
Commit ba029fc

tstarling authored and Girgias committed
Fix GH-9323: crash when the VM enters userspace code via the GC
Closes GH-9323
1 parent 410e5d4 commit ba029fc

3 files changed

+17
-2
lines changed


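--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2022, PHP 8.0.24
 
+- Core:
+. Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
+(Tim Starling)
+
 - DOM:
 . Fixed bug #79451 (Using DOMDocument->replaceChild on doctype causes
 double free) (NathanFreeman)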

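--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -4299,6 +4299,7 @@ ZEND_VM_INLINE_HANDLER(62, ZEND_RETURN, CONST|TMP|VAR|CV, ANY, SPEC(OBSERVER))
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -8304,8 +8305,8 @@ ZEND_VM_C_LABEL(check_indirect):
 zend_refcounted *garbage = Z_COUNTED_P(variable_ptr);
 
 ZVAL_REF(variable_ptr, ref);
+SAVE_OPLINE();
 if (GC_DELREF(garbage) == 0) {
-SAVE_OPLINE();
 rc_dtor_func(garbage);
 if (UNEXPECTED(EG(exception))) {
 ZVAL_NULL(variable_ptr);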
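Review bot: The hoisted SAVE_OPLINE() in the ZEND_BIND_GLOBAL hunk (new line 8308) now runs unconditionally before GC_DELREF(), and nothing in the code says why it must precede the refcount check instead of staying inside the rc_dtor_func() branch as before, so a later cleanup could move it back and silently reintroduce the crash this commit fixes. Presumably the else branch below the hunk hands `garbage` to the GC, which can enter userspace destructors that need a current opline; a one-line comment would pin that: `/* GC and destructors may run user code: opline must be current on both paths */`. The same applies to the SAVE_OPLINE() added before gc_possible_root() in the ZEND_RETURN hunk at 4302 and to all of its generated copies in Zend/zend_vm_execute.h. Both handlers start and end outside the hunks shown, so whether an EG(exception) check follows gc_possible_root() on the return path is not visible here.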

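--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -4073,6 +4073,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_CONST_
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -4150,6 +4151,7 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_OBSER
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -18585,6 +18587,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_TMP_HA
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -21200,6 +21203,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_VAR_HA
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -37947,6 +37951,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_CV_HAN
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -42680,8 +42685,8 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_GLOBAL_SPEC_C
 zend_refcounted *garbage = Z_COUNTED_P(variable_ptr);
 
 ZVAL_REF(variable_ptr, ref);
+SAVE_OPLINE();
 if (GC_DELREF(garbage) == 0) {
-SAVE_OPLINE();
 rc_dtor_func(garbage);
 if (UNEXPECTED(EG(exception))) {
 ZVAL_NULL(variable_ptr);
@@ -55390,6 +55395,7 @@ ZEND_API void execute_ex(zend_execute_data *ex)
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -55468,6 +55474,7 @@ ZEND_API void execute_ex(zend_execute_data *ex)
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -57001,6 +57008,7 @@ ZEND_API void execute_ex(zend_execute_data *ex)
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -57306,6 +57314,7 @@ ZEND_API void execute_ex(zend_execute_data *ex)
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -58427,6 +58436,7 @@ ZEND_API void execute_ex(zend_execute_data *ex)
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);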
