Merge branch 'PHP-7.2'

* PHP-7.2:
  Don't keep HashTable.pDestructor in SHM and always set it into ZVAL_PTR_DTOR in zval_array_dup(). Keeping pointer to a function in SHM is not safe because of ASLR.

Zend/zend_hash.c

@@ -1831,7 +1831,7 @@ ZEND_API HashTable* ZEND_FASTCALL zend_array_dup(HashTable *source)
 	GC_TYPE_INFO(target) = IS_ARRAY | (GC_COLLECTABLE << GC_FLAGS_SHIFT);
 
 	target->nTableSize = source->nTableSize;
-	target->pDestructor = source->pDestructor;
+	target->pDestructor = ZVAL_PTR_DTOR;
 
 	if (source->nNumUsed == 0) {
 		HT_FLAGS(target) = (HT_FLAGS(source) & ~(HASH_FLAG_INITIALIZED|HASH_FLAG_PACKED)) | HASH_FLAG_STATIC_KEYS;

ext/opcache/zend_persist.c

@@ -89,6 +89,7 @@ static void zend_hash_persist(HashTable *ht, zend_persist_func_t pPersistElement
 	Bucket *p;
 
 	HT_FLAGS(ht) |= HASH_FLAG_STATIC_KEYS;
+	ht->pDestructor = NULL;
 
 	if (!(HT_FLAGS(ht) & HASH_FLAG_INITIALIZED)) {
 		HT_SET_DATA_ADDR(ht, &uninitialized_bucket);
@@ -175,6 +176,7 @@ static void zend_hash_persist_immutable(HashTable *ht)
 	Bucket *p;
 
 	HT_FLAGS(ht) |= HASH_FLAG_STATIC_KEYS;
+	ht->pDestructor = NULL;
 
 	if (!(HT_FLAGS(ht) & HASH_FLAG_INITIALIZED)) {
 		HT_SET_DATA_ADDR(ht, &uninitialized_bucket);