As you said, it would be better to handle this during unserialize. I would use the following pattern:

zval_ptr_dtor(&intern->array);
ZVAL_COPY_VALUE(&intern->array, array);
ZVAL_NULL(array);
SEPARATE_ARRAY(&intern->array);

This will take ownership of the unserialized array, and prevent anyone else from acquiring a reference to it through malicious unserialize input using r/R.

@nikic why ZVAL_NULL(array); ? my understanding of zend_empty_array is everyone are sharing a immutable empty array.

@jhdxr Using ZVAL_COPY + SEPARATE_ARRAY would work, but would always lead to an array copy, because the refcount will always be > 1 after the COPY. Using COPY_VALUE + NULLing the original value transfers ownership to you, so if nobody else was using it, no copy will have to be performed.

@nikic my point is the original value in this case is zend_empty_array, which is shared and should be used by others when needed. ZVAL_NULL will modify the shared instance.

is it a good idea to do ZVAL_COPY for zend_empty_array, and ZVAL_COPY_VALUE+ZVAL_NULL for other cases?

@jhdxr ZVAL_NULL will not modify the array, it will only modify the place storing the array (a slot in the serialization backreference table).

@nikic got it. thanks!

Thanks! Applied as b15189f.