GC crash with referenced array in RecursiveArrayIterator
| Bug #60138 | GC crash with referenced array in RecursiveArrayIterator | | |
|---|---|---|---|
| Submitted: | 2011-10-26 09:44 UTC | Modified: | 2011-11-18 12:43 UTC |
| From: | jinmoku at hotmail dot com | Assigned: | dmitry (profile) |
| Status: | Closed | Package: | SPL related |
| PHP Version: | 5.3.8 | OS: | Windows 7 |
| Private report: | No | CVE-ID: | None |
[2011-10-26 09:44 UTC] jinmoku at hotmail dot com
Description:
------------
GC crash with referenced array in RecursiveArrayIterator (no problem with gc_disable)
Test script:
---------------
<?php
$tree = array();
$branch = &$tree;
$courses = array(
    'f1' => '/d1',
    'f6' => '/d2',
    'f7' => '/d3',
    'f8' => '/d3/d4',
    'f9' => '/d3/d4',
);
// Build a nested array from the course paths, descending by reference.
foreach ($courses as $id => $course) {
    $path = explode('/', substr($course, 1));
    $branch = &$tree;
    foreach ($path as $category) {
        if (!isset($branch[$category])) {
            $branch[$category] = array();
        }
        $branch = &$branch[$category];
    }
    $branch[] = $id;
}
// Walk the reference-laden tree; the trace below shows the crash in
// gc_collect_cycles during request shutdown.
$iterator = new RecursiveIteratorIterator(
    new RecursiveArrayIterator($tree),
    RecursiveIteratorIterator::SELF_FIRST
);
foreach ($iterator as $file);
Actual result:
--------------
PHP5TS!GC_REMOVE_ZVAL_FROM_BUFFER+2C4
In php__PID__1756__Date__10_26_2011__Time_11_24_34AM__612__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5ts!gc_remove_zval_from_buffer+2c4 in C:\Program Files (x86)\PHP\php5ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x0000000c on thread 0
php5ts!gc_remove_zval_from_buffer+2c4 0127fbd0 00291a70 00291a70
php5ts!gc_remove_zval_from_buffer+476 00291a70 00bef62c 73fc3b4e
php5ts!gc_collect_cycles+6a 00291a70 00291a70 6592cc2e
php5ts!zend_deactivate+126 00291a70 00291a70 00291a04
php5ts!php_request_shutdown+31f 00000000 013c742c 00000001
php!main+122b 00000002 00291a00 00291fd0
php!memcpy+160 7efde000 00befb68 77439ed2
kernel32!BaseThreadInitThunk+e 7efde000 77d7d20f 00000000
ntdll!__RtlUserThreadStart+70 013c3002 7efde000 00000000
ntdll!_RtlUserThreadStart+1b 013c3002 7efde000 00000000
[2011-11-16 00:57 UTC] felipe@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: dmitry
[2011-11-18 12:43 UTC] dmitry@php.net
-Status: Assigned
+Status: Closed