mirror of
https://github.com/php/php-src.git
synced 2025-08-16 05:58:45 +02:00
Fix GH-9323: crash when the VM enters userspace code via the GC
Closes GH-9323
This commit is contained in:
Tim Starling
George Peter Banyard
parent
410e5d48a3
commit
ba029fce68
3 changed files with 17 additions and 2 deletions
4
NEWS
4
NEWS
|
|
@ -2,6 +2,10 @@ PHP NEWS
|
|||
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||
?? ??? 2022, PHP 8.0.24
|
||||
|
||||
- Core:
|
||||
. Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
|
||||
(Tim Starling)
|
||||
|
||||
- DOM:
|
||||
. Fixed bug #79451 (Using DOMDocument->replaceChild on doctype causes
|
||||
double free) (NathanFreeman)
|
||||
|
|
|
|||
|
|
@ -4299,6 +4299,7 @@ ZEND_VM_INLINE_HANDLER(62, ZEND_RETURN, CONST|TMP|VAR|CV, ANY, SPEC(OBSERVER))
|
|||
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
|
||||
ZVAL_COPY_VALUE(return_value, retval_ptr);
|
||||
if (GC_MAY_LEAK(ref)) {
|
||||
SAVE_OPLINE();
|
||||
gc_possible_root(ref);
|
||||
}
|
||||
ZVAL_NULL(retval_ptr);
|
||||
|
|
@ -8304,8 +8305,8 @@ ZEND_VM_C_LABEL(check_indirect):
|
|||
zend_refcounted *garbage = Z_COUNTED_P(variable_ptr);
|
||||
|
||||
ZVAL_REF(variable_ptr, ref);
|
||||
SAVE_OPLINE();
|
||||
if (GC_DELREF(garbage) == 0) {
|
||||
SAVE_OPLINE();
|
||||
rc_dtor_func(garbage);
|
||||
if (UNEXPECTED(EG(exception))) {
|
||||
ZVAL_NULL(variable_ptr);
|
||||
|
|
|
|||
|
|
@ -4073,6 +4073,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_CONST_
|
|||
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
|
||||
ZVAL_COPY_VALUE(return_value, retval_ptr);
|
||||
if (GC_MAY_LEAK(ref)) {
|
||||
SAVE_OPLINE();
|
||||
gc_possible_root(ref);
|
||||
}
|
||||
ZVAL_NULL(retval_ptr);
|
||||
|
|
@ -4150,6 +4151,7 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_OBSER
|
|||
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
|
||||
ZVAL_COPY_VALUE(return_value, retval_ptr);
|
||||
if (GC_MAY_LEAK(ref)) {
|
||||
SAVE_OPLINE();
|
||||
gc_possible_root(ref);
|
||||
}
|
||||
ZVAL_NULL(retval_ptr);
|
||||
|
|
@ -18585,6 +18587,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_TMP_HA
|
|||
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
|
||||
ZVAL_COPY_VALUE(return_value, retval_ptr);
|
||||
if (GC_MAY_LEAK(ref)) {
|
||||
SAVE_OPLINE();
|
||||
gc_possible_root(ref);
|
||||
}
|
||||
ZVAL_NULL(retval_ptr);
|
||||
|
|
@ -21200,6 +21203,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_VAR_HA
|
|||
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
|
||||
ZVAL_COPY_VALUE(return_value, retval_ptr);
|
||||
if (GC_MAY_LEAK(ref)) {
|
||||
SAVE_OPLINE();
|
||||
gc_possible_root(ref);
|
||||
}
|
||||
ZVAL_NULL(retval_ptr);
|
||||
|
|
@ -37947,6 +37951,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_CV_HAN
|
|||
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
|
||||
ZVAL_COPY_VALUE(return_value, retval_ptr);
|
||||
if (GC_MAY_LEAK(ref)) {
|
||||
SAVE_OPLINE();
|
||||
gc_possible_root(ref);
|
||||
}
|
||||
ZVAL_NULL(retval_ptr);
|
||||
|
|
@ -42680,8 +42685,8 @@ check_indirect:
|
|||
zend_refcounted *garbage = Z_COUNTED_P(variable_ptr);
|
||||
|
||||
ZVAL_REF(variable_ptr, ref);
|
||||
SAVE_OPLINE();
|
||||
if (GC_DELREF(garbage) == 0) {
|
||||
SAVE_OPLINE();
|
||||
rc_dtor_func(garbage);
|
||||
if (UNEXPECTED(EG(exception))) {
|
||||
ZVAL_NULL(variable_ptr);
|
||||
|
|
@ -55390,6 +55395,7 @@ zend_leave_helper_SPEC_LABEL:
|
|||
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
|
||||
ZVAL_COPY_VALUE(return_value, retval_ptr);
|
||||
if (GC_MAY_LEAK(ref)) {
|
||||
SAVE_OPLINE();
|
||||
gc_possible_root(ref);
|
||||
}
|
||||
ZVAL_NULL(retval_ptr);
|
||||
|
|
@ -55468,6 +55474,7 @@ zend_leave_helper_SPEC_LABEL:
|
|||
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
|
||||
ZVAL_COPY_VALUE(return_value, retval_ptr);
|
||||
if (GC_MAY_LEAK(ref)) {
|
||||
SAVE_OPLINE();
|
||||
gc_possible_root(ref);
|
||||
}
|
||||
ZVAL_NULL(retval_ptr);
|
||||
|
|
@ -57001,6 +57008,7 @@ zend_leave_helper_SPEC_LABEL:
|
|||
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
|
||||
ZVAL_COPY_VALUE(return_value, retval_ptr);
|
||||
if (GC_MAY_LEAK(ref)) {
|
||||
SAVE_OPLINE();
|
||||
gc_possible_root(ref);
|
||||
}
|
||||
ZVAL_NULL(retval_ptr);
|
||||
|
|
@ -57306,6 +57314,7 @@ zend_leave_helper_SPEC_LABEL:
|
|||
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
|
||||
ZVAL_COPY_VALUE(return_value, retval_ptr);
|
||||
if (GC_MAY_LEAK(ref)) {
|
||||
SAVE_OPLINE();
|
||||
gc_possible_root(ref);
|
||||
}
|
||||
ZVAL_NULL(retval_ptr);
|
||||
|
|
@ -58427,6 +58436,7 @@ zend_leave_helper_SPEC_LABEL:
|
|||
zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
|
||||
ZVAL_COPY_VALUE(return_value, retval_ptr);
|
||||
if (GC_MAY_LEAK(ref)) {
|
||||
SAVE_OPLINE();
|
||||
gc_possible_root(ref);
|
||||
}
|
||||
ZVAL_NULL(retval_ptr);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue