Fix use after free during shutdown destruction

Closes GH-18834.
2026-03-24 00:02:20 +01:00 · 2025-06-11 13:22:02 +02:00
parent 5ff5ee0698
commit 5cf3c2663b
3 changed files with 30 additions and 1 deletions
--- a/3
+++ b/3
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.3.24

+- Core:
+  . Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction
+    order). (Daniil Gentili)

 03 Jul 2025, PHP 8.3.23

--- a/Zend/tests/gh18833.phpt
+++ b/Zend/tests/gh18833.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-18833 (Use after free with weakmaps dependent on destruction order)
+--FILE--
+<?php
+
+class a {
+    public static WeakMap $map;
+    public static Generator $storage;
+}
+
+a::$map = new WeakMap;
+
+$closure = function () {
+    $obj = new a;
+    a::$map[$obj] = true;
+    yield $obj;
+};
+a::$storage = $closure();
+a::$storage->current();
+
+echo "ok\n";
+?>
+--EXPECT--
+ok
--- a/Zend/zend_objects_API.c
+++ b/Zend/zend_objects_API.c
@@ -104,7 +104,9 @@ ZEND_API void ZEND_FASTCALL zend_objects_store_free_object_storage(zend_objects_
 			if (IS_OBJ_VALID(obj)) {
 				if (!(OBJ_FLAGS(obj) & IS_OBJ_FREE_CALLED)) {
 					GC_ADD_FLAGS(obj, IS_OBJ_FREE_CALLED);
-					if (obj->handlers->free_obj != zend_object_std_dtor) {
+					if (obj->handlers->free_obj != zend_object_std_dtor
+					 || (OBJ_FLAGS(obj) & IS_OBJ_WEAKLY_REFERENCED)
+					) {
 						GC_ADDREF(obj);
 						obj->handlers->free_obj(obj);
 					}