SimpleXML's unset can break DOM objects

[YuanchengJiang]

Description

The following code:

<?php
$dom = Dom\HTMLDocument::createEmpty();
$body = $dom->appendChild($dom->createElement("body"));
foreach (["style", "script", "xmp", "iframe", "noembed", "noframes", "plaintext", "noscript"] as $tag) {
$tag = $body->appendChild($dom->createElementNS("some:ns", $tag));
}
$fusion = $tag;
$html = simplexml_import_dom($fusion);
$script1_dataflow = $html;
$array = ['foo'];
foreach ($array as $key => &$value) {
unset($script1_dataflow[$key]);
}
var_dump(get_defined_vars());

Resulted in this output:

/php-src/ext/dom/token_list.c:206:25: runtime error: member access within null pointer of type 'php_libxml_ref_obj' (aka 'struct _php_libxml_ref_obj')

PHP Version

nightly

Operating System

ubuntu 22.04

[nielsdos]

It's not related to the new classes, here is a reproducer for old DOM that repros on 8.0:

<?php
$dom = new DOMDocument;
$tag = $dom->appendChild($dom->createElement("style"));
$html = simplexml_import_dom($tag);
unset($html[0]);
$tag->append("foo");

I wouldn't be surprised if you can find a reproducer for even older versions.

Basically, simplexml thinks it owns the node and uses the "free resource" approach to get rid of it when unsetting. This causes the pointer to the node in the internal object to become NULL, causing a failure in all places that get the node assuming that it can't be NULL.
I'm not sure yet whether this is better fixed in simplexml or dom.