Description
The following PHP input triggers a reference counting bug in PHP's Zend garbage collector:
<?php
for ($i = 0; $a== 0; $h++) {
    $a += $i<6;
    class Test {
        static ?Test $test;
        function __destruct() {
            $GLOBALS['a'] = null;
        }
    }
    $a = [new Test];
    Test::$test = $a<> 123^0-#x
    $a .= $a;
}
?>
Resulted in this output:
Warning: Undefined variable $a in poc.php on line 2
Warning: Undefined variable $a in poc.php on line 3
Warning: Array to string conversion in poc.php on line 17
php: Zend/zend_types.h:1383: uint32_t zend_gc_delref(zend_refcounted_h *): Assertion `p->refcount > 0' failed.
Aborted
To reproduce:
./php-src/sapi/cli/php poc.php
PHP Version
PHP 8.5.0-dev (cli) (built: Sep 30 2025 15:04:00) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
with Zend OPcache v8.5.0-dev, Copyright (c), by Zend Technologies
Operating System
Ubuntu 22.04