From: Dmitry Stogov Date: Fri, 9 Aug 2019 12:58:44 +0000 (+0300) Subject: Merge branch 'PHP-7.4' X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a037a5bd33ef04a5eacb2d7962d1adf9c781de6d;p=php Merge branch 'PHP-7.4' * PHP-7.4: Fixed second part of the bug #78379 (Cast to object confuses GC, causes crash) --- a037a5bd33ef04a5eacb2d7962d1adf9c781de6d diff --cc Zend/zend_gc.c index 7a997a485d,97a7edaac2..e5c961d3d0 --- a/Zend/zend_gc.c +++ b/Zend/zend_gc.c @@@ -696,10 -696,13 +696,11 @@@ tail_call if (EXPECTED(!(OBJ_FLAGS(ref) & IS_OBJ_FREE_CALLED))) { int n; zval *zv, *end; - zval tmp; - ZVAL_OBJ(&tmp, obj); - ht = obj->handlers->get_gc(&tmp, &zv, &n); + ht = obj->handlers->get_gc(obj, &zv, &n); end = zv + n; - if (EXPECTED(!ht)) { + if (EXPECTED(!ht) || UNEXPECTED(GC_REF_CHECK_COLOR(ht, GC_BLACK))) { + ht = NULL; if (!n) goto next; while (!Z_REFCOUNTED_P(--end)) { if (zv == end) goto next; @@@ -811,10 -816,13 +814,11 @@@ static void gc_mark_grey(zend_refcounte if (EXPECTED(!(OBJ_FLAGS(ref) & IS_OBJ_FREE_CALLED))) { int n; zval *zv, *end; - zval tmp; - ZVAL_OBJ(&tmp, obj); - ht = obj->handlers->get_gc(&tmp, &zv, &n); + ht = obj->handlers->get_gc(obj, &zv, &n); end = zv + n; - if (EXPECTED(!ht)) { + if (EXPECTED(!ht) || UNEXPECTED(GC_REF_CHECK_COLOR(ht, GC_GREY))) { + ht = NULL; if (!n) goto next; while (!Z_REFCOUNTED_P(--end)) { if (zv == end) goto next; @@@ -997,10 -1007,13 +1003,11 @@@ tail_call if (EXPECTED(!(OBJ_FLAGS(ref) & IS_OBJ_FREE_CALLED))) { int n; zval *zv, *end; - zval tmp; - ZVAL_OBJ(&tmp, obj); - ht = obj->handlers->get_gc(&tmp, &zv, &n); + ht = obj->handlers->get_gc(obj, &zv, &n); end = zv + n; - if (EXPECTED(!ht)) { + if (EXPECTED(!ht) || UNEXPECTED(!GC_REF_CHECK_COLOR(ht, GC_GREY))) { + ht = NULL; if (!n) goto next; while (!Z_REFCOUNTED_P(--end)) { if (zv == end) goto next; @@@ -1165,9 -1181,11 +1174,10 @@@ static int gc_collect_white(zend_refcou || obj->ce->destructor != NULL)) { *flags |= GC_HAS_DESTRUCTORS; } - ZVAL_OBJ(&tmp, 
obj); - ht = obj->handlers->get_gc(&tmp, &zv, &n); + ht = obj->handlers->get_gc(obj, &zv, &n); end = zv + n; - if (EXPECTED(!ht)) { + if (EXPECTED(!ht) || UNEXPECTED(GC_REF_CHECK_COLOR(ht, GC_BLACK))) { + ht = NULL; if (!n) goto next; while (!Z_REFCOUNTED_P(--end)) { /* count non-refcounted for compatibility ??? */
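Review bot: The added `|| UNEXPECTED(GC_REF_CHECK_COLOR(ht, GC_BLACK))` test and `ht = NULL;` in this gc_collect_white hunk carry no comment saying why a table returned by `get_gc` is discarded, and the three earlier hunks (the two `tail_call` loops and gc_mark_grey) repeat the pattern with a different predicate each time: GC_BLACK, GC_GREY, negated GC_GREY, GC_BLACK. Going by the commit subject (bug #78379, cast to object confuses GC), this presumably skips a property table that is shared with another value and already carries the color this phase assigns, so only the `zv..end` slots are walked; each site should say so, e.g. `/* table already visited in this phase (may be shared after a cast to object): scan only zv..end */`. The negated test in the third hunk in particular reads like a typo without that comment, and because the commit subject ties a mistake in this area to a crash, the invariant needs to be written down where a reviewer can check it. All four enclosing functions start and end outside the hunks, so how the non-NULL `ht` path depends on the same color state cannot be confirmed from this diff.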