Fix GH-17447: Assertion failure when array popping a self addressing variable

This is the same bug as GH-16957, and fixed in the same way.

Closes GH-17448.

Author: nielsdos

NEWS

@@ -69,6 +69,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-15833 (Segmentation fault (access null pointer) in
     ext/spl/spl_array.c). (nielsdos)
 
+- Standard:
+  . Fixed bug GH-17447 (Assertion failure when array popping a self addressing
+    variable). (nielsdos)
+
 - Windows:
   . Fixed clang compiler detection. (cmb)
 

ext/standard/array.c

@@ -3564,7 +3564,8 @@ PHP_FUNCTION(array_pop)
 				break;
 			}
 		}
-		RETVAL_COPY_DEREF(val);
+		RETVAL_COPY_VALUE(val);
+		ZVAL_UNDEF(val);
 
 		if (idx == (Z_ARRVAL_P(stack)->nNextFreeElement - 1)) {
 			Z_ARRVAL_P(stack)->nNextFreeElement = Z_ARRVAL_P(stack)->nNextFreeElement - 1;
@@ -3588,7 +3589,8 @@ PHP_FUNCTION(array_pop)
 				break;
 			}
 		}
-		RETVAL_COPY_DEREF(val);
+		RETVAL_COPY_VALUE(val);
+		ZVAL_UNDEF(val);
 
 		if (!p->key && (zend_long)p->h == (Z_ARRVAL_P(stack)->nNextFreeElement - 1)) {
 			Z_ARRVAL_P(stack)->nNextFreeElement = Z_ARRVAL_P(stack)->nNextFreeElement - 1;
@@ -3598,6 +3600,10 @@ PHP_FUNCTION(array_pop)
 		zend_hash_del_bucket(Z_ARRVAL_P(stack), p);
 	}
 	zend_hash_internal_pointer_reset(Z_ARRVAL_P(stack));
+
+	if (Z_ISREF_P(return_value)) {
+		zend_unwrap_reference(return_value);
+	}
 }
 /* }}} */
 

ext/standard/tests/array/gh17447.phpt

@@ -0,0 +1,12 @@
+--TEST--
+GH-17447 (Assertion failure when array poping a self addressing variable)
+--FILE--
+<?php
+$input[] = &$input;
+var_dump(array_pop($input), $input);
+?>
+--EXPECT--
+array(0) {
+}
+array(0) {
+}