fix: use fixed-size destroy stack to avoid OOM during array cleanup

iliaal · claude · iliaal · commit 8d66718c53f8 · 2026-03-23T08:31:45.000-04:00
Replace the dynamically growing heap buffer (emalloc/erealloc) with a
fixed-size on-stack array of 32 entries. When the buffer is full, fall
back to a recursive zend_array_destroy call instead of heap allocation.

This prevents Fatal OOM errors during shutdown when memory_limit is
already exhausted, as seen in stack_limit_014 on x32 and macOS ARM64.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
@@ -1821,13 +1821,12 @@ ZEND_API void ZEND_FASTCALL zend_hash_destroy(HashTable *ht)
 ZEND_API void ZEND_FASTCALL zend_array_destroy(HashTable *ht)
 {
 	zend_array *child;
-	/* On-stack buffer avoids heap allocation for the common case. Arrays
-	 * with multiple nested children whose refcount all reach zero push
-	 * extras here instead of recursing through rc_dtor_func. */
-	zend_array *ds_buf[8];
-	zend_array **ds = ds_buf;
+	/* Fixed-size buffer for deferred array destruction. Arrays with multiple
+	 * nested children whose refcount all reach zero are pushed here instead
+	 * of recursing through rc_dtor_func. If the buffer fills, we fall back
+	 * to a recursive zend_array_destroy call for the overflow. */
+	zend_array *ds[32];
 	size_t ds_size = 0;
-	size_t ds_cap = sizeof(ds_buf) / sizeof(ds_buf[0]);
 
 tail_call:
 	child = NULL;
@@ -1851,27 +1850,19 @@ ZEND_API void ZEND_FASTCALL zend_array_destroy(HashTable *ht)
 		/* When an element is an array whose refcount reaches zero, defer its
 		 * destruction instead of recursing. The first child is kept for a
 		 * tail-call (zero overhead for linear chains). Additional children
-		 * are pushed onto a destroy stack, eliminating C stack growth
-		 * regardless of nesting shape. */
+		 * are pushed onto a fixed-size destroy stack. If the stack is full,
+		 * fall back to a recursive zend_array_destroy call. */
 #define ZVAL_DTOR_DEFERRED(zv) do { \
 	if (Z_REFCOUNTED_P(zv)) { \
 		zend_refcounted *ref = Z_COUNTED_P(zv); \
 		if (!GC_DELREF(ref)) { \
 			if (GC_TYPE(ref) == IS_ARRAY) { \
 				if (!child) { \
 					child = (zend_array *)ref; \
-				} else { \
-					if (UNEXPECTED(ds_size >= ds_cap)) { \
-						if (ds == ds_buf) { \
-							ds_cap = 32; \
-							ds = emalloc(ds_cap * sizeof(zend_array *)); \
-							memcpy(ds, ds_buf, sizeof(ds_buf)); \
-						} else { \
-							ds_cap *= 2; \
-							ds = erealloc(ds, ds_cap * sizeof(zend_array *)); \
-						} \
-					} \
+				} else if (EXPECTED(ds_size < sizeof(ds) / sizeof(ds[0]))) { \
 					ds[ds_size++] = (zend_array *)ref; \
+				} else { \
+					zend_array_destroy((HashTable *)ref); \
 				} \
 			} else { \
 				rc_dtor_func(ref); \
@@ -1934,10 +1925,6 @@ ZEND_API void ZEND_FASTCALL zend_array_destroy(HashTable *ht)
 		ht = (HashTable *)ds[--ds_size];
 		goto tail_call;
 	}
-
-	if (UNEXPECTED(ds != ds_buf)) {
-		efree(ds);
-	}
 }
 
 ZEND_API void ZEND_FASTCALL zend_hash_clean(HashTable *ht)
