Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite)
authorXinchen Hui <laruence@php.net>
Thu, 18 Oct 2012 07:49:37 +0000 (15:49 +0800)
committerXinchen Hui <laruence@php.net>
Thu, 18 Oct 2012 07:49:37 +0000 (15:49 +0800)
This should also fix various segfaults whose backtraces show the crash in zval_mark_grey

NEWS
Zend/tests/bug63055.phpt [new file with mode: 0644]
Zend/zend_gc.h

diff --git a/NEWS b/NEWS
index eca66987eb7b259b29a80ae6e42806dac010d26c..06bdf3dbbeab7c1658a87940f014161625b671bd 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2012, PHP 5.4.9
 
+- Core:
+  . Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite). (Laruence)
+
 - Fileinfo:
   . Fixed bug #63248 (Load multiple magic files from a directory under Windows).
     (Anatoliy)
diff --git a/Zend/tests/bug63055.phpt b/Zend/tests/bug63055.phpt
new file mode 100644 (file)
index 0000000..0901e5b
--- /dev/null
@@ -0,0 +1,23 @@
+--TEST--
+Bug #63055 (Segfault in zend_gc with SF2 testsuite)
+--FILE--
+<?php
+for ($i=0; $i<9998; $i++) {
+    $array = array();
+    $array[0] = &$array;
+    unset($array);
+}
+
+$matches = array("foo" => "bar");
+$dummy   = array("dummy");
+$dummy[1] = &$dummy;
+
+$matches[1] = &$matches;
+$matches[2] = $dummy;
+
+$ma         = $matches;
+preg_match_all("/(\d)+/", "foo123456bar", $matches);
+echo "okey";
+?>
+--EXPECTF--
+okey
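Review bot: The loop bound `9998` and the self-referencing `$dummy`/`$matches` setup carry no explanation, so a later reader cannot tell which garbage-collector state this regression test depends on. The count presumably leaves the GC root buffer just short of full, so that destroying the old `$matches` inside `preg_match_all()` forces a collection. If that is the intent, state it above the loop, e.g. `// nearly fill the GC root buffer so the next possible root triggers a collection`. Without that, a change to the buffer size could leave the test passing while no longer reaching the crash path. Separately, `--EXPECTF--` is used without any format placeholder; `--EXPECT--` is sufficient here.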
index ba30b3aa3badd4e9218485add9a02ccaf61791d4..1f86f19b71f0aa9de5951dc67adb238ad54e83eb 100644 (file)
@@ -179,7 +179,7 @@ END_EXTERN_C()
 
 static zend_always_inline void gc_zval_check_possible_root(zval *z TSRMLS_DC)
 {
-       if (z->type == IS_ARRAY || z->type == IS_OBJECT) {
+       if ((z->type == IS_ARRAY && !z->value.ht->inconsistent) || z->type == IS_OBJECT) {
                gc_zval_possible_root(z TSRMLS_CC);
        }
 }
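Review bot: The new condition reads `z->value.ht->inconsistent`, a `HashTable` member that, as far as I recall, is declared only under `#if ZEND_DEBUG`. If that holds on this branch, a non-debug build will fail to compile this header, and the guard cannot exist in the release builds where the segfault was reported. Even in debug builds the field is a consistency-check marker, not a documented lifecycle state, so GC safety should not rest on it. Consider keying the check on state that is present in every build configuration. A comment on the condition would also help, e.g. `/* an array that is being destroyed must not be registered as a possible root */`, which is the intent I infer from the commit description.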