Closed
Description
The following code:
```php
<?php
class C {
    // Invoked when the engine coerces $c to string for the typed property below.
    public function __toString() {
        global $c;              // bind the global $c (the operand of the assignment) by reference
        $c = [];                // reassign it while the engine still holds the original operand
        throw new Exception();  // abort the assignment so the engine takes its error path
    }
}
class D {
    public string $prop;  // typed property: assigning a non-string object triggers string coercion
}
$c = new C();
$d = new D();
try {
    $d->prop = $c;  // coercion calls C::__toString(), which rebinds $c and throws
} catch (Exception $e) {}
var_dump($d);  // reaching request shutdown is enough: ASan reports the use-after-free there
```
Resulted in this output:
```
=================================================================
==3196108==ERROR: AddressSanitizer: heap-use-after-free on address 0x50300002ab80 at pc 0x00000160753a bp 0x7fff1764ef70 sp 0x7fff1764ef68
READ of size 4 at 0x50300002ab80 thread T0
#0 0x1607539 in zend_gc_delref /home/ilutov/Developer/php-src/Zend/zend_types.h:1228
#1 0x1608118 in i_zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.h:43
#2 0x160874e in zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.c:84
#3 0x1682c4b in _zend_hash_del_el_ex /home/ilutov/Developer/php-src/Zend/zend_hash.c:1425
#4 0x16832e5 in _zend_hash_del_el /home/ilutov/Developer/php-src/Zend/zend_hash.c:1452
#5 0x168c2ae in zend_hash_graceful_reverse_destroy /home/ilutov/Developer/php-src/Zend/zend_hash.c:1977
#6 0x159fdc5 in zend_shutdown_executor_values /home/ilutov/Developer/php-src/Zend/zend_execute_API.c:284
#7 0x15a3a81 in shutdown_executor /home/ilutov/Developer/php-src/Zend/zend_execute_API.c:416
#8 0x1612f80 in zend_deactivate /home/ilutov/Developer/php-src/Zend/zend.c:1266
#9 0x13b9b13 in php_request_shutdown /home/ilutov/Developer/php-src/main/main.c:1899
#10 0x1d4c4f1 in do_cli /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:1135
#11 0x1d4d36e in main %s:%d
#12 0x7f210ba39087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
#13 0x7f210ba3914a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a14a) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
#14 0x604034 in _start (/home/ilutov/Developer/php-src/sapi/cli/php+0x604034) (BuildId: 7f40a5e3d3f7cd5a7175930181626fc3ef5632ee)
0x50300002ab80 is located 0 bytes inside of 32-byte region [0x50300002ab80,0x50300002aba0)
freed by thread T0 here:
#0 0x7f210c6f6638 in free.part.0 (/lib64/libasan.so.8+0xf6638) (BuildId: c1431025b5d8af781c22c9ceea71f065c547d32d)
#1 0x1508e99 in tracked_free /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2851
#2 0x1507107 in _efree_custom /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2486
#3 0x1507414 in _efree /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2606
#4 0x1608728 in zend_reference_destroy /home/ilutov/Developer/php-src/Zend/zend_variables.c:75
#5 0x1608308 in rc_dtor_func /home/ilutov/Developer/php-src/Zend/zend_variables.c:57
#6 0x1608128 in i_zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.h:44
#7 0x160874e in zval_ptr_dtor /home/ilutov/Developer/php-src/Zend/zend_variables.c:84
#8 0x1a8a0d0 in zend_std_write_property /home/ilutov/Developer/php-src/Zend/zend_object_handlers.c:893
#9 0x1928c40 in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_OP_DATA_CV_HANDLER /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:41614
#10 0x19ba9db in execute_ex /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:59666
#11 0x19bf38a in zend_execute /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:60439
#12 0x16192cf in zend_execute_scripts /home/ilutov/Developer/php-src/Zend/zend.c:1840
#13 0x13bd096 in php_execute_script /home/ilutov/Developer/php-src/main/main.c:2578
#14 0x1d4ad18 in do_cli /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:964
#15 0x1d4d36e in main %s:%d
#16 0x7f210ba39087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
#17 0x7f210ba3914a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a14a) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
#18 0x604034 in _start (/home/ilutov/Developer/php-src/sapi/cli/php+0x604034) (BuildId: 7f40a5e3d3f7cd5a7175930181626fc3ef5632ee)
previously allocated by thread T0 here:
#0 0x7f210c6f7997 in malloc (/lib64/libasan.so.8+0xf7997) (BuildId: c1431025b5d8af781c22c9ceea71f065c547d32d)
#1 0x1508bd2 in tracked_malloc /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2832
#2 0x1506f7d in _malloc_custom /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2477
#3 0x1507349 in _emalloc /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2596
#4 0x193da1d in ZEND_BIND_GLOBAL_SPEC_CV_CONST_HANDLER /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:43386
#5 0x19bb2c0 in execute_ex /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:59758
#6 0x15acabf in zend_call_function /home/ilutov/Developer/php-src/Zend/zend_execute_API.c:949
#7 0x15ae3ca in zend_call_known_function /home/ilutov/Developer/php-src/Zend/zend_execute_API.c:1043
#8 0x1a7f85a in zend_call_known_instance_method /home/ilutov/Developer/php-src/Zend/zend_API.h:753
#9 0x1a7f894 in zend_call_known_instance_method_with_0_params /home/ilutov/Developer/php-src/Zend/zend_API.h:759
#10 0x1a99302 in zend_std_cast_object_tostring /home/ilutov/Developer/php-src/Zend/zend_object_handlers.c:1871
#11 0x1626c5e in zend_parse_arg_str_weak /home/ilutov/Developer/php-src/Zend/zend_API.c:671
#12 0x16e6343 in zend_verify_weak_scalar_type_hint /home/ilutov/Developer/php-src/Zend/zend_execute.c:745
#13 0x16e69b4 in zend_verify_scalar_type_hint /home/ilutov/Developer/php-src/Zend/zend_execute.c:812
#14 0x16e8432 in i_zend_check_property_type /home/ilutov/Developer/php-src/Zend/zend_execute.c:947
#15 0x16e8464 in i_zend_verify_property_type /home/ilutov/Developer/php-src/Zend/zend_execute.c:952
#16 0x16e84b5 in zend_verify_property_type /home/ilutov/Developer/php-src/Zend/zend_execute.c:961
#17 0x1a8a0b6 in zend_std_write_property /home/ilutov/Developer/php-src/Zend/zend_object_handlers.c:892
#18 0x1928c40 in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_OP_DATA_CV_HANDLER /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:41614
#19 0x19ba9db in execute_ex /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:59666
#20 0x19bf38a in zend_execute /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:60439
#21 0x16192cf in zend_execute_scripts /home/ilutov/Developer/php-src/Zend/zend.c:1840
#22 0x13bd096 in php_execute_script /home/ilutov/Developer/php-src/main/main.c:2578
#23 0x1d4ad18 in do_cli /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:964
#24 0x1d4d36e in main %s:%d
#25 0x7f210ba39087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
#26 0x7f210ba3914a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a14a) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
#27 0x604034 in _start (/home/ilutov/Developer/php-src/sapi/cli/php+0x604034) (BuildId: 7f40a5e3d3f7cd5a7175930181626fc3ef5632ee)
SUMMARY: AddressSanitizer: heap-use-after-free /home/ilutov/Developer/php-src/Zend/zend_types.h:1228 in zend_gc_delref
Shadow bytes around the buggy address:
0x50300002a900: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
0x50300002a980: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
0x50300002aa00: fd fd fd fd fa fa 00 00 00 00 fa fa fd fd fd fd
0x50300002aa80: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x50300002ab00: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
=>0x50300002ab80:[fd]fd fd fd fa fa 00 00 00 01 fa fa fa fa fa fa
0x50300002ac00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50300002ac80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50300002ad00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50300002ad80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50300002ae00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3196108==ABORTING
```
PHP Version
PHP 8.2+
Operating System
No response
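The two stack traces show a familiar engine-hardening pattern: `zend_std_write_property` keeps a pointer to its operand while it runs user code (`__toString`, reached through the typed-property coercion), that user code rebinds the very variable the operand came from, and the engine then touches the operand again. The C below is an added, simplified model of that pattern and of the usual fix (take an owned reference to the operand for the duration of the callback); it is not php-src code. The `value`, `slot` and `coerce_hook` types, the `hostile_tostring`/`benign_tostring` hooks and the `freed` instrumentation flag are constructed for the model, which collapses Zend's reference wrapper and zval into one refcounted value and keeps released memory around so the use-after-free can be observed rather than crashing.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Refcounted engine value, standing in for a zval/zend_refcounted.  `freed` is
 * instrumentation only: a released value keeps its memory so the demo can
 * observe a use-after-free instead of crashing (a real engine would efree()). */
typedef struct value {
    int refcount;
    bool freed;
    const char *kind;   /* "object", "array", ... */
} value;

static value *value_new(const char *kind) {
    value *v = calloc(1, sizeof *v);   /* deliberately never free()d: see `freed` */
    if (!v) abort();
    v->refcount = 1;
    v->kind = kind;
    return v;
}

static void value_addref(value *v) { v->refcount++; }

static void value_release(value *v) {
    if (--v->refcount == 0) v->freed = true;   /* engine: rc_dtor_func -> efree */
}

/* A variable slot: a CV or symbol-table entry such as the global $c. */
typedef struct { value *val; } slot;

/* `$c = ...`: own the new value, release the old one. */
static void slot_assign(slot *s, value *nv) {
    value *old = s->val;
    s->val = nv;
    if (old) value_release(old);
}

/* A coercion hook models user code (__toString) run in the middle of a property
 * write.  It may reach any global slot; returning false models a thrown exception. */
typedef bool (*coerce_hook)(slot *global_c);

/* The report's __toString: `global $c; $c = []; throw new Exception();` */
static bool hostile_tostring(slot *global_c) {
    slot_assign(global_c, value_new("array"));
    return false;
}

/* A well-behaved __toString that touches nothing and succeeds. */
static bool benign_tostring(slot *global_c) {
    (void)global_c;
    return true;
}

/* Vulnerable shape: borrow a pointer into the operand slot, run user code, then
 * use the pointer again.  *touched_freed reports whether that final use hit a
 * released value, i.e. the heap-use-after-free in the ASan report. */
static bool write_property_unsafe(slot *global_c, coerce_hook hook, bool *touched_freed) {
    value *operand = global_c->val;       /* borrowed: no addref */
    bool ok = hook(global_c);             /* hostile hook reassigns $c here */
    *touched_freed = operand->freed;      /* engine dereferences operand again */
    return ok && strcmp(operand->kind, "object") == 0;
}

/* Hardened shape: hold an owned reference to the operand across the callback,
 * so whatever user code does to the slot, the value being written stays alive
 * until the write is finished with it. */
static bool write_property_safe(slot *global_c, coerce_hook hook, bool *touched_freed) {
    value *operand = global_c->val;
    value_addref(operand);                /* engine: copy/addref into a temporary */
    bool ok = hook(global_c);
    *touched_freed = operand->freed;      /* always false: we still own it */
    bool is_object = strcmp(operand->kind, "object") == 0;
    value_release(operand);               /* drop our hold; frees only if the slot let go */
    return ok && is_object;
}

int main(void) {
    bool touched;
    slot c1 = { value_new("object") };
    write_property_unsafe(&c1, hostile_tostring, &touched);
    printf("unsafe + hostile __toString: used freed value = %s\n", touched ? "yes" : "no");
    slot c2 = { value_new("object") };
    write_property_safe(&c2, hostile_tostring, &touched);
    printf("safe   + hostile __toString: used freed value = %s\n", touched ? "yes" : "no");
    return 0;
}
```

The model deliberately does not free memory, so a sanitizer will not flag it; the `freed` flag plays ASan's role. The design point it shows is the one the trace implies: any engine routine that calls back into user code must assume every variable slot it can see has been reassigned by the time the call returns, and must own (not borrow) whatever it still needs afterwards.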