GC Assertion Failure: Unaligned Reference Pointer in gc_collect_roots()

[vi3tL0u1s]

Description

The following fuzzer-generated input:

https://github.com/vi3tL0u1s/poc/blob/master/php-src-assertion-gc-collect-roots

Resulted in this output:

php: /path/to/php-src/Zend/zend_gc.c:1712: int gc_collect_roots(uint32_t *, gc_stack *): Assertion `((((uintptr_t)(ref)) & 0x3) == 0x0)' failed.
Aborted

To reproduce:

curl -s https://raw.githubusercontent.com/vi3tL0u1s/poc/master/php-src-assertion-gc-collect-roots | ./php-src/sapi/cli/php

Commit:

ee2da6d9e9745ec83b02b1e5c5a07e8dbd5f9f98

Configurations:

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic

PHP Version

PHP 8.5.0-dev (cli) (built: Sep 28 2025 16:08:25) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.0-dev, Copyright (c), by Zend Technologies

Operating System

Ubuntu 22.04

[ndossche]

Heavily reduced from the complete garbage that the original was:

<?php
class a
{
    function __destruct()
    {
        $gen = (function () {
            $from = (function () {
                $cv = [new a];
                Fiber::suspend();
            })();
            yield from $from;
        })();
        $fiber = new Fiber(function () use ($gen, &$fiber) {
            $gen->current();
        });
        $fiber->start();
    }
}
new a;