diff --git a/NEWS b/NEWS
index 28734647d61..b45dce71fc5 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2022, PHP 8.0.24
+- Core:
+ . Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
+ (Tim Starling)
+
 - DOM:
 . Fixed bug #79451 (Using DOMDocument->replaceChild on doctype causes double free) (NathanFreeman)
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 1b4ef0d0846..d1aea77e8f9 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -4299,6 +4299,7 @@ ZEND_VM_INLINE_HANDLER(62, ZEND_RETURN, CONST|TMP|VAR|CV, ANY, SPEC(OBSERVER))
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+ SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -8304,8 +8305,8 @@ ZEND_VM_C_LABEL(check_indirect):
 zend_refcounted *garbage = Z_COUNTED_P(variable_ptr);
 ZVAL_REF(variable_ptr, ref);
+ SAVE_OPLINE();
 if (GC_DELREF(garbage) == 0) {
- SAVE_OPLINE();
 rc_dtor_func(garbage);
 if (UNEXPECTED(EG(exception))) {
 ZVAL_NULL(variable_ptr);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 0daa7b9e507..5e41f9f88b7 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -4073,6 +4073,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_CONST_
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+ SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -4150,6 +4151,7 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_OBSER
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+ SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
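Review bot: The added `SAVE_OPLINE();` before `gc_possible_root(ref);` in the ZEND_RETURN hunk of Zend/zend_vm_def.h has no comment saying why a store to the frame's opline is needed on a path that otherwise never uses it, so a later cleanup could drop it as dead code and bring the crash back. Going by the NEWS entry (GH-9323, crash in ZEND_RETURN/GC/zend_call_function), the reason is presumably that registering a possible root can start a collection that calls back into user code, which then reads the frame's saved opline; a one-line comment such as `/* gc_possible_root() may run the GC and destructors, which read EX(opline) */` would record that. The same applies to the check_indirect hunk, where the call is hoisted above `if (GC_DELREF(garbage) == 0) {`: the branch that motivates the hoist lies outside the hunk, so the comment there should name it. Both handler bodies start and end outside the hunks shown, and no regression test for the crash is visible in this diff.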
@@ -18585,6 +18587,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_TMP_HA
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+ SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -21200,6 +21203,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_VAR_HA
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+ SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -37947,6 +37951,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RETURN_SPEC_CV_HAN
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+ SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -42680,8 +42685,8 @@ check_indirect:
 zend_refcounted *garbage = Z_COUNTED_P(variable_ptr);
 ZVAL_REF(variable_ptr, ref);
+ SAVE_OPLINE();
 if (GC_DELREF(garbage) == 0) {
- SAVE_OPLINE();
 rc_dtor_func(garbage);
 if (UNEXPECTED(EG(exception))) {
 ZVAL_NULL(variable_ptr);
@@ -55390,6 +55395,7 @@ zend_leave_helper_SPEC_LABEL:
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+ SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -55468,6 +55474,7 @@ zend_leave_helper_SPEC_LABEL:
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+ SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -57001,6 +57008,7 @@ zend_leave_helper_SPEC_LABEL:
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+ SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -57306,6 +57314,7 @@ zend_leave_helper_SPEC_LABEL:
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+ SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);
@@ -58427,6 +58436,7 @@ zend_leave_helper_SPEC_LABEL:
 zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 ZVAL_COPY_VALUE(return_value, retval_ptr);
 if (GC_MAY_LEAK(ref)) {
+ SAVE_OPLINE();
 gc_possible_root(ref);
 }
 ZVAL_NULL(retval_ptr);