
Corrupted zend_mm_heap when using a closure in attribute #17851

Open
alexandre-daubois opened this issue Feb 18, 2025 · 10 comments · May be fixed by #17853

Comments

@alexandre-daubois
Contributor

Description

When working on symfony/symfony#59800, I faced a crash in the engine. The CI crashes on the added test:

/**
 * @requires PHP 8.5
 */
public function testAttributesWithClosure()
{
    $loader = new AttributeLoader();
    $metadata = new ClassMetadata(WhenTestWithClosure::class);

    self::assertTrue($loader->loadClassMetadata($metadata));

    [$classConstraint] = $metadata->getConstraints();

    // ...
}

After a short investigation, $loader->loadClassMetadata($metadata) is the culprit. This happens when using closures in attributes; here is the fixture that causes the crash:

use Symfony\Component\Validator\Constraints\NotBlank;
use Symfony\Component\Validator\Constraints\NotNull;
use Symfony\Component\Validator\Constraints\When;

#[When(expression: static function () {
        return true;
    }, constraints: new NotNull()
)]
class WhenTestWithClosure
{
    #[When(expression: static function () {
        return true;
    }, constraints: [
        new NotNull(),
        new NotBlank(),
    ])]
    private $foo;
}

When running the test, the output is:

............................................................. 4758 / 5217 ( 91%)
.................................zend_mm_heap corrupted
zsh: abort      ./phpunit src/Symfony/Component/Validator/Test

This can be reproduced by checking out this PR symfony/symfony#59800 and running with PHP 8.5:

./phpunit src/Symfony/Component/Validator/Tests/Constraints/WhenTest.php

I tried to make a simpler reproducer but I wasn't able to. I'd be happy to help set up the reproducer described above if needed. Thanks!

PHP Version

8.5

Operating System

macOS 15.3.1

@TimWolla
Member

$ php-src/sapi/cli/php ./phpunit src/Symfony/Component/Validator/Tests/Constraints/WhenTest.php
PHPUnit 9.6.22 by Sebastian Bergmann and contributors.

Testing Symfony\Component\Validator\Tests\Constraints\WhenTest
...=================================================================
==587646==ERROR: AddressSanitizer: heap-use-after-free on address 0x50d0001a0114 at pc 0x566f99b60d41 bp 0x7fff6aae5470 sp 0x7fff6aae5468
READ of size 4 at 0x50d0001a0114 thread T0
    #0 0x566f99b60d40 in zend_string_addref php-src/Zend/zend_string.h:160:7
    #1 0x566f99b54a95 in zend_create_closure_ex php-src/Zend/zend_closures.c:756:3
    #2 0x566f99b4339f in zend_create_closure php-src/Zend/zend_closures.c:842:2
    #3 0x566f99a9a89b in zend_ast_evaluate_inner php-src/Zend/zend_ast.c:1009:4
    #4 0x566f99a9076b in zend_ast_evaluate_ex php-src/Zend/zend_ast.c:572:18
    #5 0x566f99cdfe1b in zval_update_constant_with_ctx php-src/Zend/zend_execute_API.c:756:25
    #6 0x566f99ce0964 in zval_update_constant_ex php-src/Zend/zend_execute_API.c:774:9
    #7 0x566f99ac0467 in zend_get_attribute_value php-src/Zend/zend_attributes.c:255:18
    #8 0x566f99ac739a in zend_get_attribute_object php-src/Zend/zend_attributes.c:314:19
    #9 0x566f989b7c5e in zim_ReflectionAttribute_newInstance php-src/ext/reflection/php_reflection.c:7230:17
    #10 0x566f99fdf3d3 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER php-src/Zend/zend_vm_execute.h:2037:4
    #11 0x566f99d3ffd7 in execute_ex php-src/Zend/zend_vm_execute.h:58595:7
    #12 0x566f9a4685b4 in zend_generator_resume php-src/Zend/zend_generators.c:822:3
    #13 0x566f9a46e7fa in zend_generator_ensure_initialized php-src/Zend/zend_generators.c:878:3
    #14 0x566f9a46e114 in zend_generator_rewind php-src/Zend/zend_generators.c:886:2
    #15 0x566f9a480049 in zend_generator_iterator_rewind php-src/Zend/zend_generators.c:1162:2
    #16 0x566f9a3d6d52 in zend_fe_reset_iterator php-src/Zend/zend_execute.c:5218:3
    #17 0x566f9a05e770 in ZEND_FE_RESET_R_SPEC_VAR_HANDLER php-src/Zend/zend_vm_execute.h:22883:20
    #18 0x566f99d3ffd7 in execute_ex php-src/Zend/zend_vm_execute.h:58595:7
    #19 0x566f99d411f2 in zend_execute php-src/Zend/zend_vm_execute.h:64247:2
    #20 0x566f9a86acb8 in zend_execute_script php-src/Zend/zend.c:1943:3
    #21 0x566f993f5156 in php_execute_script_ex php-src/main/main.c:2584:13
    #22 0x566f993f59f8 in php_execute_script php-src/main/main.c:2624:9
    #23 0x566f9a879cfa in do_cli php-src/sapi/cli/php_cli.c:948:5
    #24 0x566f9a8756f2 in main php-src/sapi/cli/php_cli.c:1348:18
    #25 0x775a6da2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #26 0x775a6da2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #27 0x566f972033a4 in _start (php-src/sapi/cli/php+0x1e033a4) (BuildId: 8d3eb77b39a0039c721a93671676fd3afe43c773)

0x50d0001a0114 is located 4 bytes inside of 136-byte region [0x50d0001a0110,0x50d0001a0198)
freed by thread T0 here:
    #0 0x566f9729dd4a in free (php-src/sapi/cli/php+0x1e9dd4a) (BuildId: 8d3eb77b39a0039c721a93671676fd3afe43c773)
    #1 0x566f999d2643 in __zend_free php-src/Zend/zend_alloc.c:3308:2
    #2 0x566f999db46d in _efree php-src/Zend/zend_alloc.c:2747:3
    #3 0x566f9a74ee98 in zend_string_release_ex php-src/Zend/zend_string.h:362:5
    #4 0x566f9a74bc9c in destroy_op_array php-src/Zend/zend_opcode.c:565:3
    #5 0x566f9a74e858 in destroy_op_array php-src/Zend/zend_opcode.c:646:4
    #6 0x566f9a0435ae in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER php-src/Zend/zend_vm_execute.h:41094:3
    #7 0x566f99d3ffd7 in execute_ex php-src/Zend/zend_vm_execute.h:58595:7
    #8 0x566f99ce80bc in zend_call_function php-src/Zend/zend_execute_API.c:1008:3
    #9 0x566f99cec957 in zend_call_known_function php-src/Zend/zend_execute_API.c:1102:23
    #10 0x566f98aa906a in spl_perform_autoload php-src/ext/spl/php_spl.c:442:3
    #11 0x566f99cf04cc in zend_lookup_class_ex php-src/Zend/zend_execute_API.c:1272:7
    #12 0x566f99cf0eaa in zend_lookup_class php-src/Zend/zend_execute_API.c:1295:9
    #13 0x566f9891cf03 in reflection_class_object_ctor php-src/ext/reflection/php_reflection.c:4001:13
    #14 0x566f9891b29e in zim_ReflectionClass___construct php-src/ext/reflection/php_reflection.c:4018:2
    #15 0x566f99fdc818 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER php-src/Zend/zend_vm_execute.h:1919:4
    #16 0x566f99d3ffd7 in execute_ex php-src/Zend/zend_vm_execute.h:58595:7
    #17 0x566f99d411f2 in zend_execute php-src/Zend/zend_vm_execute.h:64247:2
    #18 0x566f9a86acb8 in zend_execute_script php-src/Zend/zend.c:1943:3
    #19 0x566f993f5156 in php_execute_script_ex php-src/main/main.c:2584:13
    #20 0x566f993f59f8 in php_execute_script php-src/main/main.c:2624:9
    #21 0x566f9a879cfa in do_cli php-src/sapi/cli/php_cli.c:948:5
    #22 0x566f9a8756f2 in main php-src/sapi/cli/php_cli.c:1348:18
    #23 0x775a6da2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #24 0x775a6da2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #25 0x566f972033a4 in _start (php-src/sapi/cli/php+0x1e033a4) (BuildId: 8d3eb77b39a0039c721a93671676fd3afe43c773)

previously allocated by thread T0 here:
    #0 0x566f9729e429 in __interceptor_realloc (php-src/sapi/cli/php+0x1e9e429) (BuildId: 8d3eb77b39a0039c721a93671676fd3afe43c773)
    #1 0x566f999dbdcb in __zend_realloc php-src/Zend/zend_alloc.c:3299:6
    #2 0x566f999db668 in _erealloc php-src/Zend/zend_alloc.c:2758:10
    #3 0x566f9a86eb45 in zend_string_realloc php-src/Zend/zend_string.h:252:25
    #4 0x566f9a86e612 in smart_str_trim_to_size_ex php-src/Zend/zend_smart_str.h:95:12
    #5 0x566f9a86e06a in smart_str_extract_ex php-src/Zend/zend_smart_str.h:109:3
    #6 0x566f9a854716 in smart_str_extract php-src/Zend/zend_smart_str.h:120:9
    #7 0x566f9a854681 in zend_vstrpprintf php-src/Zend/zend.c:350:9
    #8 0x566f9a854a70 in zend_strpprintf_unchecked php-src/Zend/zend.c:372:8
    #9 0x566f99ba7239 in zend_begin_func_decl php-src/Zend/zend_compile.c:8200:22
    #10 0x566f99ba208e in zend_compile_func_decl_ex php-src/Zend/zend_compile.c:8312:12
    #11 0x566f99b8e04c in zend_compile_func_decl php-src/Zend/zend_compile.c:8443:9
    #12 0x566f99b9beef in zend_compile_const_expr_closure php-src/Zend/zend_compile.c:11250:22
    #13 0x566f99b8d50f in zend_compile_const_expr php-src/Zend/zend_compile.c:11319:4
    #14 0x566f99b84a1f in zend_const_expr_to_zval php-src/Zend/zend_compile.c:11334:2
    #15 0x566f99bacf6b in zend_compile_attributes php-src/Zend/zend_compile.c:7448:6
    #16 0x566f99b90c78 in zend_compile_class_decl php-src/Zend/zend_compile.c:9128:3
    #17 0x566f99b8dd45 in zend_compile_top_stmt php-src/Zend/zend_compile.c:11368:3
    #18 0x566f99b8d86d in zend_compile_top_stmt php-src/Zend/zend_compile.c:11357:4
    #19 0x566f9a624196 in zend_compile php-src/Zend/zend_language_scanner.l:618:3
    #20 0x566f9a6238ed in compile_file php-src/Zend/zend_language_scanner.l:653:14
    #21 0x566f98774af1 in phar_compile_file php-src/ext/phar/phar.c:3320:9
    #22 0x566f9a62716b in compile_filename php-src/Zend/zend_language_scanner.l:704:11
    #23 0x566f9a3d56c9 in zend_include_or_eval php-src/Zend/zend_execute.c:5183:19
    #24 0x566f9a041b7c in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER php-src/Zend/zend_vm_execute.h:41067:17
    #25 0x566f99d3ffd7 in execute_ex php-src/Zend/zend_vm_execute.h:58595:7
    #26 0x566f99ce80bc in zend_call_function php-src/Zend/zend_execute_API.c:1008:3
    #27 0x566f99cec957 in zend_call_known_function php-src/Zend/zend_execute_API.c:1102:23
    #28 0x566f98aa906a in spl_perform_autoload php-src/ext/spl/php_spl.c:442:3
    #29 0x566f99cf04cc in zend_lookup_class_ex php-src/Zend/zend_execute_API.c:1272:7

SUMMARY: AddressSanitizer: heap-use-after-free php-src/Zend/zend_string.h:160:7 in zend_string_addref
==587646==ABORTING

@TimWolla
Member

TimWolla commented Feb 18, 2025

Simple reproducer:

dummy.php

<?php

#[Attr(static function () {
    return true;
})]
class Dummy {}

test5.php

<?php

spl_autoload_register(static function ($className) {
    if ($className === 'Dummy') {
        require(__DIR__ . '/dummy.php');
    }
});

#[Attribute(Attribute::TARGET_CLASS | Attribute::IS_REPEATABLE)]
class Attr
{
    public function __construct(public Closure $value) {}
}

(new ReflectionClass('Dummy'))->getAttributes()[0]->newInstance();

Results in:

$ sapi/cli/php test5.php
=================================================================
==597619==ERROR: AddressSanitizer: heap-use-after-free on address 0x507000011204 at pc 0x576d68b60d41 bp 0x7ffd1b2d1810 sp 0x7ffd1b2d1808
READ of size 4 at 0x507000011204 thread T0
    #0 0x576d68b60d40 in zend_string_addref php-src/Zend/zend_string.h:160:7
    #1 0x576d68b54a95 in zend_create_closure_ex php-src/Zend/zend_closures.c:756:3
    #2 0x576d68b4339f in zend_create_closure php-src/Zend/zend_closures.c:842:2
    #3 0x576d68a9a89b in zend_ast_evaluate_inner php-src/Zend/zend_ast.c:1009:4
    #4 0x576d68a9076b in zend_ast_evaluate_ex php-src/Zend/zend_ast.c:572:18
    #5 0x576d68cdfe1b in zval_update_constant_with_ctx php-src/Zend/zend_execute_API.c:756:25
    #6 0x576d68ce0964 in zval_update_constant_ex php-src/Zend/zend_execute_API.c:774:9
    #7 0x576d68ac0467 in zend_get_attribute_value php-src/Zend/zend_attributes.c:255:18
    #8 0x576d68ac739a in zend_get_attribute_object php-src/Zend/zend_attributes.c:314:19
    #9 0x576d679b7c5e in zim_ReflectionAttribute_newInstance php-src/ext/reflection/php_reflection.c:7230:17
    #10 0x576d68fdc818 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER php-src/Zend/zend_vm_execute.h:1919:4
    #11 0x576d68d3ffd7 in execute_ex php-src/Zend/zend_vm_execute.h:58595:7
    #12 0x576d68d411f2 in zend_execute php-src/Zend/zend_vm_execute.h:64247:2
    #13 0x576d6986adb8 in zend_execute_script php-src/Zend/zend.c:1943:3
    #14 0x576d683f5156 in php_execute_script_ex php-src/main/main.c:2584:13
    #15 0x576d683f59f8 in php_execute_script php-src/main/main.c:2624:9
    #16 0x576d69879dfa in do_cli php-src/sapi/cli/php_cli.c:948:5
    #17 0x576d698757f2 in main php-src/sapi/cli/php_cli.c:1348:18
    #18 0x7bfa8982a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x7bfa8982a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #20 0x576d662033a4 in _start (php-src/sapi/cli/php+0x1e033a4) (BuildId: a69eb4063042fd2efb6cdec1f8785d1271f0f417)

0x507000011204 is located 4 bytes inside of 80-byte region [0x507000011200,0x507000011250)
freed by thread T0 here:
    #0 0x576d6629dd4a in free (php-src/sapi/cli/php+0x1e9dd4a) (BuildId: a69eb4063042fd2efb6cdec1f8785d1271f0f417)
    #1 0x576d689d2643 in __zend_free php-src/Zend/zend_alloc.c:3308:2
    #2 0x576d689db46d in _efree php-src/Zend/zend_alloc.c:2747:3
    #3 0x576d6974ef98 in zend_string_release_ex php-src/Zend/zend_string.h:362:5
    #4 0x576d6974bd94 in destroy_op_array php-src/Zend/zend_opcode.c:566:3
    #5 0x576d6974e950 in destroy_op_array php-src/Zend/zend_opcode.c:647:4
    #6 0x576d690385ff in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER php-src/Zend/zend_vm_execute.h:5274:3
    #7 0x576d68d3ffd7 in execute_ex php-src/Zend/zend_vm_execute.h:58595:7
    #8 0x576d68ce80bc in zend_call_function php-src/Zend/zend_execute_API.c:1008:3
    #9 0x576d68cec957 in zend_call_known_function php-src/Zend/zend_execute_API.c:1102:23
    #10 0x576d67aa906a in spl_perform_autoload php-src/ext/spl/php_spl.c:442:3
    #11 0x576d68cf04cc in zend_lookup_class_ex php-src/Zend/zend_execute_API.c:1272:7
    #12 0x576d68cf0eaa in zend_lookup_class php-src/Zend/zend_execute_API.c:1295:9
    #13 0x576d6791cf03 in reflection_class_object_ctor php-src/ext/reflection/php_reflection.c:4001:13
    #14 0x576d6791b29e in zim_ReflectionClass___construct php-src/ext/reflection/php_reflection.c:4018:2
    #15 0x576d68fdc818 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER php-src/Zend/zend_vm_execute.h:1919:4
    #16 0x576d68d3ffd7 in execute_ex php-src/Zend/zend_vm_execute.h:58595:7
    #17 0x576d68d411f2 in zend_execute php-src/Zend/zend_vm_execute.h:64247:2
    #18 0x576d6986adb8 in zend_execute_script php-src/Zend/zend.c:1943:3
    #19 0x576d683f5156 in php_execute_script_ex php-src/main/main.c:2584:13
    #20 0x576d683f59f8 in php_execute_script php-src/main/main.c:2624:9
    #21 0x576d69879dfa in do_cli php-src/sapi/cli/php_cli.c:948:5
    #22 0x576d698757f2 in main php-src/sapi/cli/php_cli.c:1348:18
    #23 0x7bfa8982a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #24 0x7bfa8982a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #25 0x576d662033a4 in _start (php-src/sapi/cli/php+0x1e033a4) (BuildId: a69eb4063042fd2efb6cdec1f8785d1271f0f417)

previously allocated by thread T0 here:
    #0 0x576d6629e429 in __interceptor_realloc (php-src/sapi/cli/php+0x1e9e429) (BuildId: a69eb4063042fd2efb6cdec1f8785d1271f0f417)
    #1 0x576d689dbdcb in __zend_realloc php-src/Zend/zend_alloc.c:3299:6
    #2 0x576d689db668 in _erealloc php-src/Zend/zend_alloc.c:2758:10
    #3 0x576d6986ec45 in zend_string_realloc php-src/Zend/zend_string.h:252:25
    #4 0x576d6986e712 in smart_str_trim_to_size_ex php-src/Zend/zend_smart_str.h:95:12
    #5 0x576d6986e16a in smart_str_extract_ex php-src/Zend/zend_smart_str.h:109:3
    #6 0x576d69854816 in smart_str_extract php-src/Zend/zend_smart_str.h:120:9
    #7 0x576d69854781 in zend_vstrpprintf php-src/Zend/zend.c:350:9
    #8 0x576d69854b70 in zend_strpprintf_unchecked php-src/Zend/zend.c:372:8
    #9 0x576d68ba7239 in zend_begin_func_decl php-src/Zend/zend_compile.c:8200:22
    #10 0x576d68ba208e in zend_compile_func_decl_ex php-src/Zend/zend_compile.c:8312:12
    #11 0x576d68b8e04c in zend_compile_func_decl php-src/Zend/zend_compile.c:8443:9
    #12 0x576d68b9beef in zend_compile_const_expr_closure php-src/Zend/zend_compile.c:11250:22
    #13 0x576d68b8d50f in zend_compile_const_expr php-src/Zend/zend_compile.c:11319:4
    #14 0x576d68b84a1f in zend_const_expr_to_zval php-src/Zend/zend_compile.c:11334:2
    #15 0x576d68bacf6b in zend_compile_attributes php-src/Zend/zend_compile.c:7448:6
    #16 0x576d68b90c78 in zend_compile_class_decl php-src/Zend/zend_compile.c:9128:3
    #17 0x576d68b8dd45 in zend_compile_top_stmt php-src/Zend/zend_compile.c:11368:3
    #18 0x576d68b8d86d in zend_compile_top_stmt php-src/Zend/zend_compile.c:11357:4
    #19 0x576d69624196 in zend_compile php-src/Zend/zend_language_scanner.l:618:3
    #20 0x576d696238ed in compile_file php-src/Zend/zend_language_scanner.l:653:14
    #21 0x576d67774af1 in phar_compile_file php-src/ext/phar/phar.c:3320:9
    #22 0x576d6962716b in compile_filename php-src/Zend/zend_language_scanner.l:704:11
    #23 0x576d693d56c9 in zend_include_or_eval php-src/Zend/zend_execute.c:5183:19
    #24 0x576d69036bcd in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER php-src/Zend/zend_vm_execute.h:5247:17
    #25 0x576d68d3ffd7 in execute_ex php-src/Zend/zend_vm_execute.h:58595:7
    #26 0x576d68ce80bc in zend_call_function php-src/Zend/zend_execute_API.c:1008:3
    #27 0x576d68cec957 in zend_call_known_function php-src/Zend/zend_execute_API.c:1102:23
    #28 0x576d67aa906a in spl_perform_autoload php-src/ext/spl/php_spl.c:442:3
    #29 0x576d68cf04cc in zend_lookup_class_ex php-src/Zend/zend_execute_API.c:1272:7

SUMMARY: AddressSanitizer: heap-use-after-free php-src/Zend/zend_string.h:160:7 in zend_string_addref
==597619==ABORTING
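The two ASan traces above tell one lifetime story: the closure's function name is allocated while compiling dummy.php (zend_begin_func_decl), released by the nested destroy_op_array when the autoloader's include returns, and then read again by zend_string_addref when newInstance() evaluates the deferred attribute argument. The following C model of that sequence is an added illustration, not php-src code; zstr, op_array and closure_ast are simplified stand-ins for the engine's types, and the "held reference" variant only shows what keeping the name alive would change, not the fix in #17853.

```c
#include <stdio.h>
#include <stdlib.h>

/* Refcounted string, modelled on zend_string. "freed" stands in for efree() so
 * the dangling read can be reported instead of being undefined behaviour. */
typedef struct {
    int refcount;
    int freed;
    char val[16];
} zstr;

static zstr *zstr_init(const char *s) {
    zstr *z = calloc(1, sizeof *z);
    z->refcount = 1;
    snprintf(z->val, sizeof z->val, "%s", s);
    return z;
}

/* zend_string_release_ex: drop one reference, free at zero. */
static void zstr_release(zstr *z) {
    if (--z->refcount == 0) z->freed = 1;
}

/* zend_string_addref, instrumented: -1 is the heap-use-after-free ASan reports. */
static int zstr_addref(zstr *z) {
    if (z->freed) return -1;
    z->refcount++;
    return 0;
}

/* The closure's op_array owns its function name (the "{closure}" string built
 * by zend_begin_func_decl in the allocation trace). */
typedef struct { zstr *function_name; } op_array;

/* The attribute argument kept for deferred evaluation: a bare pointer to the
 * closure's op_array and, in the hypothetical hardened variant, its own reference. */
typedef struct { op_array *func; zstr *own_ref; } closure_ast;

static op_array *compile_closure_decl(void) {          /* compiling dummy.php */
    op_array *op = calloc(1, sizeof *op);
    op->function_name = zstr_init("{closure}");
    return op;
}

/* Nested destroy_op_array when the include returns: releases the name. */
static void destroy_closure_decl(op_array *op) {
    zstr_release(op->function_name);
}

/* zend_create_closure_ex: the closure object addrefs the function name. */
static int create_closure(const closure_ast *ast) {
    return zstr_addref(ast->func->function_name);
}

/* Replays the reproducer: autoload compiles dummy.php, the include finishes and
 * tears the op_array down, then newInstance() evaluates the attribute argument.
 * Returns 0 when the closure is created cleanly, -1 on the dangling read. */
static int run_scenario(int ast_keeps_reference) {
    op_array *op = compile_closure_decl();
    closure_ast ast = { op, NULL };
    if (ast_keeps_reference) {   /* hypothetical hardening: hold the name alive */
        zstr_addref(op->function_name);
        ast.own_ref = op->function_name;
    }
    destroy_closure_decl(op);
    int rc = create_closure(&ast);
    if (rc == 0) zstr_release(op->function_name);   /* closure object destroyed */
    if (ast.own_ref) zstr_release(ast.own_ref);
    free(op->function_name);
    free(op);
    return rc;
}

int main(void) {
    printf("bare pointer:   %s\n", run_scenario(0) ? "heap-use-after-free" : "ok");
    printf("held reference: %s\n", run_scenario(1) ? "heap-use-after-free" : "ok");
    return 0;
}
```

With ASan the real engine reports the same condition at the zstr_addref step, which is why USE_ZEND_ALLOC=0 (so the system allocator is used) matters when hunting this class of bug with valgrind or a sanitizer.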

TimWolla added a commit to TimWolla/php-src that referenced this issue Feb 18, 2025
@sartor

sartor commented Feb 19, 2025

I have the same issue on PHP 8.4.4. It does not occur every time, but very frequently. There were no problems on PHP 8.4.3.
Sometimes the message is:
zend_mm_heap corrupted
And sometimes:
Allowed memory size of 1073741824 bytes exhausted (tried to allocate 7998520908462056072 bytes

@TimWolla
Member

@sartor The “zend_mm_heap corrupted” message is just a symptom of a large number of possible errors. Even though the message is the same, your issue has a different cause.

Can you try to narrow down what triggers the message in your case and then file a separate issue?

@sartor

sartor commented Feb 19, 2025

This error happens when I run a specific test via phpunit that sends a small request using the Symfony HTTP client. I can't easily extract a small amount of code to provide here.

@TimWolla
Member

@sartor

You can try the following:

  1. export USE_ZEND_ALLOC=0
  2. valgrind php vendor/bin/phpunit that/specific/test.php

The second step with running PHP in valgrind should (hopefully) point out some error details when the issue is reproducible. The first step is necessary for valgrind to correctly detect the issue.

@sartor

sartor commented Feb 19, 2025

Thank you for the suggestion!

$ valgrind --leak-check=full ./bin/phpunit tests/functional/api/crm/CrmGetBatchTest.php
==52053== Memcheck, a memory error detector
==52053== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==52053== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==52053== Command: ./bin/phpunit tests/functional/api/crm/CrmGetBatchTest.php
==52053== 
[INFO]  No new migrations found. Your system is up-to-date
PHPUnit 11.5.2 by Sebastian Bergmann and contributors.

Runtime:       PHP 8.4.4
Configuration: /var/www/analytics/phpunit.xml

zend_mm_heap corrupted
==52053== 
==52053== HEAP SUMMARY:
==52053==     in use at exit: 154,587 bytes in 890 blocks
==52053==   total heap usage: 2,139 allocs, 1,249 frees, 232,501 bytes allocated
==52053== 
==52053== LEAK SUMMARY:
==52053==    definitely lost: 0 bytes in 0 blocks
==52053==    indirectly lost: 0 bytes in 0 blocks
==52053==      possibly lost: 0 bytes in 0 blocks
==52053==    still reachable: 154,587 bytes in 890 blocks
==52053==         suppressed: 0 bytes in 0 blocks
==52053== Reachable blocks (those to which a pointer was found) are not shown.
==52053== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==52053== 
==52053== For lists of detected and suppressed errors, rerun with: -s
==52053== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

@TimWolla
Member

@sartor It appears that you forgot the export USE_ZEND_ALLOC=0. That should disable ZendMM, which means that the zend_mm_heap message should not appear. Can you double-check?

@sartor

sartor commented Feb 19, 2025

I ran this command, but not correctly, because I run the test in Docker. Now the output changed from
zend_mm_heap corrupted to malloc(): unaligned tcache chunk detected

$ valgrind --leak-check=full ./bin/phpunit tests/functional/api/crm/CrmGetBatchTest.php
==61547== Memcheck, a memory error detector
==61547== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==61547== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==61547== Command: ./bin/phpunit tests/functional/api/crm/CrmGetBatchTest.php
==61547== 
[INFO]  No new migrations found. Your system is up-to-date
PHPUnit 11.5.2 by Sebastian Bergmann and contributors.

Runtime:       PHP 8.4.4
Configuration: /var/www/analytics/phpunit.xml

malloc(): unaligned tcache chunk detected
==61547== 
==61547== HEAP SUMMARY:
==61547==     in use at exit: 154,587 bytes in 890 blocks
==61547==   total heap usage: 2,139 allocs, 1,249 frees, 232,501 bytes allocated
==61547== 
==61547== LEAK SUMMARY:
==61547==    definitely lost: 0 bytes in 0 blocks
==61547==    indirectly lost: 0 bytes in 0 blocks
==61547==      possibly lost: 0 bytes in 0 blocks
==61547==    still reachable: 154,587 bytes in 890 blocks
==61547==         suppressed: 0 bytes in 0 blocks
==61547== Reachable blocks (those to which a pointer was found) are not shown.
==61547== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==61547== 
==61547== For lists of detected and suppressed errors, rerun with: -s
==61547== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

@TimWolla
Member

@sartor Thank you. Unfortunately it appears that valgrind did not detect an issue, which is surprising. This issue is not the right place for further analysis of your issue, since it clearly has a different cause. Would you mind filing a separate issue with the output above so that someone else can also have a look?

Please link to our existing discussion and please also indicate if you are using any non-default extensions (e.g. Xdebug for code coverage).
