@nikic
nikic/a.php Secret
Last active September 16, 2020 08:12
<?php
// Fuzzer-generated reproducer for the heap-use-after-free reported below:
// an inner generator recurses into itself via yield from, and the same inner
// generator object is delegated to by two outer generators that are advanced
// in lock-step. The code is kept exactly as it triggers the bug.
function gen() {
    yield +$a;   // $a is undefined here; unary + forces numeric conversion
    +$a;
    if ($a=1){   // assignment, not comparison: always true and sets $a = 1
        @var_dump(yield from gen($a+1));   // delegate to a nested gen(); @ silences diagnostics
    }
}
function bar($gen) {
    yield from $gen;   // delegate to whatever generator is passed in
}
$gen=gen();
$gens[]=bar($gen);   // both outer generators delegate to the same $gen
$gens[]=bar($gen);
do {
    foreach ($gens as $g) {
        var_dump($g->current());
        $g->next();
    }
}
while ($gens[0]->valid());

==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000018040 at pc 0x000000da05c2 bp 0x7ffd1beea420 sp 0x7ffd1beea418
READ of size 4 at 0x612000018040 thread T0
#0 0xda05c1 in zend_gc_addref php-src/Zend/zend_types.h:1160:9
#1 0xd9efe5 in zend_generator_update_current php-src/Zend/zend_generators.c:701:5
#2 0xda3620 in zend_generator_dtor_storage php-src/Zend/zend_generators.c:241:3
#3 0xda3892 in zend_generator_dtor_storage php-src/Zend/zend_generators.c:236:4
#4 0xdccad4 in zend_objects_store_call_destructors php-src/Zend/zend_objects_API.c:56:7
#5 0xb8623a in shutdown_destructors php-src/Zend/zend_execute_API.c:248:3
#6 0xbbdfdd in zend_call_destructors php-src/Zend/zend.c:1212:3
#7 0xa718cb in php_request_shutdown php-src/main/main.c:1756:3
#8 0xde5a92 in fuzzer_request_shutdown php-src/sapi/fuzzer/fuzzer-sapi.c:196:2
#9 0xde6091 in fuzzer_do_request_from_buffer php-src/sapi/fuzzer/fuzzer-sapi.c:267:2
#10 0xde542b in LLVMFuzzerTestOneInput php-src/sapi/fuzzer/fuzzer-execute.c:69:2
#11 0x47ef01 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:595:15
#12 0x469fd2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#13 0x47008e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:852:9
#14 0x498072 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#15 0x7f7b18a6682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
#16 0x4452a8 in _start
0x612000018040 is located 0 bytes inside of 280-byte region [0x612000018040,0x612000018158)
freed by thread T0 here:
#0 0x547a32 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
#1 0xb3ce24 in tracked_free php-src/Zend/zend_alloc.c:2748:2
#2 0xb364c7 in _efree_custom php-src/Zend/zend_alloc.c:2427:3
#3 0xb363d1 in _efree php-src/Zend/zend_alloc.c:2547:3
#4 0xdcdbfc in zend_objects_store_del php-src/Zend/zend_objects_API.c:197:3
#5 0xd9e1b4 in zend_object_release php-src/Zend/zend_objects_API.h:75:3
#6 0xda3a01 in zend_generator_dtor_storage php-src/Zend/zend_generators.c:258:6
#7 0xda3892 in zend_generator_dtor_storage php-src/Zend/zend_generators.c:236:4
#8 0xdccad4 in zend_objects_store_call_destructors php-src/Zend/zend_objects_API.c:56:7
#9 0xb8623a in shutdown_destructors php-src/Zend/zend_execute_API.c:248:3
#10 0xbbdfdd in zend_call_destructors php-src/Zend/zend.c:1212:3
#11 0xa718cb in php_request_shutdown php-src/main/main.c:1756:3
#12 0xde5a92 in fuzzer_request_shutdown php-src/sapi/fuzzer/fuzzer-sapi.c:196:2
#13 0xde6091 in fuzzer_do_request_from_buffer php-src/sapi/fuzzer/fuzzer-sapi.c:267:2
#14 0xde542b in LLVMFuzzerTestOneInput php-src/sapi/fuzzer/fuzzer-execute.c:69:2
#15 0x47ef01 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:595:15
#16 0x469fd2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#17 0x47008e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:852:9
#18 0x498072 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#19 0x7f7b18a6682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
previously allocated by thread T0 here:
#0 0x547c9d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0xb36ac9 in __zend_malloc php-src/Zend/zend_alloc.c:3030:14
#2 0xb33a4e in tracked_malloc php-src/Zend/zend_alloc.c:2733:14
#3 0xb362f7 in _malloc_custom php-src/Zend/zend_alloc.c:2418:10
#4 0xb361ff in _emalloc php-src/Zend/zend_alloc.c:2537:10
#5 0xda327c in zend_generator_create php-src/Zend/zend_generators.c:442:14
#6 0xbcb2f6 in _object_and_properties_init php-src/Zend/zend_API.c:1438:3
#7 0xbcb592 in object_init_ex php-src/Zend/zend_API.c:1452:9
#8 0xcfe8d5 in ZEND_GENERATOR_CREATE_SPEC_HANDLER php-src/Zend/zend_vm_execute.h:2215:3
#9 0xde5599 in fuzzer_execute_ex php-src/sapi/fuzzer/fuzzer-execute.c:40:14
#10 0xc94208 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER php-src/Zend/zend_vm_execute.h:1925:4
#11 0xde5599 in fuzzer_execute_ex php-src/sapi/fuzzer/fuzzer-execute.c:40:14
#12 0xd9fc7d in zend_generator_resume php-src/Zend/zend_generators.c:860:4
#13 0xda1cf3 in zim_Generator_next php-src/Zend/zend_generators.c:1023:2
#14 0xc93792 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER php-src/Zend/zend_vm_execute.h:1853:4
#15 0xde5599 in fuzzer_execute_ex php-src/sapi/fuzzer/fuzzer-execute.c:40:14
#16 0xc24e26 in zend_execute php-src/Zend/zend_vm_execute.h:59928:2
#17 0xde5fe9 in fuzzer_do_request_from_buffer php-src/sapi/fuzzer/fuzzer-sapi.c:259:5
#18 0xde542b in LLVMFuzzerTestOneInput php-src/sapi/fuzzer/fuzzer-execute.c:69:2
#19 0x47ef01 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:595:15
#20 0x469fd2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#21 0x47008e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:852:9
#22 0x498072 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#23 0x7f7b18a6682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291