Weird pointers issue in nested loops

[bloatware]

Description

Hi,

I observe a weird issue in php 8.3.0 with the following (weird) code:

<?php
$test = array(
  'a' => 1,
  'b' => 2,
  'c' => 3,
  'd' => 4,
);

//unset($test['a']);
//unset($test['b']);
//unset($test['c']);
//unset($test['d']);

foreach($test as $k => &$v) { // Mind the reference!
    echo "Pass $k : ";

    foreach($test as $kk => $vv) {
        echo $test[$kk];
        if ($kk == $k) $test[$kk] = 0;
    }

    echo '<br />';
}

unset($v);

As expected, it outputs:

Pass a : 1234
Pass b : 0234
Pass c : 0034
Pass d : 0004

But if I unset, say $test['a'] and $test['b'] before the loop, the server seems to enter some kind of infinite loop. Unsetting only one element or only few last elements does not seem to yield any problem. When looping by value $k => $v everything is fine of course.

The problem seems to come from $test[$kk] = 0 assignment. If I comment it out, everything is fine again, whichever elements are unset.

I've tested it on few servers, with the same result. The code works without any issue in php from 5.4 to 8.2.

PHP Version

PHP 8.3.0

Operating System

Various

[nielsdos]

Can confirm, reverting cd53ce8 fixes this.

[nielsdos]

This loops hangs forever: iter_pos is equal to nNumUsed (2) and can't move further:

php-src/Zend/zend_hash.c

Lines 2419 to 2422 in e3de478

	do {
	zend_hash_iterators_update(target, iter_pos, target_idx);
	iter_pos = zend_hash_iterators_lower_pos(target, iter_pos + 1);
	} while (iter_pos < idx);

However, I find it odd because we are looping from p to end, which is from p to p+4 in the example code.
Then I see

php-src/Zend/zend_hash.c

Line 2410 in e3de478

target->nNumUsed = source->nNumOfElements;

which seems strange because now the number of used slots is equal to the number of elements, but we are still looping over all the buckets including the undef ones.
When I change that line to target->nNumUsed = source->nNumUsed; instead it seems to work...