Fixed bug #60598 (cli/apache sapi segfault on objects manipulation)

Author: laruence

NEWS

@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2013, PHP 5.4.20
 
 - Core:
+  . Fixed bug #60598 (cli/apache sapi segfault on objects manipulation).
+    (Laruence)
   . Fixed bug #65579 (Using traits with get_class_methods causes segfault).
     (Adam)
   . Fixed bug #65490 (Duplicate calls to get lineno & filename for 

Zend/tests/bug60598.phpt

@@ -0,0 +1,30 @@
+--TEST--
+Bug #60598 (cli/apache sapi segfault on objects manipulation)
+--FILE--
+<?php
+define('OBJECT_COUNT', 10000);
+
+$containers = array();
+
+class Object {
+    protected $_guid = 0;
+    public function __construct() {
+		global $containers;
+		$this->guid = 1;
+        $containers[spl_object_hash($this)] = $this;
+    }
+    public function __destruct() {
+		global $containers;
+        $containers[spl_object_hash($this)] = NULL;
+    }
+}
+
+for ($i = 0; $i < OBJECT_COUNT; ++$i) {
+    new Object();
+}
+
+// You probably won't see this because of the "zend_mm_heap corrupted"
+?>
+If you see this, try to increase OBJECT_COUNT to 100,000
+--EXPECT--
+If you see this, try to increase OBJECT_COUNT to 100,000

Zend/zend_objects_API.c

@@ -57,6 +57,11 @@ ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects TS
 					obj->dtor(obj->object, i TSRMLS_CC);
 					obj = &objects->object_buckets[i].bucket.obj;
 					obj->refcount--;
+
+					if (obj->refcount == 0) {
+						/* in case gc_collect_cycle is triggered before free_storage */
+						GC_REMOVE_ZOBJ_FROM_BUFFER(obj);
+					}
 				}
 			}
 		}