Fixed bug #78973
authorNikita Popov <nikita.ppv@gmail.com>
Mon, 16 Dec 2019 17:52:30 +0000 (18:52 +0100)
committerNikita Popov <nikita.ppv@gmail.com>
Mon, 16 Dec 2019 17:52:30 +0000 (18:52 +0100)
Save opline in leave helper to correctly handle destructor calls
during CV freeing (or other leave freeing).

NEWS
Zend/tests/bug78973.phpt [new file with mode: 0644]
Zend/zend_vm_def.h
Zend/zend_vm_execute.h

diff --git a/NEWS b/NEWS
index 9388881ab1b1e48e5dfcdf8c7159d0b742fe70f9..adc5ae1cc8c4bbe62adc6edd2b2a624a0225bead 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug #78929 (plus signs in cookie values are converted to spaces).
     (Alexey Kachalin)
+  . Fixed bug #78973 (Destructor during CV freeing causes segfault if opline
+    never saved). (Nikita)
 
 - OPcache:
   . Fixed bug #78961 (erroneous optimization of re-assigned $GLOBALS). (Dmitry)
diff --git a/Zend/tests/bug78973.phpt b/Zend/tests/bug78973.phpt
new file mode 100644 (file)
index 0000000..5bdd16e
--- /dev/null
@@ -0,0 +1,17 @@
+--TEST--
+Bug #78973: Destructor during CV freeing causes segfault if opline never saved
+--FILE--
+<?php
+
+function test($x) {
+}
+test(new class {
+    public function __destruct() {
+        debug_print_backtrace();
+    }
+});
+
+?>
+--EXPECTF--
+#0  class@anonymous->__destruct() called at [%s:4]
+#1  test() called at [%s:5]
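Review bot: The test exercises only the common fast path of zend_leave_helper: test() is called with exactly its one declared argument and no symbol table, so the destructor fires from i_free_compiled_variables, which is the branch taken when none of the ZEND_CALL_* flags are set. The commit description also mentions "other leave freeing", but none of those paths is covered here; a second dataset that passes an extra argument, e.g. `test(new class { public function __destruct() { debug_print_backtrace(); } }, 1);`, would presumably reach the extra-args freeing branch with the same expected backtrace and guard against a regression there. Since the crash is a stale or unsaved EX(opline) being read during teardown, the --EXPECTF-- line numbers (`[%s:4]`, `[%s:5]`) are the actual assertion and should be kept as exact as they are.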
index 87d475bf186191d72957873f23fcd248d01eeb40..1ff9a81eadca3c51e7a9319b0e1a03b6c45098cd 100644 (file)
@@ -2867,6 +2867,7 @@ ZEND_VM_HOT_HELPER(zend_leave_helper, ANY, ANY)
 {
        zend_execute_data *old_execute_data;
        uint32_t call_info = EX_CALL_INFO();
+       SAVE_OPLINE();
 
        if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) {
                i_free_compiled_variables(execute_data);
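Review bot: The new `SAVE_OPLINE();` carries no comment explaining why it is needed, and the reason is not visible from the helper itself, which never reads opline; suggest `/* Destructors may run while CVs, extra args or the symbol table are freed below and may read EX(opline) (backtraces, error locations); make sure it is current. */` above it. Saving unconditionally on every leave is justified rather than wasteful, because the fast path on the very next lines already calls i_free_compiled_variables, which is where the reported destructor ran, so there is no cheaper place to put it. The identical line is added to both zend_leave_helper copies in Zend/zend_vm_execute.h, which is generated from this file, so the comment belongs here and those hunks need no separate treatment. The helper body continues outside the hunk.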
index 14e1314bcb4fa15230dba71484050d4a4827cd49..5e444817c79ea34ad0b1ff1f4147891883a6c726 100644 (file)
@@ -1130,6 +1130,7 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper
 {
        zend_execute_data *old_execute_data;
        uint32_t call_info = EX_CALL_INFO();
+       SAVE_OPLINE();
 
        if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) {
                i_free_compiled_variables(execute_data);
@@ -53445,6 +53446,7 @@ zend_leave_helper_SPEC_LABEL:
 {
        zend_execute_data *old_execute_data;
        uint32_t call_info = EX_CALL_INFO();
+       SAVE_OPLINE();
 
        if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) {
                i_free_compiled_variables(execute_data);