Fixed bug #81514

nikic · nikic · commit bd3e5363836d · 2021-10-08T10:31:24.000+02:00
Objects reuse the GC_PERSISTENT flag as IS_OBJ_WEAKLY_REFERENCED,
which we did not account for in ZVAL_COPY_OR_DUP. To make things
worse the incorrect zval_copy_ctor_func() invocation silently did
nothing. To avoid that, add an assertion that it should only be
called with arrays and strings (unlike the normal zval_copy_ctor()
which can be safely called on any zval).
diff --git a/NEWS b/NEWS
@@ -9,6 +9,8 @@ PHP                                                                        NEWS
   . Fixed bug #75941 (Fix compile failure on Solaris with clang). (Jarom&iacute;r
     Dole&#269;ek)
   . Fixed bug #81380 (Observer may not be initialized properly). (krakjoe)
+  . Fixed bug #81514 (Using Enum as key in WeakMap triggers GC + SegFault).
+    (Nikita)
 
 - Date:
   . Fixed bug #81504 (Incorrect timezone transition details for POSIX data).
diff --git a/Zend/tests/enum/weak-map.phpt b/Zend/tests/enum/weak-map.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Use enum as WeakMap key
+--FILE--
+<?php
+
+enum TestEnum {
+    case A;
+}
+
+$map = new WeakMap();
+$map[TestEnum::A] = 'a string';
+var_dump($map[TestEnum::A]);
+var_dump($map[TestEnum::A]);
+
+?>
+--EXPECT--
+string(8) "a string"
+string(8) "a string"
diff --git a/Zend/zend_types.h b/Zend/zend_types.h
@@ -1286,7 +1286,9 @@ static zend_always_inline uint32_t zval_delref_p(zval* pz) {
 		uint32_t _t = Z_TYPE_INFO_P(_z2);								\
 		ZVAL_COPY_VALUE_EX(_z1, _z2, _gc, _t);							\
 		if (Z_TYPE_INFO_REFCOUNTED(_t)) {								\
-			if (EXPECTED(!(GC_FLAGS(_gc) & GC_PERSISTENT))) {			\
+			/* Objects reuse PERSISTENT as WEAKLY_REFERENCED */			\
+			if (EXPECTED(!(GC_FLAGS(_gc) & GC_PERSISTENT)				\
+					|| GC_TYPE(_gc) == IS_OBJECT)) {					\
 				GC_ADDREF(_gc);											\
 			} else {													\
 				zval_copy_ctor_func(_z1);								\
diff --git a/Zend/zend_variables.c b/Zend/zend_variables.c
@@ -129,5 +129,7 @@ ZEND_API void ZEND_FASTCALL zval_copy_ctor_func(zval *zvalue)
 		ZEND_ASSERT(!ZSTR_IS_INTERNED(Z_STR_P(zvalue)));
 		CHECK_ZVAL_STRING(Z_STR_P(zvalue));
 		ZVAL_NEW_STR(zvalue, zend_string_dup(Z_STR_P(zvalue), 0));
+	} else {
+		ZEND_UNREACHABLE();
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -129,5 +129,7 @@ ZEND_API void ZEND_FASTCALL zval_copy_ctor_func(zval *zvalue)`
`129`	`129`	`ZEND_ASSERT(!ZSTR_IS_INTERNED(Z_STR_P(zvalue)));`
`130`	`130`	`CHECK_ZVAL_STRING(Z_STR_P(zvalue));`
`131`	`131`	`ZVAL_NEW_STR(zvalue, zend_string_dup(Z_STR_P(zvalue), 0));`
	`132`	`+ } else {`
	`133`	`+ ZEND_UNREACHABLE();`
`132`	`134`	`}`
`133`	`135`	`}`