File: fix_crash_in_GC.patch

php5 5.3.3.1-7+squeeze29
  • in suites: squeeze-lts
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -714,8 +714,8 @@ static inline zval* zend_assign_to_varia
 					ALLOC_ZVAL(variable_ptr);
 					*variable_ptr_ptr = variable_ptr;
 					*variable_ptr = *value;
-					zval_copy_ctor(variable_ptr);
 					Z_SET_REFCOUNT_P(variable_ptr, 1);
+					zval_copy_ctor(variable_ptr);
 				} else {
 					*variable_ptr_ptr = value;
 					Z_ADDREF_P(value);
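Review bot: The new order of `Z_SET_REFCOUNT_P(variable_ptr, 1)` before `zval_copy_ctor(variable_ptr)` is load-bearing, but nothing in the code says so, and a later cleanup could swap the two calls back. `*variable_ptr_ptr` already points at the new zval when the copy runs, so for an array that ends up containing itself (the `$a[0] = $a` case in gc_032.phpt) the copy presumably takes a reference to `variable_ptr` itself, and resetting the count afterwards would discard that reference. An undercounted zval is the kind of error that ends in a premature free. I would add above the two calls `/* refcount must be set before zval_copy_ctor(): the copy may add references to variable_ptr itself, see Zend/tests/gc_032.phpt */`. The enclosing function starts and ends outside the hunk, so this reading rests only on the lines shown.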
--- /dev/null
+++ b/Zend/tests/gc_032.phpt
@@ -0,0 +1,40 @@
+--TEST--
+GC 032: Crash in GC because of invalid reference counting
+--FILE--
+<?php
+$a = array();
+$b =& $a;
+$a[0] = $a;
+debug_zval_dump($a);
+$a = array(array());
+$b =& $a;
+$a[0][0] = $a;
+debug_zval_dump($a);
+?>
+--EXPECT--
+array(1) refcount(1){
+  [0]=>
+  array(1) refcount(3){
+    [0]=>
+    array(1) refcount(3){
+      [0]=>
+      *RECURSION*
+    }
+  }
+}
+array(1) refcount(1){
+  [0]=>
+  array(1) refcount(3){
+    [0]=>
+    array(1) refcount(1){
+      [0]=>
+      array(1) refcount(3){
+        [0]=>
+        array(1) refcount(1){
+          [0]=>
+          *RECURSION*
+        }
+      }
+    }
+  }
+}
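Review bot: The script never runs the collector, so the test pins the refcounts printed by `debug_zval_dump()` but does not itself exercise the crash named in the title. Adding `gc_collect_cycles();` after the second dump, just before `?>`, would make a regression fail inside the collector as well as through a changed count. The call prints nothing, so the `--EXPECT--` section should not need to change, assuming the collector is enabled for the test run. A short comment in the script saying that both cases assign a referenced array into itself would also help a reader who meets the expected refcount values without the patch context.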