Use-after-free in extract() with EXTR_REFS

[iluuu1994]

Fixes GH-18209

[nielsdos]

We should be using some try_assign stuff anyway, otherwise this is still broken:

<?php

class C {
    public function __destruct() {
        var_dump($GLOBALS['b']);
        $GLOBALS['b'] = 43;
    }
}

class D {
    public static C $x;
}

D::$x = new C;
$b =& D::$x;

$array = ['b' => 42];
extract($array, EXTR_REFS);

var_dump($b);
var_dump(D::$x); // 42! type system broke :(

EDIT: NVM as pointed out on Slack (sorry!)

[iluuu1994]

Ugh, I hate references. Relevant, maybe in 10 years we can get rid of them. 🥲

[iluuu1994]

As mentioned privately, the example is actually correct. The first two prints come from the var_dump()s in main, the last one comes from __destruct(). C is only destroyed during shutdown as D::$x holds on to it.

I will change this to use zend_safe_assign_to_variable_noref() on master, as you have suggested in Slack. 🙂

[iluuu1994]

Turns out we can't use zend_safe_assign_to_variable_noref() specifically because semantics are weird, and we're writing over existing references. However, zend_safe_assign_to_variable_noref() asserts that the variable written to is not a reference, assuming any references would have been DEREFed, which is generally the correct thing to do.