From 896814e139d8dead8193f0e44cdc4ba3d8a002c7 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Fri, 22 Apr 2016 17:48:35 +0200 Subject: [PATCH] Make zval_ptr_dtor / _zval_dtor_func more robust In particular, allow arrays with refcount>1, like we already allow for all other types. _zval_dtor_func is now the same as _zval_dtor_func_for_ptr with an extra refcount decrement check at the start. At this point we might as well drop it... Cherry-pick of ded69ee6e6039d56ee7b65b1a578ed1e3d1859da from PHP-7.1. --- Zend/zend_variables.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/Zend/zend_variables.c b/Zend/zend_variables.c index 98bad6878fa..6e0c7491e3f 100644 --- a/Zend/zend_variables.c +++ b/Zend/zend_variables.c @@ -30,17 +30,20 @@ ZEND_API void ZEND_FASTCALL _zval_dtor_func(zend_refcounted *p ZEND_FILE_LINE_DC) { + if (--GC_REFCOUNT(p)) { + return; + } + switch (GC_TYPE(p)) { case IS_STRING: case IS_CONSTANT: { zend_string *str = (zend_string*)p; CHECK_ZVAL_STRING_REL(str); - zend_string_release(str); + zend_string_free(str); break; } case IS_ARRAY: { zend_array *arr = (zend_array*)p; - ZEND_ASSERT(GC_REFCOUNT(arr) <= 1); zend_array_destroy(arr); break; } @@ -54,25 +57,21 @@ ZEND_API void ZEND_FASTCALL _zval_dtor_func(zend_refcounted *p ZEND_FILE_LINE_DC case IS_OBJECT: { zend_object *obj = (zend_object*)p; - OBJ_RELEASE(obj); + zend_objects_store_del(obj); break; } case IS_RESOURCE: { zend_resource *res = (zend_resource*)p; - if (--GC_REFCOUNT(res) == 0) { - /* destroy resource */ - zend_list_free(res); - } + /* destroy resource */ + zend_list_free(res); break; } case IS_REFERENCE: { zend_reference *ref = (zend_reference*)p; - if (--GC_REFCOUNT(ref) == 0) { - i_zval_ptr_dtor(&ref->val ZEND_FILE_LINE_RELAY_CC); - efree_size(ref, sizeof(zend_reference)); - } + i_zval_ptr_dtor(&ref->val ZEND_FILE_LINE_RELAY_CC); + efree_size(ref, sizeof(zend_reference)); break; } default: