Fixed second part of the bug #78379 (Cast to object confuses GC, caus…

…es crash)
php · Aug 9, 2019 · 6b1cc12 · 6b1cc12
1 parent 2e2cd65
commit 6b1cc12
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 4 deletions.
diff --git a/Zend/tests/bug78379_2.phpt b/Zend/tests/bug78379_2.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #78379.2 (Cast to object confuses GC, causes crash)
+--FILE--
+<?php
+class E {}
+function f() {
+	$e1 = new E;
+	$e2 = new E;
+	$a = ['e2' => $e2];
+	$e1->a = (object)$a;
+	$e2->e1 = $e1;
+	$e2->a = (object)$a;
+}
+f();
+gc_collect_cycles();
+echo "End\n";
+?>
+--EXPECT--
+End
diff --git a/Zend/zend_gc.c b/Zend/zend_gc.c
@@ -388,11 +388,14 @@ static void gc_scan_black(zend_refcounted *ref)
 			ZVAL_OBJ(&tmp, obj);
 			ht = get_gc(&tmp, &zv, &n);
 			end = zv + n;
-			if (EXPECTED(!ht)) {
+			if (EXPECTED(!ht) || UNEXPECTED(GC_REF_GET_COLOR(ht) == GC_BLACK)) {
+				ht = NULL;
 				if (!n) return;
 				while (!Z_REFCOUNTED_P(--end)) {
 					if (zv == end) return;
 				}
+			} else {
+				GC_REF_SET_BLACK(ht);
 			}
 			while (zv != end) {
 				if (Z_REFCOUNTED_P(zv)) {
@@ -498,11 +501,14 @@ static void gc_mark_grey(zend_refcounted *ref)
 				ZVAL_OBJ(&tmp, obj);
 				ht = get_gc(&tmp, &zv, &n);
 				end = zv + n;
-				if (EXPECTED(!ht)) {
+				if (EXPECTED(!ht) || UNEXPECTED(GC_REF_GET_COLOR(ht) == GC_GREY)) {
+					ht = NULL;
 					if (!n) return;
 					while (!Z_REFCOUNTED_P(--end)) {
 						if (zv == end) return;
 					}
+				} else {
+					GC_REF_SET_COLOR(ht, GC_GREY);
 				}
 				while (zv != end) {
 					if (Z_REFCOUNTED_P(zv)) {
@@ -616,11 +622,14 @@ static void gc_scan(zend_refcounted *ref)
 					ZVAL_OBJ(&tmp, obj);
 					ht = get_gc(&tmp, &zv, &n);
 					end = zv + n;
-					if (EXPECTED(!ht)) {
+					if (EXPECTED(!ht) || UNEXPECTED(GC_REF_GET_COLOR(ht) != GC_GREY)) {
+						ht = NULL;
 						if (!n) return;
 						while (!Z_REFCOUNTED_P(--end)) {
 							if (zv == end) return;
 						}
+					} else {
+						GC_REF_SET_COLOR(ht, GC_WHITE);
 					}
 					while (zv != end) {
 						if (Z_REFCOUNTED_P(zv)) {
@@ -791,7 +800,8 @@ static int gc_collect_white(zend_refcounted *ref, uint32_t *flags)
 				ZVAL_OBJ(&tmp, obj);
 				ht = get_gc(&tmp, &zv, &n);
 				end = zv + n;
-				if (EXPECTED(!ht)) {
+				if (EXPECTED(!ht) || UNEXPECTED(GC_REF_GET_COLOR(ht) == GC_BLACK)) {
+					ht = NULL;
 					if (!n) return count;
 					while (!Z_REFCOUNTED_P(--end)) {
 						/* count non-refcounted for compatibility ??? */
@@ -800,6 +810,8 @@ static int gc_collect_white(zend_refcounted *ref, uint32_t *flags)
 						}
 						if (zv == end) return count;
 					}
+				} else {
+					GC_REF_SET_BLACK(ht);
 				}
 				while (zv != end) {
 					if (Z_REFCOUNTED_P(zv)) {