From c2115a43e37e2a0998fbfd10d2541cd2789c22e3 Mon Sep 17 00:00:00 2001 From: Arnaud Le Blanc Date: Thu, 3 Oct 2024 13:18:16 +0200 Subject: [PATCH 1/3] Handle references properties of the Exception class Fixes GH-16188 Closes GH-16196 --- Zend/tests/gh16188.phpt | 34 ++++++++++++++++++++++++++++++++++ Zend/zend_exceptions.c | 12 +++++++++--- 2 files changed, 43 insertions(+), 3 deletions(-) create mode 100644 Zend/tests/gh16188.phpt diff --git a/Zend/tests/gh16188.phpt b/Zend/tests/gh16188.phpt new file mode 100644 index 00000000000..4516f7cade9 --- /dev/null +++ b/Zend/tests/gh16188.phpt @@ -0,0 +1,34 @@ +--TEST-- +GH-16188 (Assertion failure in Zend/zend_exceptions.c) +--FILE-- +getTraceAsString()); +printf("getPrevious:\n%s\n\n", get_class($re->getPrevious())); +printf("__toString:\n%s\n\n", $re); + +?> +==DONE== +--EXPECTF-- +getTraceAsString: +#0 {main} + +getPrevious: +Exception + +__toString: +Exception in %s:%d +Stack trace:%A +#%d {main} + +Next TypeError in %s:%d +Stack trace:%A +#%d {main} + +==DONE== diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c index 8ad603e51e7..d2547ced6f7 100644 --- a/Zend/zend_exceptions.c +++ b/Zend/zend_exceptions.c 
@@ -115,15 +115,18 @@ void zend_exception_set_previous(zend_object *exception, zend_object *add_previo ex = &zv; do { ancestor = zend_read_property_ex(i_get_exception_base(add_previous), add_previous, ZSTR_KNOWN(ZEND_STR_PREVIOUS), 1, &rv); + ZVAL_DEREF(ancestor); while (Z_TYPE_P(ancestor) == IS_OBJECT) { if (Z_OBJ_P(ancestor) == Z_OBJ_P(ex)) { OBJ_RELEASE(add_previous); return; } ancestor = zend_read_property_ex(i_get_exception_base(Z_OBJ_P(ancestor)), Z_OBJ_P(ancestor), ZSTR_KNOWN(ZEND_STR_PREVIOUS), 1, &rv); + ZVAL_DEREF(ancestor); } base_ce = i_get_exception_base(Z_OBJ_P(ex)); previous = zend_read_property_ex(base_ce, Z_OBJ_P(ex), ZSTR_KNOWN(ZEND_STR_PREVIOUS), 1, &rv); + ZVAL_DEREF(previous); if (Z_TYPE_P(previous) == IS_NULL) { zend_update_property_ex(base_ce, Z_OBJ_P(ex), ZSTR_KNOWN(ZEND_STR_PREVIOUS), &pv); GC_DELREF(add_previous); @@ -630,6 +633,7 @@ ZEND_METHOD(Exception, getTraceAsString) RETURN_THROWS(); } + ZVAL_DEREF(trace); /* Type should be guaranteed by property type. */ ZEND_ASSERT(Z_TYPE_P(trace) == IS_ARRAY); RETURN_NEW_STR(zend_trace_to_string(Z_ARRVAL_P(trace), /* include_main */ true)); @@ -643,7 +647,7 @@ ZEND_METHOD(Exception, getPrevious) ZEND_PARSE_PARAMETERS_NONE(); - ZVAL_COPY(return_value, GET_PROPERTY_SILENT(ZEND_THIS, ZEND_STR_PREVIOUS)); + ZVAL_COPY_DEREF(return_value, GET_PROPERTY_SILENT(ZEND_THIS, ZEND_STR_PREVIOUS)); } /* }}} */ /* {{{ Obtain the string representation of the Exception object */ @@ -723,7 +727,8 @@ ZEND_METHOD(Exception, __toString) Z_PROTECT_RECURSION_P(exception); exception = GET_PROPERTY(exception, ZEND_STR_PREVIOUS); - if (exception && Z_TYPE_P(exception) == IS_OBJECT && Z_IS_RECURSIVE_P(exception)) { + ZVAL_DEREF(exception); + if (Z_TYPE_P(exception) == IS_OBJECT && Z_IS_RECURSIVE_P(exception)) { break; } } 
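Review bot: The three new `ZVAL_DEREF` calls in this hunk carry no explanation of why a typed, engine-managed property can hold a reference, and the same read-then-deref sequence recurs in the getTraceAsString, getPrevious and both __toString hunks; a comment at the first one such as `/* previous may be wrapped in a reference when userland bound it by reference; unwrap before inspecting its type */` plus a small helper would keep later readers of these properties from forgetting the deref. In the IS_NULL branch, `zend_update_property_ex` now writes through such a reference; if that write can fail for a typed reference (not verifiable from the hunk), the unconditional `GC_DELREF(add_previous)` that follows would leave the refcount wrong, so an `EG(exception)` check there may be warranted. zend_exception_set_previous continues outside the hunk.
```c
/* Read the `previous` property of obj and strip any reference wrapper so the
 * caller can test Z_TYPE_P() directly; rv is the zend_read_property_ex scratch
 * slot and the returned pointer may point into it. */
static zend_always_inline zval *i_read_previous_deref(zend_object *obj, zval *rv)
{
	zval *previous = zend_read_property_ex(i_get_exception_base(obj), obj, ZSTR_KNOWN(ZEND_STR_PREVIOUS), 1, rv);
	ZVAL_DEREF(previous);
	return previous;
}

/* … unchanged: zend_exception_set_previous up to the do-loop … */
		ancestor = i_read_previous_deref(add_previous, &rv);
		while (Z_TYPE_P(ancestor) == IS_OBJECT) {
			/* … unchanged: cycle check against ex … */
			ancestor = i_read_previous_deref(Z_OBJ_P(ancestor), &rv);
		}
		base_ce = i_get_exception_base(Z_OBJ_P(ex));
		previous = i_read_previous_deref(Z_OBJ_P(ex), &rv);
		/* … unchanged: IS_NULL branch … */
```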
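Review bot: The retained comment `/* Type should be guaranteed by property type. */` now sits after `ZVAL_DEREF(trace)` but no longer states the whole assumption: after the dereference the guarantee holds only if the reference is a typed reference obtained from the property itself, and in release builds the `ZEND_ASSERT` compiles away so `Z_ARRVAL_P(trace)` runs unchecked. I would extend it to `/* Type should be guaranteed by property type; a typed reference to it keeps that constraint, so the deref cannot yield a non-array. */`, or hedge it if that is not certain for every way a reference to `trace` can arise. The read of `trace` and the rest of getTraceAsString lie outside the hunk.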
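Review bot: Dropping the `exception &&` guard makes the loop depend on `GET_PROPERTY` never returning NULL, which the new unconditional `ZVAL_DEREF(exception)` requires anyway; as far as I recall zend_read_property_ex returns `&EG(uninitialized_zval)` rather than NULL when the property is absent, but the hunk does not say so and a reader will wonder why the guard disappeared. A one-line comment above the deref, `/* GET_PROPERTY never yields NULL; unwrap a possible reference before testing the type */`, would record the invariant. The same guard removal appears in the @@ -731 hunk of __toString and the comment need not be repeated there. The enclosing loop and __toString start and end outside the hunk.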
@@ -731,13 +736,14 @@ ZEND_METHOD(Exception, __toString) exception = ZEND_THIS; /* Reset apply counts */ - while (exception && Z_TYPE_P(exception) == IS_OBJECT && (base_ce = i_get_exception_base(Z_OBJ_P(exception))) && instanceof_function(Z_OBJCE_P(exception), base_ce)) { + while (Z_TYPE_P(exception) == IS_OBJECT && (base_ce = i_get_exception_base(Z_OBJ_P(exception))) && instanceof_function(Z_OBJCE_P(exception), base_ce)) { if (Z_IS_RECURSIVE_P(exception)) { Z_UNPROTECT_RECURSION_P(exception); } else { break; } exception = GET_PROPERTY(exception, ZEND_STR_PREVIOUS); + ZVAL_DEREF(exception); } exception = ZEND_THIS; From df4db5c1b4786dbcb36c2a413bbb99c5f62db7e6 Mon Sep 17 00:00:00 2001 From: Arnaud Le Blanc Date: Mon, 7 Oct 2024 15:02:44 +0200 Subject: [PATCH 2/3] NEWS for GH-16196 --- NEWS | 1 + 1 file changed, 1 insertion(+) diff --git a/NEWS b/NEWS index 83b36ef3f03..9267af608b4 100644 --- a/NEWS +++ b/NEWS @@ -22,6 +22,7 @@ PHP NEWS . Fixed bug GH-15851 (Segfault when printing backtrace during cleanup of nested generator frame). (ilutov) . Fixed bug GH-15866 (Core dumped in Zend/zend_generators.c). (Arnaud) + . Fixed bug GH-16188 (Assertion failure in Zend/zend_exceptions.c). (Arnaud) - Date: . Fixed bug GH-15582: Crash when not calling parent constructor of From a774704aaf66d39fa68b69df8d5bfd956b1422e9 Mon Sep 17 00:00:00 2001 From: Arnaud Le Blanc Date: Mon, 7 Oct 2024 15:04:13 +0200 Subject: [PATCH 3/3] NEWS for GH-16196 --- NEWS | 1 + 1 file changed, 1 insertion(+) diff --git a/NEWS b/NEWS index 902f6017196..0627e2ec0d6 100644 --- a/NEWS +++ b/NEWS @@ -22,6 +22,7 @@ PHP NEWS . Fixed bug GH-15851 (Segfault when printing backtrace during cleanup of nested generator frame). (ilutov) . Fixed bug GH-15866 (Core dumped in Zend/zend_generators.c). (Arnaud) + . Fixed bug GH-16188 (Assertion failure in Zend/zend_exceptions.c). (Arnaud) - DOM: . Fixed bug GH-16039 (Segmentation fault (access null pointer) in