Fixed bug #73960

diff --git a/NEWS b/NEWS
index 485896272f70110c452eeaf58c7642bf957e51ad..b598d4ddd00a35defb384a7f0d65c323f47506c3 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug #73370 (falsely exits with "Out of Memory" when using
     USE_ZEND_ALLOC=0). (Nikita)
+  . Fixed bug #73960 (Leak with instance method calling static method with
+    referenced return). (Nikita)
 
 - Date:
   . Fixed bug #72096 (Swatch time value incorrect for dates before 1970). (mcq8)

diff --git a/Zend/tests/bug73960.phpt b/Zend/tests/bug73960.phpt
new file mode 100644 (file)
index 0000000..533c87a
--- /dev/null
+++ b/Zend/tests/bug73960.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #73960: Leak with instance method calling static method with referenced return
+--FILE--
+<?php
+
+$value = 'one';
+$array = array($value);
+$array = $ref =& $array;
+var_dump($array);
+
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(3) "one"
+}

diff --git a/Zend/zend_execute.h b/Zend/zend_execute.h
index d98fe053439b5fd39d43aa51343c759de1b09375..f010f0a45d21d9294c2c0cb0f5c2f7b324aca14c 100644 (file)
--- a/Zend/zend_execute.h
+++ b/Zend/zend_execute.h
@@ -79,6 +79,10 @@ static zend_always_inline zval* zend_assign_to_variable(zval *variable_ptr, zval
                                return variable_ptr;
                        }
                        if (ZEND_CONST_COND(value_type & (IS_VAR|IS_CV), 1) && variable_ptr == value) {
+                               if (value_type == IS_VAR && ref) {
+                                       ZEND_ASSERT(GC_REFCOUNT(ref) > 1);
+                                       --GC_REFCOUNT(ref);
+                               }
                                return variable_ptr;
                        }
                        garbage = Z_COUNTED_P(variable_ptr);