Fix printing backtrace of fake generator frame

iluuu1994 · iluuu1994 · commit 706bcdbc1abd · 2024-09-27T17:34:51.000+02:00
Fixes GH-15851 Closes GH-15952
diff --git a/NEWS b/NEWS
@@ -8,6 +8,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-15905 (Assertion failure for TRACK_VARS_SERVER). (cmb)
   . Fixed bug GH-15907 (Failed assertion when promoting Serialize deprecation to
     exception). (ilutov)
+  . Fixed bug GH-15851 (Segfault when printing backtrace during cleanup of
+    nested generator frame). (ilutov)
 
 - Date:
   . Fixed bug GH-15582: Crash when not calling parent constructor of
diff --git a/Zend/tests/generators/gh15851.phpt b/Zend/tests/generators/gh15851.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-15851: Access on NULL when printing backtrace with freed generator
+--FILE--
+<?php
+
+class Foo {
+    public function __destruct() {
+        debug_print_backtrace();
+    }
+}
+
+function bar() {
+    yield from foo();
+}
+
+function foo() {
+    $foo = new Foo();
+    yield;
+}
+
+$gen = bar();
+foreach ($gen as $dummy);
+
+?>
+--EXPECTF--
+#0 %s(%d): Foo->__destruct()
+#1 %s(%d): bar()
diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
@@ -1725,6 +1725,16 @@ ZEND_API void zend_fetch_debug_backtrace(zval *return_value, int skip_last, int
 	}
 
 	while (call && (limit == 0 || frameno < limit)) {
+		if (UNEXPECTED(!call->func)) {
+			/* This is the fake frame inserted for nested generators. Normally,
+			 * this frame is preceded by the actual generator frame and then
+			 * replaced by zend_generator_check_placeholder_frame() below.
+			 * However, the frame is popped before cleaning the stack frame,
+			 * which is observable by destructors. */
+			call = zend_generator_check_placeholder_frame(call);
+			ZEND_ASSERT(call->func);
+		}
+
 		zend_execute_data *prev = call->prev_execute_data;
 
 		if (!prev) {
diff --git a/sapi/cli/php_cli.c b/sapi/cli/php_cli.c
@@ -1075,6 +1075,7 @@ static int do_cli(int argc, char **argv) /* {{{ */
 					object_init_ex(&ref, pce);
 
 					memset(&execute_data, 0, sizeof(zend_execute_data));
+					execute_data.func = (zend_function *) &zend_pass_function;
 					EG(current_execute_data) = &execute_data;
 					zend_call_known_instance_method_with_1_params(
 						pce->constructor, Z_OBJ(ref), NULL, &arg);
