Description
The following code, run against a nightly (AddressSanitizer-instrumented) build of php-src:
<?php

/*
 * Reproducer for a heap-use-after-free in ext/spl.
 *
 * The subclass below makes offsetGet() return a freshly created BcMath\Number
 * instead of the stored one. When empty() is evaluated on such an offset, the
 * engine goes ZEND_ISSET_ISEMPTY_DIM_OBJ -> zend_isempty_dim_slow ->
 * spl_array_has_dimension_ex, which calls the user offsetGet() and then
 * zend_is_true() on the result. The ASan report shows the temporary object
 * being freed (zend_objects_store_del, spl_array.c:669) before zend_is_true()
 * reads it (spl_array.c:673) -- i.e. the engine drops its reference too early.
 */
class ArrayObjectWithBcMath extends ArrayObject
{
    /**
     * Returns the stored value; a stored BcMath\Number is replaced by a new
     * object (powmod(2, 3)), so callers receive a short-lived temporary.
     *
     * @param mixed $offset Array key looked up in the underlying storage.
     */
    public function offsetGet($offset): mixed
    {
        $stored = parent::offsetGet($offset);

        return $stored instanceof BcMath\Number
            ? $stored->powmod(2, 3)
            : $stored;
    }

    /**
     * Stores a BcMath\Number under a rot13-transformed key (and as powmod(2, 3)
     * of the original); anything else is stored unchanged.
     *
     * NOTE(review): the array handed to the constructor below presumably does
     * not pass through this method, which is what the final 'sbb' (rot13 of
     * 'foo') lookup probes -- verify against ArrayObject::__construct.
     *
     * @param mixed $offset Array key.
     * @param mixed $value  Value to store.
     */
    public function offsetSet($offset, $value): void
    {
        if (!($value instanceof BcMath\Number)) {
            parent::offsetSet($offset, $value);
            return;
        }

        parent::offsetSet(str_rot13($offset), $value->powmod(2, 3));
    }
}

// Seed storage: three scalars plus one BcMath\Number ('qux'), which is the
// only entry that makes offsetGet() hand back a temporary object.
$seed = [
    'foo' => '',
    'bar' => null,
    'baz' => 42,
    'qux' => new BcMath\Number(12),
];
$ao = new ArrayObjectWithBcMath($seed);

// For each key: direct read, isset(), empty(). The empty() on 'qux' is the
// call that trips ASan in the report below.
var_dump($ao->offsetGet('foo'), isset($ao['foo']), empty($ao['foo']));
var_dump($ao->offsetGet('bar'), isset($ao['bar']), empty($ao['bar']));
var_dump($ao->offsetGet('baz'), isset($ao['baz']), empty($ao['baz']));
var_dump($ao->offsetGet('qux'), isset($ao['qux']), empty($ao['qux']));
var_dump($ao->offsetGet('sbb'), isset($ao['sbb']), empty($ao['sbb']));
Resulted in this AddressSanitizer report: a heap-use-after-free in `spl_array_has_dimension_ex` (ext/spl/spl_array.c), reached from `empty()` on the ArrayObject subclass. The temporary `BcMath\Number` returned by the user-level `offsetGet()` is released (`zend_objects_store_del`, spl_array.c:669) before `zend_is_true` reads it (spl_array.c:673):
==2226394==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000847d0 at pc 0x556caeaa6327 bp 0x7ffcbf612500 sp 0x7ffcbf6124f0READ of size 8 at 0x6060000847d0 thread T0 #0 0x556caeaa6326 in i_zend_is_true /home/w023dtc/nightly_php/php-src/Zend/zend_operators.h:424 #1 0x556caeaa6326 in zend_is_true /home/w023dtc/nightly_php/php-src/Zend/zend_operators.c:2840 #2 0x556cade80d9d in spl_array_has_dimension_ex /home/w023dtc/nightly_php/php-src/ext/spl/spl_array.c:673 #3 0x556cade816d9 in spl_array_has_dimension /home/w023dtc/nightly_php/php-src/ext/spl/spl_array.c:678 #4 0x556cae653afb in zend_isempty_dim_slow /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:3176 #5 0x556cae7e1374 in ZEND_ISSET_ISEMPTY_DIM_OBJ_SPEC_CV_CONST_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:45426 #6 0x556cae8f5fce in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:63386 #7 0x556cae950b0f in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:64247 #8 0x556caeb13bef in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1941 #9 0x556cae2bc1e3 in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2584 #10 0x556caeb19285 in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:938 #11 0x556cacea4c32 in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1313 #12 0x14e0e50b8d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) #13 0x14e0e50b8e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) #14 0x556cacea5f84 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x2d77f84)0x6060000847d0 is located 48 bytes inside of 64-byte region [0x6060000847a0,0x6060000847e0)freed by thread T0 here: #0 0x14e0e8eba537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 #1 0x556caea8a7d0 in zend_objects_store_del /home/w023dtc/nightly_php/php-src/Zend/zend_objects_API.c:198 #2 0x556cade80f8e in spl_array_has_dimension_ex 
/home/w023dtc/nightly_php/php-src/ext/spl/spl_array.c:669 #3 0x556cade816d9 in spl_array_has_dimension /home/w023dtc/nightly_php/php-src/ext/spl/spl_array.c:678 #4 0x556cae653afb in zend_isempty_dim_slow /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:3176 #5 0x556cae7e1374 in ZEND_ISSET_ISEMPTY_DIM_OBJ_SPEC_CV_CONST_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:45426 #6 0x556cae8f5fce in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:63386 #7 0x556cae950b0f in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:64247 #8 0x556caeb13bef in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1941 #9 0x556cae2bc1e3 in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2584 #10 0x556caeb19285 in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:938 #11 0x556cacea4c32 in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1313 #12 0x14e0e50b8d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)previously allocated by thread T0 here: #0 0x14e0e8eba887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x556cae4c90c4 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3280 #2 0x556cad1d3884 in zend_object_alloc /home/w023dtc/nightly_php/php-src/Zend/zend_objects_API.h:94 #3 0x556cad1d3884 in bcmath_number_create /home/w023dtc/nightly_php/php-src/ext/bcmath/bcmath.c:885 #4 0x556cad1e429f in bcmath_number_new_obj /home/w023dtc/nightly_php/php-src/ext/bcmath/bcmath.c:1161 #5 0x556cad1e429f in zim_BcMath_Number_powmod /home/w023dtc/nightly_php/php-src/ext/bcmath/bcmath.c:1644 #6 0x556cae93f278 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2037 #7 0x556cae93f278 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:58865 #8 0x556cae624ef4 in zend_call_function /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:1008 #9 0x556cae6270e7 in 
zend_call_known_function /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:1102 #10 0x556caea0fe7f in zend_call_method /home/w023dtc/nightly_php/php-src/Zend/zend_interfaces.c:83 #11 0x556cade81840 in zend_call_method_with_1_params /home/w023dtc/nightly_php/php-src/Zend/zend_interfaces.h:52 #12 0x556cade81840 in spl_array_read_dimension_ex /home/w023dtc/nightly_php/php-src/ext/spl/spl_array.c:437 #13 0x556cade80d69 in spl_array_has_dimension_ex /home/w023dtc/nightly_php/php-src/ext/spl/spl_array.c:662 #14 0x556cade816d9 in spl_array_has_dimension /home/w023dtc/nightly_php/php-src/ext/spl/spl_array.c:678 #15 0x556cae653afb in zend_isempty_dim_slow /home/w023dtc/nightly_php/php-src/Zend/zend_execute.c:3176 #16 0x556cae7e1374 in ZEND_ISSET_ISEMPTY_DIM_OBJ_SPEC_CV_CONST_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:45426 #17 0x556cae8f5fce in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:63386 #18 0x556cae950b0f in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:64247 #19 0x556caeb13bef in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1941 #20 0x556cae2bc1e3 in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2584 #21 0x556caeb19285 in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:938 #22 0x556cacea4c32 in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1313 #23 0x14e0e50b8d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)SUMMARY: AddressSanitizer: heap-use-after-free /home/w023dtc/nightly_php/php-src/Zend/zend_operators.h:424 in i_zend_is_trueShadow bytes around the buggy address: 0x0c0c800088a0: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00 0x0c0c800088b0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 fa 0x0c0c800088c0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa 0x0c0c800088d0: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00 0x0c0c800088e0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00=>0x0c0c800088f0: fa fa fa fa fd fd fd fd fd 
fd[fd]fd fa fa fa fa 0x0c0c80008900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c80008910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c80008920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c80008930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c80008940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa faShadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc==2226394==ABORTING
PHP Version
nightly
Operating System
ubuntu 22.04