From 6e55f4df23956aaff8ff0d5296994357594d6357 Mon Sep 17 00:00:00 2001 From: Arnaud Le Blanc Date: Wed, 2 Oct 2024 12:29:19 +0200 Subject: [PATCH 1/4] Fix assertion failure in generator dtor (#16025) --- Zend/tests/gh15866.phpt | 53 +++++++++++++++++++++++++++++++++++++++++ Zend/zend_generators.c | 25 +++++-------------- Zend/zend_generators.h | 1 - 3 files changed, 59 insertions(+), 20 deletions(-) create mode 100644 Zend/tests/gh15866.phpt diff --git a/Zend/tests/gh15866.phpt b/Zend/tests/gh15866.phpt new file mode 100644 index 00000000000..99a3a6e6a95 --- /dev/null +++ b/Zend/tests/gh15866.phpt @@ -0,0 +1,53 @@ +--TEST-- +GH-15866: Core dumped in Zend/zend_generators.c +--FILE-- +next(); + } finally { + print "Fiber finally\n"; + } +}); +$canary->value = $fiber; +$fiber->start(); + +// Reset roots +gc_collect_cycles(); + +// Add to roots, create garbage cycles +$fiber = $iterable = $canary = null; + +print "Collect cycles\n"; +gc_collect_cycles(); + +?> +==DONE== +--EXPECT-- +Collect cycles +Canary::__destruct +Generator finally +Fiber finally +==DONE== diff --git a/Zend/zend_generators.c b/Zend/zend_generators.c index 4ac45949bd3..9089d821f30 100644 --- a/Zend/zend_generators.c +++ b/Zend/zend_generators.c 
@@ -218,43 +218,30 @@ static zend_always_inline void clear_link_to_root(zend_generator *generator) { } } -/* In the context of zend_generator_dtor_storage during shutdown, check if - * the intermediate node 'generator' is running in a fiber */ +/* Check if the node 'generator' is running in a fiber */ static inline bool check_node_running_in_fiber(zend_generator *generator) { - ZEND_ASSERT(EG(flags) & EG_FLAGS_IN_SHUTDOWN); ZEND_ASSERT(generator->execute_data); - if (generator->flags & ZEND_GENERATOR_IN_FIBER) { + if (EXPECTED(generator->flags & ZEND_GENERATOR_IN_FIBER)) { return true; } - if (generator->node.children == 0) { + if (EXPECTED(generator->node.children == 0)) { return false; } - if (generator->flags & ZEND_GENERATOR_DTOR_VISITED) { - return false; - } - generator->flags |= ZEND_GENERATOR_DTOR_VISITED; - if (generator->node.children == 1) { - if (check_node_running_in_fiber(generator->node.child.single)) { - goto in_fiber; - } - return false; + return check_node_running_in_fiber(generator->node.child.single); } zend_generator *child; ZEND_HASH_FOREACH_PTR(generator->node.child.ht, child) { if (check_node_running_in_fiber(child)) { - goto in_fiber; + return true; } } ZEND_HASH_FOREACH_END(); - return false; -in_fiber: - generator->flags |= ZEND_GENERATOR_IN_FIBER; - return true; + return false; } static void zend_generator_dtor_storage(zend_object *object) /* {{{ */ diff --git a/Zend/zend_generators.h b/Zend/zend_generators.h index a41fb7699d8..00d38a9d28d 100644 --- a/Zend/zend_generators.h +++ b/Zend/zend_generators.h @@ -93,7 +93,6 @@ static const zend_uchar ZEND_GENERATOR_FORCED_CLOSE = 0x2; static const zend_uchar ZEND_GENERATOR_AT_FIRST_YIELD = 0x4; static const zend_uchar ZEND_GENERATOR_DO_INIT = 0x8; static const zend_uchar ZEND_GENERATOR_IN_FIBER = 0x10; -static const zend_uchar ZEND_GENERATOR_DTOR_VISITED = 0x20; void zend_register_generator_ce(void); ZEND_API void zend_generator_close(zend_generator *generator, bool finished_execution); 
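Review bot: The new one-line comment on `check_node_running_in_fiber` says it checks the node itself, but the body also returns true when any generator below it in the `node.child` tree has `ZEND_GENERATOR_IN_FIBER` set, and it no longer records that answer on the intermediate node as the removed `in_fiber:` path did. I would spell that out, e.g. `/* Check if 'generator' or any node below it in its child tree is running in a fiber. The result is not cached on intermediate nodes, so each call walks the subtree again. */`. With `ZEND_GENERATOR_DTOR_VISITED` gone, repeated calls re-traverse the same children, and the recursion depth still follows the depth of the tree; whether that matters depends on how `zend_generator_dtor_storage` calls it, and that body lies outside this hunk. The shutdown-only `ZEND_ASSERT` was dropped as well, so the comment is also the place to say the function may now run outside shutdown, presumably during cycle collection as the new test exercises.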
From 36945ecb711b428945ceb55743f58d4b5338d9d7 Mon Sep 17 00:00:00 2001 From: Arnaud Le Blanc Date: Wed, 2 Oct 2024 12:30:27 +0200 Subject: [PATCH 2/4] [ci skip] NEWS for GH-16025 --- NEWS | 1 + 1 file changed, 1 insertion(+) diff --git a/NEWS b/NEWS index 13e5f49ae7c..7ef01952a6e 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,7 @@ PHP NEWS exception). (ilutov) . Fixed bug GH-15851 (Segfault when printing backtrace during cleanup of nested generator frame). (ilutov) + . Fixed bug GH-15866 (Core dumped in Zend/zend_generators.c). (Arnaud) - Date: . Fixed bug GH-15582: Crash when not calling parent constructor of From 26fd8d2ca65c287343025819dd27c8a46fb28fab Mon Sep 17 00:00:00 2001 From: Arnaud Le Blanc Date: Wed, 2 Oct 2024 12:32:53 +0200 Subject: [PATCH 3/4] [ci skip] NEWS for GH-16025 --- NEWS | 1 + 1 file changed, 1 insertion(+) diff --git a/NEWS b/NEWS index 20913d4a51d..8586f3407cb 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,7 @@ PHP NEWS exception). (ilutov) . Fixed bug GH-15851 (Segfault when printing backtrace during cleanup of nested generator frame). (ilutov) + . Fixed bug GH-15866 (Core dumped in Zend/zend_generators.c). (Arnaud) - DOM: . Fixed bug GH-16039 (Segmentation fault (access null pointer) in From cd64780764ed3d1a402eea0febf3177b537fdc19 Mon Sep 17 00:00:00 2001 From: Arnaud Le Blanc Date: Wed, 2 Oct 2024 12:34:37 +0200 Subject: [PATCH 4/4] [ci skip] NEWS for GH-16025 --- NEWS | 1 + 1 file changed, 1 insertion(+) diff --git a/NEWS b/NEWS index c165be2f5a5..5ed73a53cdd 100644 --- a/NEWS +++ b/NEWS @@ -21,6 +21,7 @@ PHP NEWS . Fixed bug GH-16026 (Reuse of dtor fiber during shutdown). (Arnaud) . Fixed bug GH-15999 (zend_std_write_property() assertion failure with lazy objects). (Arnaud) + . Fixed bug GH-15866 (Core dumped in Zend/zend_generators.c). (Arnaud) - DOM: . Fixed bug GH-16039 (Segmentation fault (access null pointer) in