diff --git a/NEWS b/NEWS index dc464b1abec..b1f7dbf8e30 100644 --- a/NEWS +++ b/NEWS @@ -12,6 +12,9 @@ PHP NEWS . Fixed bug GH-17913 (ReflectionFunction::isDeprecated() returns incorrect results for closures created from magic __call()). (timwolla) +- Treewide: + . Fixed bug GH-17736 (Assertion failure zend_reference_destroy()). (nielsdos) + 27 Feb 2025, PHP 8.4.5 - BCMath: diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index 0f8b062e3f0..f5399ad28dc 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c @@ -3424,6 +3424,9 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c return; } } + } else if (prop_op_type == IS_CONST) { + /* CE mismatch, make cache slot consistent */ + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; } /* Pointer on property callback is required */ diff --git a/ext/date/php_date.c b/ext/date/php_date.c index 33663c01aae..4093f7a444c 100644 --- a/ext/date/php_date.c +++ b/ext/date/php_date.c @@ -4618,6 +4618,7 @@ static zval *date_interval_get_property_ptr_ptr(zend_object *object, zend_string zend_string_equals_literal(name, "days") || zend_string_equals_literal(name, "invert") ) { /* Fallback to read_property. */ + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; ret = NULL; } else { ret = zend_std_get_property_ptr_ptr(object, name, type, cache_slot); diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c index 6f9d87feebf..f84f17fee2e 100644 --- a/ext/dom/php_dom.c +++ b/ext/dom/php_dom.c @@ -362,6 +362,7 @@ static zval *dom_get_property_ptr_ptr(zend_object *object, zend_string *name, in return zend_std_get_property_ptr_ptr(object, name, type, cache_slot); } + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; return NULL; } diff --git a/ext/pdo/pdo_stmt.c b/ext/pdo/pdo_stmt.c index 94106b715ef..fce9901ab82 100644 --- a/ext/pdo/pdo_stmt.c +++ b/ext/pdo/pdo_stmt.c @@ -2491,6 +2491,7 @@ static zval *pdo_row_get_property_ptr_ptr(zend_object *object, zend_string *name ZEND_IGNORE_VALUE(type); ZEND_IGNORE_VALUE(cache_slot); + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; return NULL; } diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c index df4640e59dd..d119063502c 100644 --- a/ext/simplexml/simplexml.c +++ b/ext/simplexml/simplexml.c @@ -639,6 +639,8 @@ static zval *sxe_property_get_adr(zend_object *object, zend_string *zname, int f SXE_ITER type; zval member; + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + sxe = php_sxe_fetch_object(object); GET_NODE(sxe, node); if (UNEXPECTED(!node)) { diff --git a/ext/simplexml/tests/gh17736.phpt b/ext/simplexml/tests/gh17736.phpt new file mode 100644 index 00000000000..78561f6ab02 --- /dev/null +++ b/ext/simplexml/tests/gh17736.phpt @@ -0,0 +1,20 @@ +--TEST-- +GH-17736 (Assertion failure zend_reference_destroy()) +--EXTENSIONS-- +simplexml +--FILE-- +'); +class C { + public int $a = 1; +} +function test($obj) { + $ref =& $obj->a; +} +$obj = new C; +test($obj); +test($o1); +echo "Done\n"; +?> +--EXPECT-- +Done diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c index 91b530f3b39..354ac2e5178 100644 --- a/ext/snmp/snmp.c +++ b/ext/snmp/snmp.c @@ -1861,6 +1861,7 @@ static zval *php_snmp_get_property_ptr_ptr(zend_object *object, zend_string *nam return zend_std_get_property_ptr_ptr(object, name, type, cache_slot); } + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; return NULL; } diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index db7f4fff9bb..14c31bd42ab 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -861,6 +861,8 @@ static zval *spl_array_get_property_ptr_ptr(zend_object *object, zend_string *na if ((intern->ar_flags & SPL_ARRAY_ARRAY_AS_PROPS) != 0 && !zend_std_has_property(object, name, ZEND_PROPERTY_EXISTS, NULL)) { + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + /* If object has offsetGet() overridden, then fallback to read_property, * which will call offsetGet(). */ zval member; diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c index 083cd33cc6c..d0a3673c894 100644 --- a/ext/xmlreader/php_xmlreader.c +++ b/ext/xmlreader/php_xmlreader.c @@ -113,10 +113,12 @@ static int xmlreader_property_reader(xmlreader_object *obj, xmlreader_prop_handl zval *xmlreader_get_property_ptr_ptr(zend_object *object, zend_string *name, int type, void **cache_slot) { zval *retval = NULL; - xmlreader_prop_handler *hnd = zend_hash_find_ptr(&xmlreader_prop_handlers, name); + xmlreader_prop_handler *hnd = zend_hash_find_ptr(&xmlreader_prop_handlers, name); if (hnd == NULL) { retval = zend_std_get_property_ptr_ptr(object, name, type, cache_slot); + } else { + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; } return retval; diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c index e9b560ab1df..3b2fe0bc366 100644 --- a/ext/zip/php_zip.c +++ b/ext/zip/php_zip.c @@ -889,6 +889,8 @@ static zval *php_zip_get_property_ptr_ptr(zend_object *object, zend_string *name zval *retval = NULL; zip_prop_handler *hnd = NULL; + cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; + obj = php_zip_fetch_object(object); if (obj->prop_handler != NULL) {