Fix weakref notify reentrancy during object destruction (GH-20404)

Author: rizwan3d

Zend/tests/weakrefs/gh20404_weakmap_dtor_reentrancy.phpt

@@ -0,0 +1,26 @@
+--TEST--
+GH-20404: Crash when adding object to WeakMap during destruction
+--FILE--
+<?php
+
+$w = new WeakMap;
+
+$o = new stdClass;
+$w[$o] = new class($r) {
+    function __construct(public &$r) {}
+    function __destruct() {
+        global $refs;
+        $o = $this->r->get();
+        for ($i = 0; $i < 8; ++$i) {
+            $r = new WeakMap;
+            $r[$o] = 1;
+            $refs[] = $r;
+        }
+    }
+};
+$r = WeakReference::create($o);
+
+echo "END OF SCRIPT\n";
+?>
+--EXPECT--
+END OF SCRIPT

Zend/zend_weakrefs.c

@@ -125,7 +125,13 @@ static void zend_weakref_register(zend_object *object, void *payload) {
 static void zend_weakref_unregister(zend_object *object, void *payload, bool weakref_free) {
 	zend_ulong obj_key = zend_object_to_weakref_key(object);
 	void *tagged_ptr = zend_hash_index_find_ptr(&EG(weakrefs), obj_key);
+
+	if (!tagged_ptr) {
+#if ZEND_DEBUG
 	ZEND_ASSERT(tagged_ptr && "Weakref not registered?");
+#endif
+        return;
+    }
 
 	void *ptr = ZEND_WEAKREF_GET_PTR(tagged_ptr);
 	uintptr_t tag = ZEND_WEAKREF_GET_TAG(tagged_ptr);
@@ -213,13 +219,13 @@ void zend_weakrefs_notify(zend_object *object) {
 	/* Annoyingly we can't use the HT destructor here, because we need access to the key (which
 	 * is the object address), which is not provided to the dtor. */
 	const zend_ulong obj_key = zend_object_to_weakref_key(object);
-	void *tagged_ptr = zend_hash_index_find_ptr(&EG(weakrefs), obj_key);
+	void *tagged_ptr;
 #if ZEND_DEBUG
 	ZEND_ASSERT(tagged_ptr && "Tracking of the IS_OBJ_WEAKLY_REFERENCE flag should be precise");
 #endif
-	if (tagged_ptr) {
-		zend_weakref_unref(object, tagged_ptr);
+	while ((tagged_ptr = zend_hash_index_find_ptr(&EG(weakrefs), obj_key))) {
 		zend_hash_index_del(&EG(weakrefs), obj_key);
+		zend_weakref_unref(object, tagged_ptr);
 	}
 }