi @devnexen,

I am not using any configuration beyond the debug ASAN build-from-source setup described in this report. I'm not sure why the issue isn't reproducible on your side.

I also tested the PoC using the system PHP package installed via sudo apt install.
It segfaults on PHP 8.1.2, while it does not segfault on 8.3 or 8.4 on my machine:

$ sudo apt update && sudo apt install -y php-cli
$ php -v
PHP 8.1.2-1ubuntu2.22 (cli) (built: Jul 15 2025 12:11:22) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.2, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.2-1ubuntu2.22, Copyright (c), by Zend Technologies
$ php poc.php
Segmentation fault

$ sudo add-apt-repository ppa:ondrej/php -y
$ sudo apt update

$ sudo apt install -y php8.3-cli
$ sudo apt install -y php8.4-cli
$ php8.3 poc.php
No Segmentation fault
$ php8.4 poc.php
No Segmentation fault

[vi3tL0u1s]

These are the clang and clang++ versions I used when building from source:

$ clang --version
Ubuntu clang version 14.0.0-1ubuntu1.1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin

$ clang++ --version
Ubuntu clang version 14.0.0-1ubuntu1.1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin

[vi3tL0u1s]

Here are the full reproducible steps on Ubuntu 22.04:

git clone https://github.com/php/php-src.git php-src-triage
cd php-src-triage

# Install clang (if not already installed)
sudo apt install clang

# Generate the configure script
./buildconf

# Configure PHP with clang, debug mode, and AddressSanitizer
CC="clang" CXX="clang++" \
CFLAGS="-fsanitize=address -g -O0" \
CXXFLAGS="-fsanitize=address -g -O0" \
./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic

# Build PHP using all available CPU cores
make -j"$(nproc)"

# Verify the build and run the PoC
sapi/cli/php -v
sapi/cli/php poc.php

AddressSanitizer:DEADLYSIGNAL
=================================================================
==472987==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55a23e17393a bp 0x7ffd7eb42480 sp 0x7ffd7eb42360 T0)
==472987==The signal is caused by a WRITE memory access.
==472987==Hint: address points to the zero page.

git log -1
commit 336fbf09d77ecbf0dddf47c32e91989b6c3e3216 (HEAD -> master, origin/master, origin/HEAD)
Author: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date:   Tue Oct 28 22:23:51 2025 +0100

    [ci skip] Remove very outdated comment

[devnexen]

ok gonna try via docker can t reproduce on ubuntu 25.10

[devnexen]

AddressSanitizer:DEADLYSIGNAL
=================================================================
==7==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x58bdcbb7704a bp 0x7ffd53e7d080 sp 0x7ffd53e7cf60 T0)
==7==The signal is caused by a WRITE memory access.
==7==Hint: address points to the zero page.
    #0 0x58bdcbb7704a in zend_objects_destroy_object /php-src-triage/Zend/zend_objects.c:164:38
    #1 0x58bdcbb74c32 in zend_objects_store_del /php-src-triage/Zend/zend_objects_API.c:181:4
    #2 0x58bdcbbde5a6 in rc_dtor_func /php-src-triage/Zend/zend_variables.c:57:2
    #3 0x58bdcba6e764 in i_zval_ptr_dtor /php-src-triage/Zend/zend_variables.h:45:4
    #4 0x58bdcba6e0b0 in zend_array_destroy /php-src-triage/Zend/zend_hash.c:1837:5
    #5 0x58bdcbbde5a6 in rc_dtor_func /php-src-triage/Zend/zend_variables.c:57:2
    #6 0x58bdcb9fc494 in i_zval_ptr_dtor /php-src-triage/Zend/zend_variables.h:45:4
    #7 0x58bdcb7c14cf in i_free_compiled_variables /php-src-triage/Zend/zend_execute.c:4277:3
    #8 0x58bdcba12d68 in zend_leave_helper_SPEC /php-src-triage/Zend/zend_vm_execute.h:1280:4
    #9 0x58bdcba27987 in zend_dispatch_try_catch_finally_helper_SPEC /php-src-triage/Zend/zend_vm_execute.h:3381:3
    #10 0x58bdcb97d586 in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER /php-src-triage/Zend/zend_vm_execute.h:3455:2
    #11 0x58bdcb7ca2f2 in execute_ex /php-src-triage/Zend/zend_vm_execute.h:116212:12
    #12 0x58bdcb7a4921 in zend_call_function /php-src-triage/Zend/zend_execute_API.c:1014:3
    #13 0x58bdcb7a6b32 in zend_call_known_function /php-src-triage/Zend/zend_execute_API.c:1108:23
    #14 0x58bdcbb79e2a in zend_call_known_instance_method /php-src-triage/Zend/zend_API.h:862:2
    #15 0x58bdcbb7768b in zend_call_known_instance_method_with_0_params /php-src-triage/Zend/zend_API.h:868:2
    #16 0x58bdcbb770c9 in zend_objects_destroy_object /php-src-triage/Zend/zend_objects.c:171:3
    #17 0x58bdcbb74c32 in zend_objects_store_del /php-src-triage/Zend/zend_objects_API.c:181:4
    #18 0x58bdcbbde5a6 in rc_dtor_func /php-src-triage/Zend/zend_variables.c:57:2
    #19 0x58bdcba6e764 in i_zval_ptr_dtor /php-src-triage/Zend/zend_variables.h:45:4
    #20 0x58bdcba6e0b0 in zend_array_destroy /php-src-triage/Zend/zend_hash.c:1837:5
    #21 0x58bdcbbde5a6 in rc_dtor_func /php-src-triage/Zend/zend_variables.c:57:2
    #22 0x58bdcba6e764 in i_zval_ptr_dtor /php-src-triage/Zend/zend_variables.h:45:4
    #23 0x58bdcba6e0b0 in zend_array_destroy /php-src-triage/Zend/zend_hash.c:1837:5
    #24 0x58bdcbbde5a6 in rc_dtor_func /php-src-triage/Zend/zend_variables.c:57:2
    #25 0x58bdcba6e764 in i_zval_ptr_dtor /php-src-triage/Zend/zend_variables.h:45:4
    #26 0x58bdcba6e1ee in zend_array_destroy /php-src-triage/Zend/zend_hash.c:1845:6
    #27 0x58bdcbbde5a6 in rc_dtor_func /php-src-triage/Zend/zend_variables.c:57:2
    #28 0x58bdcba6e764 in i_zval_ptr_dtor /php-src-triage/Zend/zend_variables.h:45:4
    #29 0x58bdcba6e0b0 in zend_array_destroy /php-src-triage/Zend/zend_hash.c:1837:5
    #30 0x58bdcbbde5a6 in rc_dtor_func /php-src-triage/Zend/zend_variables.c:57:2
    #31 0x58bdcbb76254 in i_zval_ptr_dtor /php-src-triage/Zend/zend_variables.h:45:4
    #32 0x58bdcbb75f60 in zend_object_dtor_property /php-src-triage/Zend/zend_objects.c:73:3
    #33 0x58bdcbb7644d in zend_object_std_dtor /php-src-triage/Zend/zend_objects.c:95:4
    #34 0x58bdcbb74fab in zend_objects_store_del /php-src-triage/Zend/zend_objects_API.c:196:4
    #35 0x58bdcb785376 in zend_object_release /php-src-triage/Zend/zend_objects_API.h:77:3
    #36 0x58bdcb787200 in zend_exception_error /php-src-triage/Zend/zend_exceptions.c:1012:2
    #37 0x58bdcbbfe4b0 in zend_execute_script /php-src-triage/Zend/zend.c:1982:11
    #38 0x58bdcb3fed9b in php_execute_script_ex /php-src-triage/main/main.c:2640:13
    #39 0x58bdcb3ff298 in php_execute_script /php-src-triage/main/main.c:2680:9
    #40 0x58bdcbc062a2 in do_cli /php-src-triage/sapi/cli/php_cli.c:951:5
    #41 0x58bdcbc031fc in main /php-src-triage/sapi/cli/php_cli.c:1362:18
    #42 0x7773e0d5ed8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
    #43 0x7773e0d5ee3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
    #44 0x58bdca0032f4 in _start (/php-src-triage/sapi/cli/php+0x6032f4) (BuildId: 151eb321696860103ff474673aa840f34423c044)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /php-src-triage/Zend/zend_objects.c:164:38 in zend_objects_destroy_object
==7==ABORTING

with master

[devnexen]

I recall it would be damaging to check recursion in this case (perf wise) but I might confuse. cc @arnaud-lb

[arnaud-lb]

This will be fixed by #20339