Fixed bug #78989

nikic · nikic · commit 1146bdb9b21c · 2020-01-28T10:43:15.000+01:00
Always operate on copies of the functions, so we don't reference
temporary trait methods that have gone out of scope.

This could be more efficient, but doing an allocated copy only when
strictly necessary turned out to be somewhat tricky.
diff --git a/NEWS b/NEWS
@@ -7,6 +7,8 @@ PHP                                                                        NEWS
   . Fixed bug #79155 (Property nullability lost when using multiple property
     definition). (Nikita)
   . Fixed bug #78323 (Code 0 is returned on invalid options). (Ivan Mikheykin)
+  . Fixed bug #78989 (Delayed variance check involving trait segfaults).
+    (Nikita)
 
 - CURL:
   . Fixed bug #79078 (Hypothetical use-after-free in curl_multi_add_handle()).
diff --git a/Zend/tests/type_declarations/variance/parent_in_class_success.phpt b/Zend/tests/type_declarations/variance/parent_in_class_success.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Use of parent inside a class that has / has no parent (success cases)
+--FILE--
+<?php
+
+// Legal: A2::parent == P2
+class P2 {}
+class A2 extends P2 {
+    public function method(parent $x) {}
+}
+class B2 extends A2 {
+    public function method(P2 $x) {}
+}
+
+// Legal: B3::parent == A3 is subclass of A3::parent == P3 in covariant position
+class P3 {}
+class A3 extends P3 {
+    public function method($x): parent {}
+}
+class B3 extends A3 {
+    public function method($x): parent {}
+}
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/tests/type_declarations/variance/property_types_early_bind.phpt b/Zend/tests/type_declarations/variance/property_types_early_bind.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Early binding should be prevented if property types cannot be checked
+--FILE--
+<?php
+
+class X {}
+class_alias('X', 'Y');
+
+class A {
+    public X $prop;
+}
+class B extends A {
+    public Y $prop;
+}
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/tests/type_declarations/variance/trait_error.phpt b/Zend/tests/type_declarations/variance/trait_error.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Trait delayed variance check fails
+--FILE--
+<?php
+
+// Taken from bug #78989.
+
+class X {
+    function method($a): A {}
+}
+trait T {
+    function method($r): B {}
+}
+class U extends X {
+    use T;
+}
+
+?>
+--EXPECTF--
+Fatal error: Could not check compatibility between T::method($r): B and X::method($a): A, because class B is not available in %s on line %d
diff --git a/Zend/tests/type_declarations/variance/trait_success.phpt b/Zend/tests/type_declarations/variance/trait_success.phpt
@@ -0,0 +1,29 @@
+--TEST--
+Trait delayed variance check succeeds
+--FILE--
+<?php
+
+// Taken from bug #79179.
+
+spl_autoload_register(function() {
+    interface InterfaceB extends InterfaceA {}
+});
+
+interface InterfaceA {}
+
+trait SomeTrait {
+    abstract public function func(): ?InterfaceA;
+}
+
+class Foo {
+    public function func(): ?InterfaceB {}
+}
+
+class Bar extends Foo {
+    use SomeTrait;
+}
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c
@@ -2237,8 +2237,10 @@ typedef struct {
 	union {
 		zend_class_entry *dependency_ce;
 		struct {
-			const zend_function *parent_fn;
-			const zend_function *child_fn;
+			/* Traits may use temporary on-stack functions during inheritance checks,
+			 * so use copies of functions here as well. */
+			zend_function parent_fn;
+			zend_function child_fn;
 			zend_bool always_error;
 		};
 		struct {
@@ -2292,8 +2294,8 @@ static void add_compatibility_obligation(
 	HashTable *obligations = get_or_init_obligations_for_class(ce);
 	variance_obligation *obligation = emalloc(sizeof(variance_obligation));
 	obligation->type = OBLIGATION_COMPATIBILITY;
-	obligation->child_fn = child_fn;
-	obligation->parent_fn = parent_fn;
+	obligation->child_fn = *child_fn;
+	obligation->parent_fn = *parent_fn;
 	obligation->always_error = always_error;
 	zend_hash_next_index_insert_ptr(obligations, obligation);
 }
@@ -2324,15 +2326,15 @@ static int check_variance_obligation(zval *zv) {
 	} else if (obligation->type == OBLIGATION_COMPATIBILITY) {
 		zend_string *unresolved_class;
 		inheritance_status status = zend_do_perform_implementation_check(
-			&unresolved_class, obligation->child_fn, obligation->parent_fn);
+			&unresolved_class, &obligation->child_fn, &obligation->parent_fn);
 
 		if (UNEXPECTED(status != INHERITANCE_SUCCESS)) {
 			if (EXPECTED(status == INHERITANCE_UNRESOLVED)) {
 				return ZEND_HASH_APPLY_KEEP;
 			}
 			ZEND_ASSERT(status == INHERITANCE_ERROR);
 			emit_incompatible_method_error_or_warning(
-				obligation->child_fn, obligation->parent_fn, status, unresolved_class,
+				&obligation->child_fn, &obligation->parent_fn, status, unresolved_class,
 				obligation->always_error);
 		}
 		/* Either the compatibility check was successful or only threw a warning. */
@@ -2402,10 +2404,10 @@ static void report_variance_errors(zend_class_entry *ce) {
 		if (obligation->type == OBLIGATION_COMPATIBILITY) {
 			/* Just used to fetch the unresolved_class in this case. */
 			status = zend_do_perform_implementation_check(
-				&unresolved_class, obligation->child_fn, obligation->parent_fn);
+				&unresolved_class, &obligation->child_fn, &obligation->parent_fn);
 			ZEND_ASSERT(status == INHERITANCE_UNRESOLVED);
 			emit_incompatible_method_error_or_warning(
-				obligation->child_fn, obligation->parent_fn,
+				&obligation->child_fn, &obligation->parent_fn,
 				status, unresolved_class, obligation->always_error);
 		} else if (obligation->type == OBLIGATION_PROPERTY_COMPATIBILITY) {
 			emit_incompatible_property_error(obligation->child_prop, obligation->parent_prop);
