From: Xinchen Hui <laruence@php.net>
Date: Thu, 18 Oct 2012 07:49:37 +0000 (+0800)
Subject: Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite)
X-Git-Tag: php-5.5.0alpha1~27^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ccc519b7a92bfe4b191c0e2e3869516171247ac2;p=php

Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite)

This should also fixed various segfaults which the bt looks like cored in zval_mark_grey
---

diff --git a/NEWS b/NEWS
index eca66987eb..06bdf3dbbe 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2012, PHP 5.4.9
 
+- Core:
+  . Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite). (Laruence)
+
 - Fileinfo:
   . Fixed bug #63248 (Load multiple magic files from a directory under Windows).
     (Anatoliy)
diff --git a/Zend/tests/bug63055.phpt b/Zend/tests/bug63055.phpt
new file mode 100644
index 0000000000..0901e5b34e
--- /dev/null
+++ b/Zend/tests/bug63055.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #63055 (Segfault in zend_gc with SF2 testsuite)
+--FILE--
+<?php
+for ($i=0; $i<9998; $i++) {
+    $array = array();
+    $array[0] = &$array;
+    unset($array);
+}
+
+$matches = array("foo" => "bar");
+$dummy   = array("dummy");
+$dummy[1] = &$dummy;
+
+$matches[1] = &$matches;
+$matches[2] = $dummy;
+
+$ma         = $matches;
+preg_match_all("/(\d)+/", "foo123456bar", $matches);
+echo "okey";
+?>
+--EXPECTF--
+okey
diff --git a/Zend/zend_gc.h b/Zend/zend_gc.h
index ba30b3aa3b..1f86f19b71 100644
--- a/Zend/zend_gc.h
+++ b/Zend/zend_gc.h
@@ -179,7 +179,7 @@ END_EXTERN_C()
 
 static zend_always_inline void gc_zval_check_possible_root(zval *z TSRMLS_DC)
 {
-	if (z->type == IS_ARRAY || z->type == IS_OBJECT) {
+	if ((z->type == IS_ARRAY && !z->value.ht->inconsistent) || z->type == IS_OBJECT) {
 		gc_zval_possible_root(z TSRMLS_CC);
 	}
 }