Merge branch 'PHP-8.3' into PHP-8.4

alexandre-daubois · alexandre-daubois · commit 2cc4532865a9 · 2025-10-06T16:52:50.000+02:00
* PHP-8.3: Fix phpGH-19926: reset internal pointer earlier while splicing array while COW violation flag is still set (php#19929)
diff --git a/NEWS b/NEWS
@@ -68,6 +68,8 @@ PHP                                                                        NEWS
     (alexandre-daubois)
   . Fixed bug GH-20043 (array_unique assertion failure with RC1 array
     causing an exception on sort). (nielsdos)
+  . Fixed bug GH-19926 (reset internal pointer earlier while splicing array
+    while COW violation flag is still set). (alexandre-daubois)
 
 - Streams:
   . Fixed bug GH-19248 (Use strerror_r instead of strerror in main).
diff --git a/ext/standard/array.c b/ext/standard/array.c
@@ -3497,6 +3497,12 @@ static void php_splice(HashTable *in_hash, zend_long offset, zend_long length, H
 	HT_SET_ITERATORS_COUNT(in_hash, 0);
 	in_hash->pDestructor = NULL;
 
+	/* Set internal pointer to 0 directly instead of calling zend_hash_internal_pointer_reset().
+	 * This avoids the COW violation assertion and delays advancing to the first valid position
+	 * until after we've switched to the new array structure (out_hash). The iterator will be
+	 * advanced when actually accessed, at which point it will find valid indexes in the new array. */
+	in_hash->nInternalPointer = 0;
+
 	if (UNEXPECTED(GC_DELREF(in_hash) == 0)) {
 		/* Array was completely deallocated during the operation */
 		zend_array_destroy(in_hash);
@@ -3515,8 +3521,6 @@ static void php_splice(HashTable *in_hash, zend_long offset, zend_long length, H
 	in_hash->nNextFreeElement  = out_hash.nNextFreeElement;
 	in_hash->arData            = out_hash.arData;
 	in_hash->pDestructor       = out_hash.pDestructor;
-
-	zend_hash_internal_pointer_reset(in_hash);
 }
 /* }}} */
 
diff --git a/ext/standard/tests/array/gh19926.phpt b/ext/standard/tests/array/gh19926.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-19926 (Assertion failure zend_hash_internal_pointer_reset_ex)
+--FILE--
+<?php
+class ThrowingDestructor {
+    function __destruct() {
+        throw new Exception();
+    }
+}
+
+$arr = [new ThrowingDestructor(), new ThrowingDestructor()];
+
+try {
+    array_splice($arr, 0, 2);
+} catch (Exception $e) {
+    echo "Exception caught, no assertion failure\n";
+}
+?>
+--EXPECT--
+Exception caught, no assertion failure
diff --git a/ext/standard/tests/array/gh19926_pointer.phpt b/ext/standard/tests/array/gh19926_pointer.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-19926 (internal pointer behavior after array_splice)
+--FILE--
+<?php
+$a = [1, 2, 3];
+unset($a[0]);
+next($a);
+
+echo "Before array_splice: ";
+var_dump(current($a));
+
+array_splice($a, 0, 0, [999]);
+
+echo "After array_splice: ";
+var_dump(current($a));
+?>
+--EXPECT--
+Before array_splice: int(3)
+After array_splice: int(999)
