Prevented crash in GC because of incorrect reference counting

author Dmitry Stogov <dmitry@php.net>

Thu, 30 Sep 2010 14:11:51 +0000 (14:11 +0000)

committer Dmitry Stogov <dmitry@php.net>

Thu, 30 Sep 2010 14:11:51 +0000 (14:11 +0000)
author Dmitry Stogov <dmitry@php.net>
Thu, 30 Sep 2010 14:11:51 +0000 (14:11 +0000)
committer Dmitry Stogov <dmitry@php.net>
Thu, 30 Sep 2010 14:11:51 +0000 (14:11 +0000)
diff --git a/Zend/tests/gc_032.phpt b/Zend/tests/gc_032.phpt

new file mode 100644 (file)

index 0000000..615b008
--- /dev/null
+++ b/Zend/tests/gc_032.phpt
@@ -0,0 +1,40 @@
+--TEST--
+GC 032: Crash in GC because of invalid reference counting
+--FILE--
+<?php
+$a = array();
+$b =& $a;
+$a[0] = $a;
+debug_zval_dump($a);
+$a = array(array());
+$b =& $a;
+$a[0][0] = $a;
+debug_zval_dump($a);
+?>
+--EXPECT--
+array(1) refcount(1){
+  [0]=>
+  array(1) refcount(3){
+    [0]=>
+    array(1) refcount(3){
+      [0]=>
+      *RECURSION*
+    }
+  }
+}
+array(1) refcount(1){
+  [0]=>
+  array(1) refcount(3){
+    [0]=>
+    array(1) refcount(1){
+      [0]=>
+      array(1) refcount(3){
+        [0]=>
+        array(1) refcount(1){
+          [0]=>
+          *RECURSION*
+        }
+      }
+    }
+  }
+}
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c

index fc91fbc926562c96658b569eb6382e1bb28bdd42..f21ccc154507098bff10eb832c48c9953a9a63b0 100644 (file)
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -919,9 +919,9 @@ static inline zval* zend_assign_to_variable(zval **variable_ptr_ptr, zval *value
                         GC_ZVAL_CHECK_POSSIBLE_ROOT(variable_ptr);
                         if (PZVAL_IS_REF(value) && Z_REFCOUNT_P(value) > 0) {
                                 ALLOC_ZVAL(variable_ptr);
+                               *variable_ptr_ptr = variable_ptr;
                                 INIT_PZVAL_COPY(variable_ptr, value);
                                 zval_copy_ctor(variable_ptr);
-                               *variable_ptr_ptr = variable_ptr;
                                 return variable_ptr;
                         } else {
                                 *variable_ptr_ptr = value;
author	Dmitry Stogov <dmitry@php.net>
	Thu, 30 Sep 2010 14:11:51 +0000 (14:11 +0000)
committer	Dmitry Stogov <dmitry@php.net>
	Thu, 30 Sep 2010 14:11:51 +0000 (14:11 +0000)
Zend/tests/gc_032.phpt	[new file with mode: 0644]	patch \| blob
Zend/zend_execute.c		patch \| blob \| history