From bdc87b0f66666e188e35d61b9ad9199db378c4ab Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 27 Sep 2023 22:16:43 +0200
Subject: [PATCH] Fix #80092: ZTS + preload = segfault on shutdown

After preloading has executed, the executor globals for class_table and
function_table are still referring to the values during preloading.
If no request happens after that then these values will remain dangling
pointers. If then the -v option on CLI or -h option (and possibly
others) on CGI is provided, there is a double free.
Fix it by nulling the pointers explicitly after preloading has finished
to fix it for all SAPIs.

Closes GH-12311.
---
 NEWS                          |  1 +
 ext/opcache/ZendAccelerator.c |  2 ++
 sapi/cli/tests/bug80092.phpt  | 36 +++++++++++++++++++++++++++++++++++
 sapi/cli/tests/preload.inc    |  7 +++++++
 4 files changed, 46 insertions(+)
 create mode 100644 sapi/cli/tests/bug80092.phpt
 create mode 100644 sapi/cli/tests/preload.inc

diff --git a/NEWS b/NEWS
index 4e934351bab..317e2abbe99 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,7 @@ PHP                                                                        NEWS
   . Fixed bug GH-12215 (Module entry being overwritten causes type errors in
     ext/dom). (nielsdos)
   . Fixed bug GH-12273 (__builtin_cpu_init check). (Freaky)
+  . Fixed bug #80092 (ZTS + preload = segfault on shutdown). (nielsdos)
 
 - CType:
   . Fixed bug GH-11997 (ctype_alnum 5 times slower in PHP 8.1 or greater).
diff --git a/ext/opcache/ZendAccelerator.c b/ext/opcache/ZendAccelerator.c
index 7d0d9a69381..e1acff2e4e2 100644
--- a/ext/opcache/ZendAccelerator.c
+++ b/ext/opcache/ZendAccelerator.c
@@ -4780,6 +4780,8 @@ static int accel_finish_startup(void)
 			SIGG(check) = 0;
 #endif
 			php_request_shutdown(NULL); /* calls zend_shared_alloc_unlock(); */
+			EG(class_table) = NULL;
+			EG(function_table) = NULL;
 			PG(report_memleaks) = orig_report_memleaks;
 		} else {
 			zend_shared_alloc_unlock();
diff --git a/sapi/cli/tests/bug80092.phpt b/sapi/cli/tests/bug80092.phpt
new file mode 100644
index 00000000000..dadce9fc778
--- /dev/null
+++ b/sapi/cli/tests/bug80092.phpt
@@ -0,0 +1,36 @@
+--TEST--
+Bug #80092 (ZTS + preload = segfault on shutdown)
+--SKIPIF--
+<?php
+include 'skipif.inc';
+if (substr(PHP_OS, 0, 3) == 'WIN') {
+    die ("skip not for Windows");
+}
+$extDir = ini_get('extension_dir');
+if (!file_exists($extDir . '/opcache.so')) {
+    die ('skip opcache shared object not found in extension_dir');
+}
+?>
+--FILE--
+<?php
+
+$cmd = [
+    PHP_BINARY, '-n',
+    '-dextension_dir=' . ini_get('extension_dir'),
+    '-dzend_extension=opcache.so',
+    '-dopcache.enable=1',
+    '-dopcache.enable_cli=1',
+    '-dopcache.preload=' . __DIR__ . '/preload.inc',
+    '-v'
+];
+
+$proc = proc_open($cmd, [['null'], ['pipe', 'w'], ['redirect', 1]], $pipes);
+echo stream_get_contents($pipes[1]);
+
+?>
+--EXPECTF--
+preloaded
+PHP %s
+Copyright (c) The PHP Group
+Zend Engine %s
+    with Zend OPcache %s
diff --git a/sapi/cli/tests/preload.inc b/sapi/cli/tests/preload.inc
new file mode 100644
index 00000000000..469ba934415
--- /dev/null
+++ b/sapi/cli/tests/preload.inc
@@ -0,0 +1,7 @@
+<?php
+
+class SomeClass {}
+
+function foo() {}
+
+echo "preloaded\n";