issue #66085 experimental fix

Author: ahamid

ext/standard/basic_functions.h

@@ -161,6 +161,11 @@ typedef signed long php_int32;
 
 #define MT_N (624)
 
+typedef struct _zval_chain {
+    zval* value;
+    struct _zval_chain* next;
+} zval_chain;
+
 typedef struct _php_basic_globals {
 	HashTable *user_shutdown_function_names;
 	HashTable putenv_ht;
@@ -208,6 +213,7 @@ typedef struct _php_basic_globals {
 	struct {
 		void *var_hash;
 		unsigned level;
+		zval_chain* zval_refs;
 	} serialize;
 	struct {
 		void *var_hash;

ext/standard/php_var.h

@@ -51,6 +51,7 @@ typedef struct php_unserialize_data* php_unserialize_data_t;
 
 PHPAPI void php_var_serialize(smart_str *buf, zval **struc, php_serialize_data_t *var_hash TSRMLS_DC);
 PHPAPI int php_var_unserialize(zval **rval, const unsigned char **p, const unsigned char *max, php_unserialize_data_t *var_hash TSRMLS_DC);
+void php_var_serialize_release_zval_chain(zval_chain* zval_refs);
 
 #define PHP_VAR_SERIALIZE_INIT(var_hash_ptr) \
 do  { \
@@ -61,6 +62,7 @@ do  { \
 		if (!BG(serialize_lock)) { \
 			BG(serialize).var_hash = (void *)(var_hash_ptr); \
 			BG(serialize).level = 1; \
+			BG(serialize).zval_refs = NULL; \
 		} \
 	} else { \
 		(var_hash_ptr) = (php_serialize_data_t)BG(serialize).var_hash; \
@@ -79,6 +81,7 @@ do { \
 			zend_hash_destroy((php_serialize_data_t)BG(serialize).var_hash); \
 			FREE_HASHTABLE((php_serialize_data_t)BG(serialize).var_hash); \
 			BG(serialize).var_hash = NULL; \
+			php_var_serialize_release_zval_chain(BG(serialize).zval_refs); \
 		} \
 	} \
 } while (0)

ext/standard/var.c

@@ -543,6 +543,61 @@ PHP_FUNCTION(var_export)
 
 static void php_var_serialize_intern(smart_str *buf, zval *struc, HashTable *var_hash TSRMLS_DC);
 
+/**
+ * Iterates over zvals captured during serialization, and releases/decrements them
+ */
+void php_var_serialize_release_zval_chain(zval_chain* zval_refs) {
+    zval_chain* node =  BG(serialize).zval_refs;
+    zval_chain* next = NULL;
+    int count = 0;
+
+    while (node != NULL) {
+#if 0
+        fprintf(stderr, "- zval chain %d: ref (%d) %p\n", count, Z_REFCOUNT_P(node->value), node->value);
+#endif
+        count++;
+        next = node->next;
+        zval_ptr_dtor(&(node->value));
+        //Z_DELREF_P(node->value);
+        efree(node);
+        node = next;
+    }
+}
+
+/**
+ * Increments zval reference count in order to keep it alive for the duration of object graph serialization;
+ * registers zval in threadlocal list of zvals to decrement/release when topmost serialization frame is popped
+ */
+static inline void php_var_serialize_capture_zval(zval* var) {
+    // increment reference count
+    zend_uint refcount = Z_ADDREF_P(var);
+    //zval_copy_ctor(var);
+
+    // store on threadlocal serialization list for decrement when serialization frame is popped
+    zval_chain* new_zval = emalloc(sizeof(zval_chain));
+    new_zval->value = var;
+    new_zval->next = NULL;
+    zval_chain** zval_refs = &BG(serialize).zval_refs;
+    
+    // optimize later:
+    // new_zval->next = *zval_refs;
+    // *zval_refs = new_zval;
+    
+    // singly linked list - find the end and append
+    int i = 0;
+    while (*zval_refs) {
+        zval_refs = &((**zval_refs).next);
+        i++;
+    }
+    *zval_refs = new_zval;
+    
+#if 0
+    fprintf(stderr, "+ zval chain %d: ref (%d) %p\n", i, Z_REFCOUNT_P(var), var);
+#endif
+
+}
+
+
 static inline int php_add_var_hash(HashTable *var_hash, zval *var, void *var_old TSRMLS_DC) /* {{{ */
 {
 	ulong var_no;
@@ -572,6 +627,9 @@ static inline int php_add_var_hash(HashTable *var_hash, zval *var, void *var_old
 		return FAILURE;
 	}
 
+	// capture the zval to keep it alive for the duration of serialization
+	php_var_serialize_capture_zval(var);
+
 	/* +1 because otherwise hash will think we are trying to store NULL pointer */
 	var_no = zend_hash_num_elements(var_hash) + 1;
 	zend_hash_add(var_hash, p, len, &var_no, sizeof(var_no), NULL);