Fix GH-16957: Assertion failure in array_shift with self-referencing array

nielsdos · nielsdos · commit f1fc4e8ff707 · 2024-11-29T19:21:11.000+01:00
We have an RC1 violation because we're immediately dereferencing and copying the resulting array in the test case. Instead, transfer the lifetime using RETVAL_COPY_VALUE and unwrap only after the internal iterator is reset. Closes GH-16970.
diff --git a/NEWS b/NEWS
@@ -76,6 +76,8 @@ PHP                                                                        NEWS
 - Standard:
   . Fixed bug GH-16905 (Internal iterator functions can't handle UNDEF
     properties). (nielsdos)
+  . Fixed bug GH-16957 (Assertion failure in array_shift with
+    self-referencing array). (nielsdos)
 
 - Streams:
   . Fixed network connect poll interuption handling. (Jakub Zelenka)
diff --git a/ext/standard/array.c b/ext/standard/array.c
@@ -3511,7 +3511,8 @@ PHP_FUNCTION(array_shift)
 			}
 			idx++;
 		}
-		RETVAL_COPY_DEREF(val);
+		RETVAL_COPY_VALUE(val);
+		ZVAL_UNDEF(val);
 
 		/* Delete the first value */
 		zend_hash_packed_del_val(Z_ARRVAL_P(stack), val);
@@ -3565,7 +3566,8 @@ PHP_FUNCTION(array_shift)
 			}
 			idx++;
 		}
-		RETVAL_COPY_DEREF(val);
+		RETVAL_COPY_VALUE(val);
+		ZVAL_UNDEF(val);
 
 		/* Delete the first value */
 		zend_hash_del_bucket(Z_ARRVAL_P(stack), p);
@@ -3589,6 +3591,10 @@ PHP_FUNCTION(array_shift)
 	}
 
 	zend_hash_internal_pointer_reset(Z_ARRVAL_P(stack));
+
+	if (Z_ISREF_P(return_value)) {
+		zend_unwrap_reference(return_value);
+	}
 }
 /* }}} */
 
diff --git a/ext/standard/tests/array/gh16957.phpt b/ext/standard/tests/array/gh16957.phpt
@@ -0,0 +1,41 @@
+--TEST--
+GH-16957 (Assertion failure in array_shift with self-referencing array)
+--FILE--
+<?php
+$new_array = array(&$new_array, 1, 'two');
+var_dump($shifted = array_shift($new_array));
+var_dump($new_array);
+var_dump($new_array === $shifted);
+
+$new_array2 = array(&$new_array2, 2 => 1, 300 => 'two');
+var_dump($shifted = array_shift($new_array2));
+var_dump($new_array2);
+var_dump($new_array2 === $shifted);
+?>
+--EXPECT--
+array(2) {
+  [0]=>
+  int(1)
+  [1]=>
+  string(3) "two"
+}
+array(2) {
+  [0]=>
+  int(1)
+  [1]=>
+  string(3) "two"
+}
+bool(true)
+array(2) {
+  [0]=>
+  int(1)
+  [1]=>
+  string(3) "two"
+}
+array(2) {
+  [0]=>
+  int(1)
+  [1]=>
+  string(3) "two"
+}
+bool(true)

Original file line number	Diff line number	Diff line change
`@@ -3511,7 +3511,8 @@ PHP_FUNCTION(array_shift)`
`3511`	`3511`	`}`
`3512`	`3512`	`idx++;`
`3513`	`3513`	`}`
`3514`		`- RETVAL_COPY_DEREF(val);`
	`3514`	`+ RETVAL_COPY_VALUE(val);`
	`3515`	`+ ZVAL_UNDEF(val);`
`3515`	`3516`
`3516`	`3517`	`/* Delete the first value */`
`3517`	`3518`	`zend_hash_packed_del_val(Z_ARRVAL_P(stack), val);`
`@@ -3565,7 +3566,8 @@ PHP_FUNCTION(array_shift)`
`3565`	`3566`	`}`
`3566`	`3567`	`idx++;`
`3567`	`3568`	`}`
`3568`		`- RETVAL_COPY_DEREF(val);`
	`3569`	`+ RETVAL_COPY_VALUE(val);`
	`3570`	`+ ZVAL_UNDEF(val);`
`3569`	`3571`
`3570`	`3572`	`/* Delete the first value */`
`3571`	`3573`	`zend_hash_del_bucket(Z_ARRVAL_P(stack), p);`
`@@ -3589,6 +3591,10 @@ PHP_FUNCTION(array_shift)`
`3589`	`3591`	`}`
`3590`	`3592`
`3591`	`3593`	`zend_hash_internal_pointer_reset(Z_ARRVAL_P(stack));`
	`3594`	`+`
	`3595`	`+ if (Z_ISREF_P(return_value)) {`
	`3596`	`+ zend_unwrap_reference(return_value);`
	`3597`	`+ }`
`3592`	`3598`	`}`
`3593`	`3599`	`/* }}} */`
`3594`	`3600`