From 64c1d43b68dd812ce4d3dec0a9b469fd4c060f30 Mon Sep 17 00:00:00 2001
From: Alexandre Daubois <2144837+alexandre-daubois@users.noreply.github.com>
Date: Mon, 6 Oct 2025 16:51:23 +0200
Subject: [PATCH] Fix GH-19926: reset internal pointer earlier while splicing
 array while COW violation flag is still set (#19929)

---
 NEWS                                          |  2 ++
 ext/standard/array.c                          |  8 ++++++--
 ext/standard/tests/array/gh19926.phpt         | 20 +++++++++++++++++++
 ext/standard/tests/array/gh19926_pointer.phpt | 19 ++++++++++++++++++
 4 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 ext/standard/tests/array/gh19926.phpt
 create mode 100644 ext/standard/tests/array/gh19926_pointer.phpt

diff --git a/NEWS b/NEWS
index 2edaf09ce70..c2db743c84e 100644
--- a/NEWS
+++ b/NEWS
@@ -62,6 +62,8 @@ PHP                                                                        NEWS
     (alexandre-daubois)
   . Fixed bug GH-20043 (array_unique assertion failure with RC1 array
     causing an exception on sort). (nielsdos)
+  . Fixed bug GH-19926 (reset internal pointer earlier while splicing array
+    while COW violation flag is still set). (alexandre-daubois)
 
 - Streams:
   . Fixed bug GH-19248 (Use strerror_r instead of strerror in main).
diff --git a/ext/standard/array.c b/ext/standard/array.c
index b7b5f82d61c..4896ac44a72 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -3376,6 +3376,12 @@ static void php_splice(HashTable *in_hash, zend_long offset, zend_long length, H
 	HT_SET_ITERATORS_COUNT(in_hash, 0);
 	in_hash->pDestructor = NULL;
 
+	/* Set internal pointer to 0 directly instead of calling zend_hash_internal_pointer_reset().
+	 * This avoids the COW violation assertion and delays advancing to the first valid position
+	 * until after we've switched to the new array structure (out_hash). The iterator will be
+	 * advanced when actually accessed, at which point it will find valid indexes in the new array. */
+	in_hash->nInternalPointer = 0;
+
 	if (UNEXPECTED(GC_DELREF(in_hash) == 0)) {
 		/* Array was completely deallocated during the operation */
 		zend_array_destroy(in_hash);
@@ -3394,8 +3400,6 @@ static void php_splice(HashTable *in_hash, zend_long offset, zend_long length, H
 	in_hash->nNextFreeElement  = out_hash.nNextFreeElement;
 	in_hash->arData            = out_hash.arData;
 	in_hash->pDestructor       = out_hash.pDestructor;
-
-	zend_hash_internal_pointer_reset(in_hash);
 }
 /* }}} */
 
diff --git a/ext/standard/tests/array/gh19926.phpt b/ext/standard/tests/array/gh19926.phpt
new file mode 100644
index 00000000000..b714db9eb2b
--- /dev/null
+++ b/ext/standard/tests/array/gh19926.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-19926 (Assertion failure zend_hash_internal_pointer_reset_ex)
+--FILE--
+<?php
+class ThrowingDestructor {
+    function __destruct() {
+        throw new Exception();
+    }
+}
+
+$arr = [new ThrowingDestructor(), new ThrowingDestructor()];
+
+try {
+    array_splice($arr, 0, 2);
+} catch (Exception $e) {
+    echo "Exception caught, no assertion failure\n";
+}
+?>
+--EXPECT--
+Exception caught, no assertion failure
diff --git a/ext/standard/tests/array/gh19926_pointer.phpt b/ext/standard/tests/array/gh19926_pointer.phpt
new file mode 100644
index 00000000000..c134f3b594b
--- /dev/null
+++ b/ext/standard/tests/array/gh19926_pointer.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-19926 (internal pointer behavior after array_splice)
+--FILE--
+<?php
+$a = [1, 2, 3];
+unset($a[0]);
+next($a);
+
+echo "Before array_splice: ";
+var_dump(current($a));
+
+array_splice($a, 0, 0, [999]);
+
+echo "After array_splice: ";
+var_dump(current($a));
+?>
+--EXPECT--
+Before array_splice: int(3)
+After array_splice: int(999)