From: Nikita Popov
Date: Mon, 16 Dec 2019 17:52:30 +0000 (+0100)
Subject: Fixed bug #78973
X-Git-Tag: php-7.4.7RC1~426^2~1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=11b041d3c6f65ba7539c61edcf9587618af1ed43;p=php
Fixed bug #78973
Save opline in leave helper to correctly handle destructor calls during CV freeing (or other leave freeing).
---
diff --git a/NEWS b/NEWS
index 9388881ab1..adc5ae1cc8 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ PHP NEWS
 - Core:
 . Fixed bug #78929 (plus signs in cookie values are converted to spaces). (Alexey Kachalin)
+ . Fixed bug #78973 (Destructor during CV freeing causes segfault if opline
+ never saved). (Nikita)
 - OPcache:
 . Fixed bug #78961 (erroneous optimization of re-assigned $GLOBALS). (Dmitry)
diff --git a/Zend/tests/bug78973.phpt b/Zend/tests/bug78973.phpt
new file mode 100644
index 0000000000..5bdd16e402
--- /dev/null
+++ b/Zend/tests/bug78973.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #78973: Destructor during CV freeing causes segfault if opline never saved
+--FILE--
+
+--EXPECTF--
+#0 class@anonymous->__destruct() called at [%s:4]
+#1 test() called at [%s:5]
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 87d475bf18..1ff9a81ead 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -2867,6 +2867,7 @@ ZEND_VM_HOT_HELPER(zend_leave_helper, ANY, ANY)
 {
 zend_execute_data *old_execute_data;
 uint32_t call_info = EX_CALL_INFO();
+ SAVE_OPLINE();
 if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) {
 i_free_compiled_variables(execute_data);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 14e1314bcb..5e444817c7 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
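Review bot: The added `SAVE_OPLINE();` at the top of zend_leave_helper in Zend/zend_vm_def.h has no comment, so nothing at the call site says why a helper declared with ZEND_VM_HOT_HELPER stores the opline unconditionally; a later performance cleanup could drop it and bring back the crash from bug #78973. I would put a comment above it along the lines of `/* Freeing CVs (and the other leave-time frees) can run destructors; code reached from there, e.g. a backtrace, presumably reads EX(opline), so save it first. */`. The commit message also names "other leave freeing", while the test title and expected output only point at the CV path, so a second test case exercising one of the other branches would help guard the fix; the test body is not visible on this page, so that may already be covered. The helper's body continues past the end of the hunk, and the two matching hunks in Zend/zend_vm_execute.h look like the regenerated copies of this one.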
@@ -1130,6 +1130,7 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper { zend_execute_data *old_execute_data; uint32_t call_info = EX_CALL_INFO(); + SAVE_OPLINE(); if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) { i_free_compiled_variables(execute_data); @@ -53445,6 +53446,7 @@ zend_leave_helper_SPEC_LABEL: { zend_execute_data *old_execute_data; uint32_t call_info = EX_CALL_INFO(); + SAVE_OPLINE(); if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) { i_free_compiled_variables(execute_data);