Fixed bug #78973

nikic · nikic · commit 11b041d3c6f6 · 2019-12-16T18:52:30.000+01:00
Save opline in leave helper to correctly handle destructor calls
during CV freeing (or other leave freeing).
diff --git a/NEWS b/NEWS
@@ -6,6 +6,8 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug #78929 (plus signs in cookie values are converted to spaces).
     (Alexey Kachalin)
+  . Fixed bug #78973 (Destructor during CV freeing causes segfault if opline
+    never saved). (Nikita)
 
 - OPcache:
   . Fixed bug #78961 (erroneous optimization of re-assigned $GLOBALS). (Dmitry)
diff --git a/Zend/tests/bug78973.phpt b/Zend/tests/bug78973.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #78973: Destructor during CV freeing causes segfault if opline never saved
+--FILE--
+<?php
+
+function test($x) {
+}
+test(new class {
+    public function __destruct() {
+        debug_print_backtrace();
+    }
+});
+
+?>
+--EXPECTF--
+#0  class@anonymous->__destruct() called at [%s:4]
+#1  test() called at [%s:5]
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -2867,6 +2867,7 @@ ZEND_VM_HOT_HELPER(zend_leave_helper, ANY, ANY)
 {
 	zend_execute_data *old_execute_data;
 	uint32_t call_info = EX_CALL_INFO();
+	SAVE_OPLINE();
 
 	if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) {
 		i_free_compiled_variables(execute_data);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
@@ -1130,6 +1130,7 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper
 {
 	zend_execute_data *old_execute_data;
 	uint32_t call_info = EX_CALL_INFO();
+	SAVE_OPLINE();
 
 	if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) {
 		i_free_compiled_variables(execute_data);
@@ -53445,6 +53446,7 @@ ZEND_API void execute_ex(zend_execute_data *ex)
 {
 	zend_execute_data *old_execute_data;
 	uint32_t call_info = EX_CALL_INFO();
+	SAVE_OPLINE();
 
 	if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) {
 		i_free_compiled_variables(execute_data);

Original file line number	Diff line number	Diff line change
`@@ -2867,6 +2867,7 @@ ZEND_VM_HOT_HELPER(zend_leave_helper, ANY, ANY)`
`2867`	`2867`	`{`
`2868`	`2868`	`zend_execute_data *old_execute_data;`
`2869`	`2869`	`uint32_t call_info = EX_CALL_INFO();`
	`2870`	`+ SAVE_OPLINE();`
`2870`	`2871`
`2871`	`2872`	`if (EXPECTED((call_info & (ZEND_CALL_CODE\|ZEND_CALL_TOP\|ZEND_CALL_HAS_SYMBOL_TABLE\|ZEND_CALL_FREE_EXTRA_ARGS\|ZEND_CALL_ALLOCATED)) == 0)) {`
`2872`	`2873`	`i_free_compiled_variables(execute_data);`
Original file line number	Diff line number	Diff line change
`@@ -1130,6 +1130,7 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper`
`1130`	`1130`	`{`
`1131`	`1131`	`zend_execute_data *old_execute_data;`
`1132`	`1132`	`uint32_t call_info = EX_CALL_INFO();`
	`1133`	`+ SAVE_OPLINE();`
`1133`	`1134`
`1134`	`1135`	`if (EXPECTED((call_info & (ZEND_CALL_CODE\|ZEND_CALL_TOP\|ZEND_CALL_HAS_SYMBOL_TABLE\|ZEND_CALL_FREE_EXTRA_ARGS\|ZEND_CALL_ALLOCATED)) == 0)) {`
`1135`	`1136`	`i_free_compiled_variables(execute_data);`
`@@ -53445,6 +53446,7 @@ ZEND_API void execute_ex(zend_execute_data *ex)`
`53445`	`53446`	`{`
`53446`	`53447`	`zend_execute_data *old_execute_data;`
`53447`	`53448`	`uint32_t call_info = EX_CALL_INFO();`
	`53449`	`+ SAVE_OPLINE();`
`53448`	`53450`
`53449`	`53451`	`if (EXPECTED((call_info & (ZEND_CALL_CODE\|ZEND_CALL_TOP\|ZEND_CALL_HAS_SYMBOL_TABLE\|ZEND_CALL_FREE_EXTRA_ARGS\|ZEND_CALL_ALLOCATED)) == 0)) {`
`53450`	`53452`	`i_free_compiled_variables(execute_data);`