Fixed bug #47329 (Crash in garbage collector)

diff --git a/NEWS b/NEWS
index ef89228a81b31b05df68df6d6e49a5892068107c..918e8fb23bedfd7744fa5564c3b3b352f25e4452 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2009, PHP 5.3.0 Beta 2
+- Fixed bug #47329 (Crash in garbage collector). (Dmitry)
 - Fixed bug #47320 ($php_errormsg out of scope in functions). (Dmitry)
 - Fixed bug #47265 (generating phar.phar failes because of safe_mode). (Greg)
 - Fixed bug #47229 (preg_quote() should escape the '-' char). (Nuno)

diff --git a/ext/standard/array.c b/ext/standard/array.c
index 9bf53e1b2508c067780ff207e27b54b70d277eef..4337fd3dc6f624374193a55052dbd5f4e115172a 100644 (file)
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -1965,6 +1965,7 @@ PHP_FUNCTION(array_unshift)
        zval ***args,                   /* Function arguments array */
                   *stack;                      /* Input stack */
        HashTable *new_hash;    /* New hashtable for the stack */
+       HashTable  old_hash;
        int argc;                               /* Number of function arguments */
        
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "a+", &stack, &args, &argc) == FAILURE) {
@@ -1974,12 +1975,13 @@ PHP_FUNCTION(array_unshift)
        /* Use splice to insert the elements at the beginning. Destroy old
         * hashtable and replace it with new one */
        new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[0], argc, NULL);
-       zend_hash_destroy(Z_ARRVAL_P(stack));
+       old_hash = *Z_ARRVAL_P(stack);
        if (Z_ARRVAL_P(stack) == &EG(symbol_table)) {
                zend_reset_all_cv(&EG(symbol_table) TSRMLS_CC);
        }
        *Z_ARRVAL_P(stack) = *new_hash;
        FREE_HASHTABLE(new_hash);
+       zend_hash_destroy(&old_hash);
 
        /* Clean up and return the number of elements in the stack */
        efree(args);
@@ -1996,6 +1998,7 @@ PHP_FUNCTION(array_splice)
                 ***repl = NULL;                /* Replacement elements */
        HashTable *new_hash = NULL,     /* Output array's hash */
                 **rem_hash = NULL;     /* Removed elements' hash */
+       HashTable  old_hash;
        Bucket *p;                                      /* Bucket used for traversing hash */
        long    i,
                        offset,
@@ -2053,12 +2056,13 @@ PHP_FUNCTION(array_splice)
        new_hash = php_splice(Z_ARRVAL_P(array), offset, length, repl, repl_num, rem_hash);
 
        /* Replace input array's hashtable with the new one */
-       zend_hash_destroy(Z_ARRVAL_P(array));
+       old_hash = *Z_ARRVAL_P(array);
        if (Z_ARRVAL_P(array) == &EG(symbol_table)) {
                zend_reset_all_cv(&EG(symbol_table) TSRMLS_CC);
        }
        *Z_ARRVAL_P(array) = *new_hash;
        FREE_HASHTABLE(new_hash);
+       zend_hash_destroy(&old_hash);
 
        /* Clean up */
        if (ZEND_NUM_ARGS() == 4) {
@@ -2532,6 +2536,7 @@ PHP_FUNCTION(array_pad)
        zval  *pad_value;       /* Padding value obviously */
        zval ***pads;           /* Array to pass to splice */
        HashTable *new_hash;/* Return value from splice */
+       HashTable  old_hash;
        long pad_size;          /* Size to pad to */
        long pad_size_abs;      /* Absolute value of pad_size */
        int     input_size;             /* Size of the input array */
@@ -2581,12 +2586,13 @@ PHP_FUNCTION(array_pad)
        }
 
        /* Copy the result hash into return value */
-       zend_hash_destroy(Z_ARRVAL_P(return_value));
+       old_hash = *Z_ARRVAL_P(return_value);
        if (Z_ARRVAL_P(return_value) == &EG(symbol_table)) {
                zend_reset_all_cv(&EG(symbol_table) TSRMLS_CC);
        }
        *Z_ARRVAL_P(return_value) = *new_hash;
        FREE_HASHTABLE(new_hash);
+       zend_hash_destroy(&old_hash);
 
        /* Clean up */
        efree(pads);