HashTable use-after-destroy in function table via stream wrapper magic __call() with nested redeclaration

[vi3tL0u1s]

Description

The following code:

<?php
class Loader {
    function stream_open() {
        return true;
    }
    function __call($m, $a) {
        $map[$obj] = putenv("LA=Gx$g_lang");
        function __call($m, $a) {}
    }
}
stream_wrapper_register('abc', 'Loader');
require 'abc://';

Resulted in this output:

/path/to/php-src/Zend/zend_hash.c(1555) : ht=0x5589df607568 is already destroyed
php: /path/to/php-src/Zend/zend_hash.c:73: _zend_is_inconsistent: Assertion `0' failed.
Aborted

Commit:

824c3891281bb4deb5a1aa245313a6c6b0ea786f

Build configuration:

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ./buildconf --force && ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic --enable-mbstring --with-zlib

PHP Version

PHP 8.6.0-dev (cli) (built: Dec  6 2025 16:29:29) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies

Operating System

Ubuntu 22.04

[devnexen]

#0  __pthread_kill_implementation (threadid=<optimized out>, signo=6, no_tid=0) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (threadid=<optimized out>, signo=6) at ./nptl/pthread_kill.c:89
#2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:100
#3  0x00007ffff6845e2e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff6828888 in __GI_abort () at ./stdlib/abort.c:77
#5  0x00007ffff68287f0 in __assert_fail_base (fmt=<optimized out>, assertion=<optimized out>, file=<optimized out>, line=<optimized out>, function=<optimized out>) at ./assert/assert.c:118
#6  0x000055555e1ad5fd in _zend_is_inconsistent (ht=0x7d9ff4dea288, file=0x55555eae72b1 "/home/dcarlier/Contribs/php-src/Zend/zend_hash.c", line=1555) at /home/dcarlier/Contribs/php-src/Zend/zend_hash.c:73
#7  0x000055555e1d9410 in zend_hash_del (ht=0x7d9ff4dea288, key=0x7bfff2801b40) at /home/dcarlier/Contribs/php-src/Zend/zend_hash.c:1555
#8  0x000055555bd3747c in zif_putenv (execute_data=0x7bfff2807230, return_value=0x7bfff2807220) at /home/dcarlier/Contribs/php-src/ext/standard/basic_functions.c:762
#9  0x000055555de9bb42 in ZEND_DO_ICALL_SPEC_RETVAL_USED_TAILCALL_HANDLER (execute_data=0x7bfff2807160, opline=0x7bfff2874150) at Zend/zend_vm_execute.h:57205
#10 0x000055555d42c46f in execute_ex (ex=0x7bfff2807160) at Zend/zend_vm_execute.h:116212
#11 0x000055555d3cbc28 in zend_call_function (fci=0x7bfff3b0b440, fci_cache=0x7bfff3b0b4a0) at /home/dcarlier/Contribs/php-src/Zend/zend_execute_API.c:1014
#12 0x000055555d3d11ab in zend_call_known_function (fn=0x7bfff2887500, object=0x7bfff2880d70, called_scope=0x7bfff288f000, retval_ptr=0x7bfff3951960, param_count=0, params=0x0, named_params=0x0)
    at /home/dcarlier/Contribs/php-src/Zend/zend_execute_API.c:1108
#13 0x000055555d3d2ea1 in zend_call_known_fcc (fcc=0x7bfff3b0b340, retval_ptr=0x7bfff3951960, param_count=0, params=0x0, named_params=0x0) at Zend/zend_API.h:852
#14 0x000055555d3d28ca in zend_call_method_if_exists (object=0x7bfff2880d70, method_name=0x7bfff2880cd0, retval=0x7bfff3951960, param_count=0, params=0x0)
    at /home/dcarlier/Contribs/php-src/Zend/zend_execute_API.c:1145
#15 0x000055555cc3bd09 in php_userstreamop_close (stream=0x7bfff2884300, close_handle=1) at /home/dcarlier/Contribs/php-src/main/streams/userspace.c:696
#16 0x000055555cc0826b in _php_stream_free (stream=0x7bfff2884300, close_options=11) at /home/dcarlier/Contribs/php-src/main/streams/streams.c:480
#17 0x000055555cc21c96 in stream_resource_regular_dtor (rsrc=0x7bfff3a800a0) at /home/dcarlier/Contribs/php-src/main/streams/streams.c:1856
#18 0x000055555e4becbf in zend_resource_dtor (res=0x7bfff2801d00) at /home/dcarlier/Contribs/php-src/Zend/zend_list.c:73
#19 0x000055555e4c1211 in zend_close_rsrc_list (ht=0x7e8ff4de88d0) at /home/dcarlier/Contribs/php-src/Zend/zend_list.c:228
#20 0x000055555d3adb44 in zend_shutdown_executor_values (fast_shutdown=false) at /home/dcarlier/Contribs/php-src/Zend/zend_execute_API.c:276
#21 0x000055555d3b83ec in shutdown_executor () at /home/dcarlier/Contribs/php-src/Zend/zend_execute_API.c:455
#22 0x000055555e63e87d in zend_deactivate () at /home/dcarlier/Contribs/php-src/Zend/zend.c:1351
#23 0x000055555caf8253 in php_request_shutdown (dummy=0x0) at /home/dcarlier/Contribs/php-src/main/main.c:2025
#24 0x000055555e66531e in do_cli (argc=2, argv=0x7c2ff4de1bd0) at /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:1158
#25 0x000055555e65ca42 in main (argc=2, argv=0x7c2ff4de1bd0) at /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:1362