diff options
| -rw-r--r-- | Zend/tests/bug72854.phpt | 18 | ||||
| -rw-r--r-- | Zend/zend_execute.c | 4 |
2 files changed, 21 insertions, 1 deletions
diff --git a/Zend/tests/bug72854.phpt b/Zend/tests/bug72854.phpt new file mode 100644 index 0000000000..74139c7ebc --- /dev/null +++ b/Zend/tests/bug72854.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #72854: PHP Crashes on duplicate destructor call +--FILE-- +<?php + +function get() { + $t = new stdClass; + $t->prop = $t; + return $t; +} + +$i = 42; +get()->prop =& $i; + +?> +===DONE=== +--EXPECT-- +===DONE=== diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index 65069a3c1c..4676260f41 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c @@ -567,6 +567,7 @@ static inline zval *_get_obj_zval_ptr_ptr(int op_type, znode_op node, zend_execu static inline void zend_assign_to_variable_reference(zval *variable_ptr, zval *value_ptr) { zend_reference *ref; + zval garbage; if (EXPECTED(!Z_ISREF_P(value_ptr))) { ZVAL_NEW_REF(value_ptr, value_ptr); @@ -576,8 +577,9 @@ static inline void zend_assign_to_variable_reference(zval *variable_ptr, zval *v ref = Z_REF_P(value_ptr); GC_REFCOUNT(ref)++; - zval_ptr_dtor(variable_ptr); + ZVAL_COPY_VALUE(&garbage, variable_ptr); ZVAL_REF(variable_ptr, ref); + zval_ptr_dtor(&garbage); } /* this should modify object only if it's empty */ |