From 8fc137b78ddf8c9b315289148db0b4574b0f265e Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 7 Jan 2023 13:49:24 +0100
Subject: [PATCH 1/2] Fix GH-10251: Assertion `(flag & (1<<3)) == 0' failed.
zend_get_property_guard previously assumed that at least "str" has a pre-computed hash. This is not always the case, for example when a string is created by bitwise operations, its hash is not set. Instead of forcing a computation of the hashes, drop the hash comparison.
---
 Zend/zend_object_handlers.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index 5fa80c1adc5e5..e4ae4450b534f 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -535,9 +535,8 @@ ZEND_API uint32_t *zend_get_property_guard(zend_object *zobj, zend_string *membe
 if (EXPECTED(Z_TYPE_P(zv) == IS_STRING)) {
 zend_string *str = Z_STR_P(zv);
 if (EXPECTED(str == member) ||
- /* "str" always has a pre-calculated hash value here */
- (EXPECTED(ZSTR_H(str) == zend_string_hash_val(member)) &&
- EXPECTED(zend_string_equal_content(str, member)))) {
+ /* str and member don't necessarily have a pre-calculated hash value here */
+ EXPECTED(zend_string_equal_content(str, member))) {
 return &Z_PROPERTY_GUARD_P(zv);
 } else if (EXPECTED(Z_PROPERTY_GUARD_P(zv) == 0)) {
 zval_ptr_dtor_str(zv);
From 16a3ba813a351c1fe0bdff4bd0ba299a8c178e75 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 7 Jan 2023 13:51:00 +0100
Subject: [PATCH 2/2] Add a regression test for GH-10251
Co-authored-by: Changochen
---
 Zend/tests/gh10251.phpt | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 Zend/tests/gh10251.phpt
diff --git a/Zend/tests/gh10251.phpt b/Zend/tests/gh10251.phpt
new file mode 100644
index 0000000000000..eb942824802ac
--- /dev/null
+++ b/Zend/tests/gh10251.phpt
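Review bot: The replacement comment in zend_get_property_guard says the hashes may be missing, but not why the hash comparison must stay out, so a later optimisation could reintroduce it. The removed check read `ZSTR_H(str)` directly while calling `zend_string_hash_val(member)`, so a `str` whose hash was never computed would presumably compare unequal to a `member` with identical content. I would state that in the comment, e.g. `/* Do not short-circuit on ZSTR_H(): either hash may be uncomputed (e.g. strings built by bitwise operators, GH-10251), giving a false mismatch */`. The function body starts and ends outside this hunk, so the effect on the guard handling below the `else if` is not visible here.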
@@ -0,0 +1,24 @@
+--TEST--
+GH-10251 (Assertion `(flag & (1<<3)) == 0' failed.)
+--FILE--
+$p = $v;
+ }
+}
+$a = new A();
+$pp = "";
+$op = $pp & "";
+// Bitwise operators on strings don't compute the hash.
+// The code below previously assumed a hash was actually computed, leading to a crash.
+$a->$op = 0;
+echo "Done\n";
+?>
+--EXPECTF--
+Warning: Undefined variable $v in %s on line %d
+
+Warning: Undefined variable $p in %s on line %d
+Done
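Review bot: The visible `$p = $v;` line and the two expected `Undefined variable` warnings suggest the test reaches the empty property name through undefined variables, which the file does not explain. If that is deliberate, a comment next to that assignment would help, e.g. `// $p and $v are intentionally undefined; null is used as the property name ""`. As written, the EXPECTF section ties a crash regression test to warning text that is unrelated to the guard lookup. Several lines of the --FILE-- section are not visible in this rendering, so this is based on the visible lines only.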