Assertion Failure in zend_array_recalc_elements (zend_hash.c:464)

[vi3tL0u1s]

Description

The following fuzzer-generated input:

https://github.com/vi3tL0u1s/poc/blob/master/php-src-assertion-zend_array_recalc_elements

Resulted in this output:

php: /path/to/php-src/Zend/zend_hash.c:464: uint32_t zend_array_recalc_elements(const HashTable *): Assertion `!(((__ht)->u.flags & (1<<2)) != 0)' failed.
Aborted

To reproduce:

curl -s https://raw.githubusercontent.com/vi3tL0u1s/poc/master/php-src-assertion-zend_array_recalc_elements | ./php-src/sapi/cli/php

Commit:

908a3cce92e3

Configurations:

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic

PHP Version

PHP 8.5.0-dev (cli) (built: Sep 15 2025 20:38:21) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.5.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.0-dev, Copyright (c), by Zend Technologies

Operating System

Ubuntu 22.04

[iluuu1994]

Thanks! Minimized reproducer:

const A = 'a';

$a = [NULL];
unset(${A});

$a = $GLOBALS;
rsort($a);
serialize($a);