Merge branch 'PHP-7.3' into PHP-7.4

dstogov · dstogov · commit 1456467cfe19 · 2019-08-09T15:58:33.000+03:00
* PHP-7.3:
  Fixed second part of the bug #78379 (Cast to object confuses GC, causes crash)
diff --git a/Zend/tests/bug78379_2.phpt b/Zend/tests/bug78379_2.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #78379.2 (Cast to object confuses GC, causes crash)
+--FILE--
+<?php
+class E {}
+function f() {
+	$e1 = new E;
+	$e2 = new E;
+	$a = ['e2' => $e2];
+	$e1->a = (object)$a;
+	$e2->e1 = $e1;
+	$e2->a = (object)$a;
+}
+f();
+gc_collect_cycles();
+echo "End\n";
+?>
+--EXPECT--
+End
diff --git a/Zend/zend_gc.c b/Zend/zend_gc.c
@@ -701,11 +701,14 @@ static void gc_scan_black(zend_refcounted *ref, gc_stack *stack)
 			ZVAL_OBJ(&tmp, obj);
 			ht = obj->handlers->get_gc(&tmp, &zv, &n);
 			end = zv + n;
-			if (EXPECTED(!ht)) {
+			if (EXPECTED(!ht) || UNEXPECTED(GC_REF_CHECK_COLOR(ht, GC_BLACK))) {
+				ht = NULL;
 				if (!n) goto next;
 				while (!Z_REFCOUNTED_P(--end)) {
 					if (zv == end) goto next;
 				}
+			} else {
+				GC_REF_SET_BLACK(ht);
 			}
 			while (zv != end) {
 				if (Z_REFCOUNTED_P(zv)) {
@@ -818,11 +821,14 @@ static void gc_mark_grey(zend_refcounted *ref, gc_stack *stack)
 				ZVAL_OBJ(&tmp, obj);
 				ht = obj->handlers->get_gc(&tmp, &zv, &n);
 				end = zv + n;
-				if (EXPECTED(!ht)) {
+				if (EXPECTED(!ht) || UNEXPECTED(GC_REF_CHECK_COLOR(ht, GC_GREY))) {
+					ht = NULL;
 					if (!n) goto next;
 					while (!Z_REFCOUNTED_P(--end)) {
 						if (zv == end) goto next;
 					}
+				} else {
+					GC_REF_SET_COLOR(ht, GC_GREY);
 				}
 				while (zv != end) {
 					if (Z_REFCOUNTED_P(zv)) {
@@ -1006,11 +1012,14 @@ static void gc_scan(zend_refcounted *ref, gc_stack *stack)
 					ZVAL_OBJ(&tmp, obj);
 					ht = obj->handlers->get_gc(&tmp, &zv, &n);
 					end = zv + n;
-					if (EXPECTED(!ht)) {
+					if (EXPECTED(!ht) || UNEXPECTED(!GC_REF_CHECK_COLOR(ht, GC_GREY))) {
+						ht = NULL;
 						if (!n) goto next;
 						while (!Z_REFCOUNTED_P(--end)) {
 							if (zv == end) goto next;
 						}
+					} else {
+						GC_REF_SET_COLOR(ht, GC_WHITE);
 					}
 					while (zv != end) {
 						if (Z_REFCOUNTED_P(zv)) {
@@ -1175,7 +1184,8 @@ static int gc_collect_white(zend_refcounted *ref, uint32_t *flags, gc_stack *sta
 				ZVAL_OBJ(&tmp, obj);
 				ht = obj->handlers->get_gc(&tmp, &zv, &n);
 				end = zv + n;
-				if (EXPECTED(!ht)) {
+				if (EXPECTED(!ht) || UNEXPECTED(GC_REF_CHECK_COLOR(ht, GC_BLACK))) {
+					ht = NULL;
 					if (!n) goto next;
 					while (!Z_REFCOUNTED_P(--end)) {
 						/* count non-refcounted for compatibility ??? */
@@ -1184,6 +1194,8 @@ static int gc_collect_white(zend_refcounted *ref, uint32_t *flags, gc_stack *sta
 						}
 						if (zv == end) goto next;
 					}
+				} else {
+					GC_REF_SET_BLACK(ht);
 				}
 				while (zv != end) {
 					if (Z_REFCOUNTED_P(zv)) {
