1--TEST-- 2GH-16646: Use-after-free in ArrayObject::unset() with destructor 3--FILE-- 4<?php 5 6class B { 7 public $b; 8 function __construct($arg) { 9 $this->b = $arg; 10 } 11} 12 13class C { 14 function __destruct() { 15 global $arr; 16 echo __METHOD__, "\n"; 17 $arr->exchangeArray([]); 18 } 19} 20 21$arr = new ArrayObject(new B(new C)); 22unset($arr["b"]); 23var_dump($arr); 24 25?> 26--EXPECT-- 27C::__destruct 28object(ArrayObject)#1 (1) { 29 ["storage":"ArrayObject":private]=> 30 array(0) { 31 } 32} 33
