Merge branch 'PHP-8.4'

nielsdos · nielsdos · commit bc7d00ea6dac · 2025-06-18T21:20:30.000+02:00
* PHP-8.4:
  Fix use after free during shutdown destruction
diff --git a/Zend/tests/gh18833.phpt b/Zend/tests/gh18833.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-18833 (Use after free with weakmaps dependent on destruction order)
+--FILE--
+<?php
+
+class a {
+    public static WeakMap $map;
+    public static Generator $storage;
+}
+
+a::$map = new WeakMap;
+
+$closure = function () {
+    $obj = new a;
+    a::$map[$obj] = true;
+    yield $obj;
+};
+a::$storage = $closure();
+a::$storage->current();
+
+echo "ok\n";
+?>
+--EXPECT--
+ok
diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
@@ -100,7 +100,9 @@ ZEND_API void ZEND_FASTCALL zend_objects_store_free_object_storage(zend_objects_
 			if (IS_OBJ_VALID(obj)) {
 				if (!(OBJ_FLAGS(obj) & IS_OBJ_FREE_CALLED)) {
 					GC_ADD_FLAGS(obj, IS_OBJ_FREE_CALLED);
-					if (obj->handlers->free_obj != zend_object_std_dtor) {
+					if (obj->handlers->free_obj != zend_object_std_dtor
+					 || (OBJ_FLAGS(obj) & IS_OBJ_WEAKLY_REFERENCED)
+					) {
 						GC_ADDREF(obj);
 						obj->handlers->free_obj(obj);
 					}
