Fix GH-15869: Stack overflow in zend_array_destroy with deeply nested arrays#21494
Open
iliaal wants to merge 1 commit intophp:masterfrom
Open
Fix GH-15869: Stack overflow in zend_array_destroy with deeply nested arrays#21494iliaal wants to merge 1 commit intophp:masterfrom
iliaal wants to merge 1 commit intophp:masterfrom
Conversation
…ted arrays zend_array_destroy() recurses through i_zval_ptr_dtor for each element, which overflows the C stack when arrays are nested deeply enough (~40-50k levels on a typical 8MB stack). Apply a tail-call optimization: when an element is an array whose refcount reaches zero, defer its destruction instead of recursing. After freeing the current hash table, loop back to destroy the deferred child. This eliminates recursion entirely for linear chains (the common crash scenario) while arrays with multiple nested children still recurse per-branch, each independently benefiting from the same optimization. Closes phpGH-15869
Closed
4 tasks
dstogov
reviewed
Mar 23, 2026
Member
dstogov
left a comment
There was a problem hiding this comment.
This would fix the stack overflow only for a single particular case.
The problem might be simple re-reproduced with $a=[$a,$a] or with objects.
Also the fix may change the order of object destructors (probably this is not critical for master branch), and may interfere with GC.
I'm not sure if we should accept this incomplete fix.
The complete fix would require maintaining a separate destruction queue, but this may introduce different troubles.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
zend_array_destroy()recurses viai_zval_ptr_dtorfor each element, overflowing the C stack at ~40-50k nesting levels$a = [$a]in a loop) now use zero stack depth regardless of nestingFixes #15869