Use destroy stack for multi-branch deeply nested arrays

The single-child tail-call only defers one array per level.  When
multiple children all reach refcount zero (e.g. two independent
deep chains in one array), the extras still recursed through
rc_dtor_func and could overflow the C stack.

Replace the fallback rc_dtor_func call for additional array children
with a heap-backed destroy stack (small on-stack buffer for the
common case, grows via emalloc when needed).  Linear chains still
use the zero-allocation tail-call path.

Author: iliaal

Zend/tests/gh15869_multi_branch.phpt

@@ -0,0 +1,23 @@
+--TEST--
+GH-15869 (Stack overflow in zend_array_destroy with multiple deeply nested branches)
+--FILE--
+<?php
+ini_set('memory_limit', '1G');
+
+/* Two independent deeply nested chains in one array.
+ * Without the destroy stack, one branch would recurse via rc_dtor_func. */
+$a = [];
+$b = [];
+for ($i = 0; $i < 200000; $i++) {
+    $a = [$a];
+    $b = [$b];
+}
+$c = [$a, $b];
+unset($a, $b);
+echo "Built\n";
+unset($c);
+echo "Freed\n";
+?>
+--EXPECT--
+Built
+Freed

Zend/zend_hash.c

@@ -1821,6 +1821,13 @@ ZEND_API void ZEND_FASTCALL zend_hash_destroy(HashTable *ht)
 ZEND_API void ZEND_FASTCALL zend_array_destroy(HashTable *ht)
 {
 	zend_array *child;
+	/* On-stack buffer avoids heap allocation for the common case. Arrays
+	 * with multiple nested children whose refcount all reach zero push
+	 * extras here instead of recursing through rc_dtor_func. */
+	zend_array *ds_buf[8];
+	zend_array **ds = ds_buf;
+	size_t ds_size = 0;
+	size_t ds_cap = sizeof(ds_buf) / sizeof(ds_buf[0]);
 
 tail_call:
 	child = NULL;
@@ -1841,15 +1848,31 @@ ZEND_API void ZEND_FASTCALL zend_array_destroy(HashTable *ht)
 
 		SET_INCONSISTENT(HT_IS_DESTROYING);
 
-		/* Deferred dtor: when an element is an array with refcount reaching
-		 * zero, save it for tail-call destruction instead of recursing.
-		 * Prevents stack overflow with deeply nested arrays. */
+		/* When an element is an array whose refcount reaches zero, defer its
+		 * destruction instead of recursing. The first child is kept for a
+		 * tail-call (zero overhead for linear chains). Additional children
+		 * are pushed onto a destroy stack, eliminating C stack growth
+		 * regardless of nesting shape. */
 #define ZVAL_DTOR_DEFERRED(zv) do { \
 	if (Z_REFCOUNTED_P(zv)) { \
 		zend_refcounted *ref = Z_COUNTED_P(zv); \
 		if (!GC_DELREF(ref)) { \
-			if (!child && GC_TYPE(ref) == IS_ARRAY) { \
-				child = (zend_array *)ref; \
+			if (GC_TYPE(ref) == IS_ARRAY) { \
+				if (!child) { \
+					child = (zend_array *)ref; \
+				} else { \
+					if (UNEXPECTED(ds_size >= ds_cap)) { \
+						if (ds == ds_buf) { \
+							ds_cap = 32; \
+							ds = emalloc(ds_cap * sizeof(zend_array *)); \
+							memcpy(ds, ds_buf, sizeof(ds_buf)); \
+						} else { \
+							ds_cap *= 2; \
+							ds = erealloc(ds, ds_cap * sizeof(zend_array *)); \
+						} \
+					} \
+					ds[ds_size++] = (zend_array *)ref; \
+				} \
 			} else { \
 				rc_dtor_func(ref); \
 			} \
@@ -1906,6 +1929,15 @@ ZEND_API void ZEND_FASTCALL zend_array_destroy(HashTable *ht)
 		ht = (HashTable *)child;
 		goto tail_call;
 	}
+
+	if (UNEXPECTED(ds_size > 0)) {
+		ht = (HashTable *)ds[--ds_size];
+		goto tail_call;
+	}
+
+	if (UNEXPECTED(ds != ds_buf)) {
+		efree(ds);
+	}
 }
 
 ZEND_API void ZEND_FASTCALL zend_hash_clean(HashTable *ht)