Fixed bug #63635 (Segfault in gc_collect_cycles)

Zend/tests/bug63635.phpt

@@ -0,0 +1,58 @@
+--TEST--
+Bug #63635 (Segfault in gc_collect_cycles)
+--FILE--
+<?php
+class Node {
+	public $parent = NULL;
+	public $childs = array();
+	
+	function __construct(Node $parent=NULL) {
+		if ($parent) {
+			$parent->childs[] = $this;
+		}
+		$this->childs[] = $this;
+	}
+	
+	function __destruct() {
+		$this->childs = NULL;
+	}	
+}
+
+define("MAX", 16);
+
+for ($n = 0; $n < 20; $n++) {
+	$top = new Node();
+	for ($i=0 ; $i<MAX ; $i++) {
+		$ci = new Node($top);
+		for ($j=0 ; $j<MAX ; $j++) {
+			$cj = new Node($ci);
+			for ($k=0 ; $k<MAX ; $k++) {
+				$ck = new Node($cj);
+			}
+		}
+	}
+	echo "$n\n";
+}
+echo "ok\n";
+--EXPECT--
+0
+1
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+ok

Zend/zend_gc.c

@@ -644,7 +644,8 @@ tail_call:
 			struct _store_object *obj = &EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].bucket.obj;
 
 			if (obj->buffered == (gc_root_buffer*)GC_WHITE) {
-				GC_SET_BLACK(obj->buffered);
+				/* PURPLE instead of BLACK to prevent buffering in nested gc calls */
+				GC_SET_PURPLE(obj->buffered);
 
 				if (EXPECTED(EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].valid &&
 				             (get_gc = Z_OBJ_HANDLER_P(pz, get_gc)) != NULL)) {
@@ -715,7 +716,8 @@ static void zobj_collect_white(zval *pz TSRMLS_DC)
 		struct _store_object *obj = &EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].bucket.obj;
 
 		if (obj->buffered == (gc_root_buffer*)GC_WHITE) {
-			GC_SET_BLACK(obj->buffered);
+			/* PURPLE instead of BLACK to prevent buffering in nested gc calls */
+			GC_SET_PURPLE(obj->buffered);
 
 			if (EXPECTED(EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(pz)].valid &&
 			             (get_gc = Z_OBJ_HANDLER_P(pz, get_gc)) != NULL)) {