Handle reallocated root buffer during GC destroy phase (v2)

TysonAndre · TysonAndre · commit a9a1f40d7db1 · 2019-11-19T19:15:15.000-05:00
We no longer protect GC during the destroy phase, so we need to
deal with buffer reallocation.

Note that the implementation of spl_SplObjectStorage_free_storage
will call the destructor of SplObjectStorage, and free the instance properties,
which I think is what caused the root buffer to be reallocated.

This fixes bug #78811 for me.
diff --git a/Zend/zend_gc.c b/Zend/zend_gc.c
@@ -1555,6 +1555,8 @@ ZEND_API int zend_gc_collect_cycles(void)
 						GC_ADD_FLAGS(obj, IS_OBJ_FREE_CALLED);
 						GC_ADDREF(obj);
 						obj->handlers->free_obj(obj);
+						current = GC_IDX2PTR(idx);  // bug #78811: free_obj() can cause the root buffer to be reallocated.
+						obj = (zend_object*)GC_GET_PTR(current->ref);
 						GC_DELREF(obj);
 					}
 

Original file line number	Diff line number	Diff line change
`@@ -1555,6 +1555,8 @@ ZEND_API int zend_gc_collect_cycles(void)`
`1555`	`1555`	`GC_ADD_FLAGS(obj, IS_OBJ_FREE_CALLED);`
`1556`	`1556`	`GC_ADDREF(obj);`
`1557`	`1557`	`obj->handlers->free_obj(obj);`
	`1558`	`+ current = GC_IDX2PTR(idx); // bug #78811: free_obj() can cause the root buffer to be reallocated.`
	`1559`	`+ obj = (zend_object*)GC_GET_PTR(current->ref);`
`1558`	`1560`	`GC_DELREF(obj);`
`1559`	`1561`	`}`
`1560`	`1562`