authorNikita Popov <nikic@php.net>2016-08-16 21:05:57 +0200
committerNikita Popov <nikic@php.net>2016-08-16 21:05:57 +0200
commit7384fcff0a764aaa9a4320a4e06bfeff89508047 (patch)
tree2b9c5e63e89353da35748216689098e1129ecec6
parent6fcedc96fbabc2787e18f904347f7a1429992c89 (diff)
parente2230c17d3e17981c739cb858bc78d47d2365836 (diff)
downloadphp-git-7384fcff0a764aaa9a4320a4e06bfeff89508047.tar.gz
Merge branch 'PHP-7.0' into PHP-7.1
-rw-r--r--Zend/tests/bug72854.phpt18
-rw-r--r--Zend/zend_execute.c4
2 files changed, 21 insertions, 1 deletions
diff --git a/Zend/tests/bug72854.phpt b/Zend/tests/bug72854.phpt
new file mode 100644
index 0000000000..74139c7ebc
--- /dev/null
+++ b/Zend/tests/bug72854.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #72854: PHP Crashes on duplicate destructor call
+--FILE--
+<?php
+
+function get() {
+ $t = new stdClass;
+ $t->prop = $t;
+ return $t;
+}
+
+$i = 42;
+get()->prop =& $i;
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
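Review bot: The new test only passes or fails on whether the process crashes, so a regression of the destroy-then-overwrite ordering could go unnoticed on a build where the freed memory happens to stay readable. It would be more robust to add a variant in which the object stored in `prop` has a `__destruct` that prints a marker, with `--EXPECT--` asserting that the marker appears exactly once. Running the test under a memory-checking build (the harness's valgrind mode or an ASan build) would cover the same gap.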
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 65069a3c1c..4676260f41 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -567,6 +567,7 @@ static inline zval *_get_obj_zval_ptr_ptr(int op_type, znode_op node, zend_execu
static inline void zend_assign_to_variable_reference(zval *variable_ptr, zval *value_ptr)
{
zend_reference *ref;
+ zval garbage;
if (EXPECTED(!Z_ISREF_P(value_ptr))) {
ZVAL_NEW_REF(value_ptr, value_ptr);
@@ -576,8 +577,9 @@ static inline void zend_assign_to_variable_reference(zval *variable_ptr, zval *v
ref = Z_REF_P(value_ptr);
GC_REFCOUNT(ref)++;
- zval_ptr_dtor(variable_ptr);
+ ZVAL_COPY_VALUE(&garbage, variable_ptr);
ZVAL_REF(variable_ptr, ref);
+ zval_ptr_dtor(&garbage);
}
/* this should modify object only if it's empty */
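Review bot: The reordering in this hunk carries no comment, although the order of the three statements is the entire fix and a later cleanup could easily fold them back into a single `zval_ptr_dtor(variable_ptr)`. I would add a comment above `ZVAL_COPY_VALUE(&garbage, variable_ptr);` along the lines of `/* Overwrite the slot before destroying the old value: the destructor may free or re-enter the container that holds variable_ptr. */`. Separately, once `zval_ptr_dtor(&garbage)` has run, `variable_ptr` may point into memory that the destructor released (the bug72854.phpt case appears to be exactly that), so any caller that reads `variable_ptr` after this function returns should be audited; those callers are not visible in this diff. The function starts in the previous hunk and the lines between the two hunks are not shown.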