From 87d59d7fddf995410d70672e5a172a8be6479e5f Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 17 Sep 2024 01:16:54 +0200
Subject: [PATCH] Fix GH-15905: Assertion failure for TRACK_VARS_SERVER

When the superglobals are eagerly initialized, but "S" is not contained
in `variables_order`, `TRACK_VARS_SERVER` is created as empty array
with refcount > 1.  Since this hash table may later be modified, a flag
is set which allows such COW violations for assertions.  However, when
`register_argc_argv` is on, the so far uninitialized hash table is
updated with `argv`, what causes the hash table to be initialized, what
drops the allow-COW-violations flag.  The following update with `argc`
then triggers a refcount violation assertion.

Since we consider `HT_ALLOW_COW_VIOLATION` a hack, we do not want to
keep the flag during hash table initialization, so we initialize the
hash table right away after creation for this code path.

Closes GH-15930.
---
 NEWS                     |  1 +
 main/php_variables.c     |  1 +
 tests/basic/gh15905.phpt | 12 ++++++++++++
 3 files changed, 14 insertions(+)
 create mode 100644 tests/basic/gh15905.phpt

diff --git a/NEWS b/NEWS
index d41711a82e0..533617e7995 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug GH-15712: zend_strtod overflow with precision INI set on
     large value. (David Carlier)
+  . Fixed bug GH-15905 (Assertion failure for TRACK_VARS_SERVER). (cmb)
 
 - Date:
   . Fixed bug GH-15582: Crash when not calling parent constructor of
diff --git a/main/php_variables.c b/main/php_variables.c
index eb442c3d2f9..bac5b1b673b 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -897,6 +897,7 @@ static bool php_auto_globals_create_server(zend_string *name)
 	} else {
 		zval_ptr_dtor_nogc(&PG(http_globals)[TRACK_VARS_SERVER]);
 		array_init(&PG(http_globals)[TRACK_VARS_SERVER]);
+		zend_hash_real_init_mixed(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]));
 	}
 
 	check_http_proxy(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]));
diff --git a/tests/basic/gh15905.phpt b/tests/basic/gh15905.phpt
new file mode 100644
index 00000000000..6636b970242
--- /dev/null
+++ b/tests/basic/gh15905.phpt
@@ -0,0 +1,12 @@
+--TEST--
+GH-15905 (Assertion failure for TRACK_VARS_SERVER)
+--INI--
+variables_order=E
+auto_globals_jit=0
+register_argc_argv=1
+--FILE--
+<?php
+echo "okay\n";
+?>
+--EXPECT--
+okay