Fix phpGH-10496: Segfault in fiber with nested calls

bwoebi · bwoebi · commit 37cb645f6a4a · 2023-02-04T23:47:56.000Z
diff --git a/Zend/tests/fibers/gh10496.phpt b/Zend/tests/fibers/gh10496.phpt
@@ -0,0 +1,33 @@
+--FILE--
+Segfault when garbage collector is invoked inside of fiber
+--TEST--
+<?php
+
+function x(&$ref) {
+	$ref = new class() {
+		function __destruct() {
+			print "Dtor x()\n";
+		}
+	};
+}
+function suspend($x) {
+	Fiber::suspend();
+}
+$f = new Fiber(function() use (&$f) {
+	try {
+		x($var);
+		\ord(suspend(1));
+	} finally {
+		print "Cleaned\n";
+	}
+});
+$f->start();
+unset($f);
+gc_collect_cycles();
+print "Collected\n";
+
+?>
+--EXPECT--
+Cleaned
+Dtor x()
+Collected
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -4116,6 +4116,8 @@ static zend_always_inline zend_generator *zend_get_running_generator(EXECUTE_DAT
 
 ZEND_API void zend_unfinished_calls_gc(zend_execute_data *execute_data, zend_execute_data *call, uint32_t op_num, zend_get_gc_buffer *buf) /* {{{ */
 {
+	bool skip_current_call = (EX(func)->op_array.fn_flags & ZEND_ACC_GENERATOR) == 0 || (((zend_generator *) EX(return_value))->flags & ZEND_GENERATOR_IN_FIBER) != 0;
+
 	zend_op *opline = EX(func)->op_array.opcodes + op_num;
 	int level;
 	int do_exit;
@@ -4131,6 +4133,7 @@ ZEND_API void zend_unfinished_calls_gc(zend_execute_data *execute_data, zend_exe
 		opline->opcode == ZEND_NEW)) {
 		ZEND_ASSERT(op_num);
 		opline--;
+		skip_current_call = false;
 	}
 
 	do {
@@ -4189,7 +4192,7 @@ ZEND_API void zend_unfinished_calls_gc(zend_execute_data *execute_data, zend_exe
 				opline--;
 			}
 		} while (!do_exit);
-		if (call->prev_execute_data) {
+		if (skip_current_call || call->prev_execute_data) {
 			/* skip current call region */
 			level = 0;
 			do_exit = 0;
@@ -4219,6 +4222,11 @@ ZEND_API void zend_unfinished_calls_gc(zend_execute_data *execute_data, zend_exe
 			} while (!do_exit);
 		}
 
+		if (skip_current_call) {
+			skip_current_call = false;
+			continue;
+		}
+
 		if (EXPECTED(num_args > 0)) {
 			zval *p = ZEND_CALL_ARG(call, 1);
 			do {
