--TEST--
GH-16464: Use-after-free in SplDoublyLinkedList::offsetSet() when modifying list in destructor of overwritten object
--FILE--
<?php

// Regression test for re-entrant modification of an SplDoublyLinkedList:
// an element's destructor mutates the very list that is in the middle of
// replacing that element.
class C {
    // Not read anywhere in this test.
    public $a;

    // Runs when the last reference to the instance is dropped. It reaches the
    // list through the global and removes the tail element, so the list is
    // modified from inside whatever operation released this object.
    function __destruct() {
        global $list;
        var_dump($list->pop());
    }
}

$list = new SplDoublyLinkedList;
// The list holds the only reference to this C instance.
$list->add(0, new C);
// Overwriting index 0 releases the C instance, so its destructor fires during
// the assignment and pops from the list. Per the test title, this is the
// offsetSet() path that previously used freed memory.
$list[0] = 42;
// The expected output pins the safe behaviour: the destructor's pop() prints
// int(42), i.e. the new value was already stored when the old one was
// destroyed, and the list is left empty.
var_dump($list);

?>
--EXPECTF--
int(42)
object(SplDoublyLinkedList)#%d (2) {
  ["flags":"SplDoublyLinkedList":private]=>
  int(0)
  ["dllist":"SplDoublyLinkedList":private]=>
  array(0) {
  }
}