Fix SplObjectStorage getHash() guard leaking across a bailout

iliaal · iliaal · commit 3fc40d51d975 · 2026-06-14T18:40:10.000-04:00
The getHash() recursion guard increments a request-persistent counter
around the userland getHash() call but decrements it only on the normal
return path. A bailout inside an overridden getHash() (out-of-memory,
timeout, or any fatal) skips the decrement, and the counter is never
reset per request, so on a persistent SAPI every later request on the
same worker wrongly throws "Modification of SplObjectStorage during
getHash() is prohibited". Reset the counter in the SPL request init so
each request starts at zero regardless of how the previous one exited.
diff --git a/ext/spl/php_spl.c b/ext/spl/php_spl.c
@@ -563,6 +563,7 @@ PHP_MINIT_FUNCTION(spl)
 PHP_RINIT_FUNCTION(spl) /* {{{ */
 {
 	spl_autoload_extensions = NULL;
+	spl_object_storage_reset_get_hash_depth();
 	return SUCCESS;
 } /* }}} */
 
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
@@ -47,6 +47,11 @@ static zend_object_handlers spl_handler_MultipleIterator;
 
 ZEND_TLS uint32_t spl_object_storage_get_hash_depth;
 
+void spl_object_storage_reset_get_hash_depth(void)
+{
+	spl_object_storage_get_hash_depth = 0;
+}
+
 typedef struct _spl_SplObjectStorage { /* {{{ */
 	HashTable         storage;
 	zend_long         index;
diff --git a/ext/spl/spl_observer.h b/ext/spl/spl_observer.h
@@ -31,4 +31,6 @@ extern PHPAPI zend_class_entry *spl_ce_MultipleIterator;
 
 PHP_MINIT_FUNCTION(spl_observer);
 
+void spl_object_storage_reset_get_hash_depth(void);
+
 #endif /* SPL_OBSERVER_H */
diff --git a/sapi/cli/tests/spl_object_storage_gethash_bailout.phpt b/sapi/cli/tests/spl_object_storage_gethash_bailout.phpt
@@ -0,0 +1,42 @@
+--TEST--
+SplObjectStorage getHash() depth counter is reset after a bailout in a user getHash()
+--SKIPIF--
+<?php
+include "skipif.inc";
+?>
+--INI--
+allow_url_fopen=1
+--FILE--
+<?php
+include "php_cli_server.inc";
+
+$code = <<<'PHP'
+if ($_SERVER["REQUEST_URI"] === "/poison") {
+    class Poison extends SplObjectStorage {
+        public function getHash($o): string {
+            ini_set("memory_limit", "2M");
+            str_repeat("a", 100 * 1024 * 1024);
+            return "x";
+        }
+    }
+    (new Poison())->offsetSet(new stdClass());
+    echo "poison";
+} else {
+    $s = new SplObjectStorage();
+    $s->offsetSet(new stdClass());
+    echo "check-ok count=", count($s);
+}
+PHP;
+
+php_cli_server_start($code, 'router.php');
+
+$base = 'http://' . PHP_CLI_SERVER_ADDRESS;
+// Request 1 bails out (OOM) inside the overridden getHash() mid-offsetSet.
+@file_get_contents($base . '/poison');
+// A later request on the same worker must not be poisoned by a stuck counter.
+echo @file_get_contents($base . '/check'), "\n";
+echo @file_get_contents($base . '/check'), "\n";
+?>
+--EXPECT--
+check-ok count=1
+check-ok count=1

Original file line number	Diff line number	Diff line change
`@@ -563,6 +563,7 @@ PHP_MINIT_FUNCTION(spl)`
`563`	`563`	`PHP_RINIT_FUNCTION(spl) /* {{{ */`
`564`	`564`	`{`
`565`	`565`	`spl_autoload_extensions = NULL;`
	`566`	`+ spl_object_storage_reset_get_hash_depth();`
`566`	`567`	`return SUCCESS;`
`567`	`568`	`} /* }}} */`
`568`	`569`