Handle reallocated root buffer during GC destroy phase

We no longer protect GC during the destroy phase, so we need to deal with buffer reallocation. Possible fix for bug #78811.
author: Nikita Popov <nikita.ppv@gmail.com> 2019-11-15 15:53:49 +0100
committer: Nikita Popov <nikita.ppv@gmail.com> 2019-11-15 15:53:49 +0100
commit: 3f4a15113c50d2e86a59db8d41fb0a102f43d1c2 (patch)
tree: 17d3e7fc91d69981ba4008ef28ec909697ff142f
parent: 51ac4e302ca2d7c7466e6ab98c97a1435f51e7a2 (diff)
download: php-git-3f4a15113c50d2e86a59db8d41fb0a102f43d1c2.tar.gz
1 files changed, 6 insertions, 5 deletions
diff --git a/Zend/zend_gc.c b/Zend/zend_gc.c
index 8b242c003d..c36f4e7ced 100644
--- a/Zend/zend_gc.c
+++ b/Zend/zend_gc.c
@@ -1547,11 +1547,11 @@ ZEND_API int zend_gc_collect_cycles(void)
 			}
 		}
 
-		/* Destroy zvals */
+		/* Destroy zvals. The root buffer may be reallocated. */
 		GC_TRACE("Destroying zvals");
-		current = GC_IDX2PTR(GC_FIRST_ROOT);
-		last = GC_IDX2PTR(GC_G(first_unused));
-		while (current != last) {
+		idx = GC_FIRST_ROOT;
+		while (idx != end) {
+			current = GC_IDX2PTR(idx);
 			if (GC_IS_GARBAGE(current->ref)) {
 				p = GC_GET_PTR(current->ref);
 				GC_TRACE_REF(p, "destroying");
@@ -1582,11 +1582,12 @@ ZEND_API int zend_gc_collect_cycles(void)
 					zend_hash_destroy(arr);
 				}
 			}
-			current++;
+			idx++;
 		}
 
 		/* Free objects */
 		current = GC_IDX2PTR(GC_FIRST_ROOT);
+		last = GC_IDX2PTR(end);
 		while (current != last) {
 			if (GC_IS_GARBAGE(current->ref)) {
 				p = GC_GET_PTR(current->ref);
author	Nikita Popov <nikita.ppv@gmail.com>	2019-11-15 15:53:49 +0100
committer	Nikita Popov <nikita.ppv@gmail.com>	2019-11-15 15:53:49 +0100
commit	3f4a15113c50d2e86a59db8d41fb0a102f43d1c2 (patch)
tree	17d3e7fc91d69981ba4008ef28ec909697ff142f
parent	51ac4e302ca2d7c7466e6ab98c97a1435f51e7a2 (diff)
download	php-git-3f4a15113c50d2e86a59db8d41fb0a102f43d1c2.tar.gz