Fix GH-21639: Protect frameless call args

Author: prateekbhujel

Zend/tests/gh21639.phpt

@@ -0,0 +1,151 @@
+--TEST--
+GH-21639: Frameless calls keep volatile arguments alive
+--FILE--
+<?php
+class ImplodeElement {
+    public function __toString(): string {
+        global $separator, $pieces;
+
+        $separator = null;
+        $pieces = null;
+
+        return "C";
+    }
+}
+
+$separator = str_repeat(",", 1) . " ";
+$pieces = [new ImplodeElement(), 42];
+
+var_dump(implode($separator, $pieces));
+var_dump($separator, $pieces);
+
+class MutatingSeparator {
+    public function __toString(): string {
+        global $piecesFromSeparator;
+
+        $piecesFromSeparator = null;
+
+        return ", ";
+    }
+}
+
+$piecesFromSeparator = ["A", "B"];
+
+var_dump(implode(new MutatingSeparator(), $piecesFromSeparator));
+var_dump($piecesFromSeparator);
+
+class ImplodeElementWithoutSeparator {
+    public function __toString(): string {
+        global $oneArgPieces;
+
+        $oneArgPieces = null;
+
+        return "D";
+    }
+}
+
+$oneArgPieces = [new ImplodeElementWithoutSeparator(), 42];
+
+var_dump(implode($oneArgPieces));
+var_dump($oneArgPieces);
+
+class InArrayNeedle {
+    public function __toString(): string {
+        global $inArrayHaystack;
+
+        $inArrayHaystack = null;
+
+        return "needle";
+    }
+}
+
+$inArrayHaystack = [new InArrayNeedle()];
+
+var_dump(in_array("needle", $inArrayHaystack));
+var_dump($inArrayHaystack);
+
+class StrtrReplacement {
+    public function __toString(): string {
+        global $strtrReplacements;
+
+        $strtrReplacements = null;
+
+        return "b";
+    }
+}
+
+$strtrReplacements = ["a" => new StrtrReplacement()];
+
+var_dump(strtr("a", $strtrReplacements));
+var_dump($strtrReplacements);
+
+class StrReplaceSubject {
+    public function __toString(): string {
+        global $strReplaceSubject;
+
+        $strReplaceSubject = null;
+
+        return "a";
+    }
+}
+
+$strReplaceSubject = [new StrReplaceSubject(), "aa"];
+
+var_dump(str_replace("a", "b", $strReplaceSubject));
+var_dump($strReplaceSubject);
+
+class MinArg {
+    public function __toString(): string {
+        global $minArg;
+
+        $minArg = null;
+
+        return "a";
+    }
+}
+
+$minArg = new MinArg();
+$minResult = min($minArg, "b");
+
+var_dump($minResult instanceof MinArg);
+var_dump($minArg);
+
+class MaxArg {
+    public function __toString(): string {
+        global $maxArg;
+
+        $maxArg = null;
+
+        return "a";
+    }
+}
+
+$maxArg = new MaxArg();
+$maxResult = max("0", $maxArg);
+
+var_dump($maxResult instanceof MaxArg);
+var_dump($maxArg);
+?>
+--EXPECT--
+string(5) "C, 42"
+NULL
+NULL
+string(4) "A, B"
+NULL
+string(3) "D42"
+NULL
+bool(true)
+NULL
+string(1) "b"
+NULL
+array(2) {
+  [0]=>
+  string(1) "b"
+  [1]=>
+  string(2) "bb"
+}
+NULL
+bool(true)
+NULL
+bool(true)
+NULL

Zend/zend_builtin_functions.stub.php

@@ -75,13 +75,13 @@ function method_exists($object_or_class, string $method): bool {}
 
 /**
  * @param object|string $object_or_class
- * @frameless-function {"arity": 2}
+ * @frameless-function {"arity": 2, "needs_arg_copy": true}
  */
 function property_exists($object_or_class, string $property): bool {}
 
 /**
- * @frameless-function {"arity": 1}
- * @frameless-function {"arity": 2}
+ * @frameless-function {"arity": 1, "needs_arg_copy": true}
+ * @frameless-function {"arity": 2, "needs_arg_copy": true}
  */
 function class_exists(string $class, bool $autoload = true): bool {}
 

Zend/zend_builtin_functions_arginfo.h

@@ -4668,11 +4668,11 @@ static const zend_frameless_function_info *find_frameless_function_info(zend_ast
 	}
 
 	while (frameless_function_info->handler) {
-		if (frameless_function_info->num_args >= args->children
+		uint32_t num_args = ZEND_FLF_INFO_NUM_ARGS(frameless_function_info);
+		if (num_args >= args->children
 		 && fbc->common.required_num_args <= args->children
 		 && (!(fbc->common.fn_flags & ZEND_ACC_VARIADIC)
-		  || frameless_function_info->num_args == args->children)) {
-			uint32_t num_args = frameless_function_info->num_args;
+		  || num_args == args->children)) {
 			uint32_t offset = find_frameless_function_offset(num_args, frameless_function_info->handler);
 			if (offset == (uint32_t)-1) {
 				continue;
@@ -4688,7 +4688,7 @@ static const zend_frameless_function_info *find_frameless_function_info(zend_ast
 static uint32_t zend_compile_frameless_icall_ex(znode *result, zend_ast_list *args, zend_function *fbc, const zend_frameless_function_info *frameless_function_info, uint32_t type)
 {
 	int lineno = CG(zend_lineno);
-	uint32_t num_args = frameless_function_info->num_args;
+	uint32_t num_args = ZEND_FLF_INFO_NUM_ARGS(frameless_function_info);
 	uint32_t offset = find_frameless_function_offset(num_args, frameless_function_info->handler);
 	znode arg_zvs[3];
 	for (uint32_t i = 0; i < num_args; i++) {
@@ -4705,7 +4705,7 @@ static uint32_t zend_compile_frameless_icall_ex(znode *result, zend_ast_list *ar
 	uint8_t opcode = ZEND_FRAMELESS_ICALL_0 + num_args;
 	uint32_t opnum = get_next_op_number();
 	zend_op *opline = zend_emit_op_tmp(result, opcode, NULL, NULL);
-	opline->extended_value = offset;
+	opline->extended_value = offset | ZEND_FLF_INFO_FLAGS(frameless_function_info);
 	opline->lineno = lineno;
 	if (num_args >= 1) {
 		SET_NODE(opline->op1, &arg_zvs[0]);

Zend/zend_compile.c

@@ -1582,15 +1582,20 @@ static zend_never_inline void zend_assign_to_object_dim(zend_object *obj, zval *
 	}
 }
 
-static void frameless_observed_call_copy(zend_execute_data *call, uint32_t arg, zval *zv)
+static zend_always_inline void zend_frameless_copy_arg(zval *dst, zval *src)
 {
-	if (Z_ISUNDEF_P(zv)) {
-		ZVAL_NULL(ZEND_CALL_VAR_NUM(call, arg));
+	if (Z_ISUNDEF_P(src)) {
+		ZVAL_NULL(dst);
 	} else {
-		ZVAL_COPY_DEREF(ZEND_CALL_VAR_NUM(call, arg), zv);
+		ZVAL_COPY_DEREF(dst, src);
 	}
 }
 
+static void frameless_observed_call_copy(zend_execute_data *call, uint32_t arg, zval *zv)
+{
+	zend_frameless_copy_arg(ZEND_CALL_VAR_NUM(call, arg), zv);
+}
+
 ZEND_API void zend_frameless_observed_call(zend_execute_data *execute_data)
 {
 	const zend_op *opline = EX(opline);

Zend/zend_execute.c

@@ -36,8 +36,14 @@
 #define ZEND_FRAMELESS_FUNCTION_NAME(name, arity) zflf_##name##_##arity
 #define ZEND_OP_IS_FRAMELESS_ICALL(opcode) ((opcode) >= ZEND_FRAMELESS_ICALL_0 && (opcode) <= ZEND_FRAMELESS_ICALL_3)
 #define ZEND_FLF_NUM_ARGS(opcode) ((opcode) - ZEND_FRAMELESS_ICALL_0)
-#define ZEND_FLF_FUNC(opline) (zend_flf_functions[(opline)->extended_value])
-#define ZEND_FLF_HANDLER(opline) (zend_flf_handlers[(opline)->extended_value])
+#define ZEND_FLF_ARG_COPY (1u << 31)
+#define ZEND_FLF_NUM_ARGS_MASK (~ZEND_FLF_ARG_COPY)
+#define ZEND_FLF_INFO_NUM_ARGS(info) ((info)->num_args & ZEND_FLF_NUM_ARGS_MASK)
+#define ZEND_FLF_INFO_FLAGS(info) ((info)->num_args & ZEND_FLF_ARG_COPY)
+#define ZEND_FLF_OFFSET(opline) ((opline)->extended_value & ZEND_FLF_NUM_ARGS_MASK)
+#define ZEND_FLF_USES_ARG_COPY(opline) ((opline)->extended_value & ZEND_FLF_ARG_COPY)
+#define ZEND_FLF_FUNC(opline) (zend_flf_functions[ZEND_FLF_OFFSET(opline)])
+#define ZEND_FLF_HANDLER(opline) (zend_flf_handlers[ZEND_FLF_OFFSET(opline)])
 
 #define ZEND_FRAMELESS_FUNCTION(name, arity) \
 	void ZEND_FRAMELESS_FUNCTION_NAME(name, arity)(ZEND_FRAMELESS_FUNCTION_PARAMETERS_##arity)

Zend/zend_frameless_function.h

@@ -9713,7 +9713,14 @@ ZEND_VM_HANDLER(205, ZEND_FRAMELESS_ICALL_1, ANY, UNUSED, SPEC(OBSERVER))
 #endif
 	{
 		zend_frameless_function_1 function = (zend_frameless_function_1)ZEND_FLF_HANDLER(opline);
-		function(result, arg1);
+		if (UNEXPECTED(ZEND_FLF_USES_ARG_COPY(opline))) {
+			zval arg1_copy;
+			zend_frameless_copy_arg(&arg1_copy, arg1);
+			function(result, &arg1_copy);
+			zval_ptr_dtor_nogc(&arg1_copy);
+		} else {
+			function(result, arg1);
+		}
 	}
 	FREE_OP1();
 	ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
@@ -9741,7 +9748,16 @@ ZEND_VM_HANDLER(206, ZEND_FRAMELESS_ICALL_2, ANY, ANY, SPEC(OBSERVER))
 #endif
 	{
 		zend_frameless_function_2 function = (zend_frameless_function_2)ZEND_FLF_HANDLER(opline);
-		function(result, arg1, arg2);
+		if (UNEXPECTED(ZEND_FLF_USES_ARG_COPY(opline))) {
+			zval arg1_copy, arg2_copy;
+			zend_frameless_copy_arg(&arg1_copy, arg1);
+			zend_frameless_copy_arg(&arg2_copy, arg2);
+			function(result, &arg1_copy, &arg2_copy);
+			zval_ptr_dtor_nogc(&arg1_copy);
+			zval_ptr_dtor_nogc(&arg2_copy);
+		} else {
+			function(result, arg1, arg2);
+		}
 	}
 
 	FREE_OP1();
@@ -9777,7 +9793,18 @@ ZEND_VM_HANDLER(207, ZEND_FRAMELESS_ICALL_3, ANY, ANY, SPEC(OBSERVER))
 #endif
 	{
 		zend_frameless_function_3 function = (zend_frameless_function_3)ZEND_FLF_HANDLER(opline);
-		function(result, arg1, arg2, arg3);
+		if (UNEXPECTED(ZEND_FLF_USES_ARG_COPY(opline))) {
+			zval arg1_copy, arg2_copy, arg3_copy;
+			zend_frameless_copy_arg(&arg1_copy, arg1);
+			zend_frameless_copy_arg(&arg2_copy, arg2);
+			zend_frameless_copy_arg(&arg3_copy, arg3);
+			function(result, &arg1_copy, &arg2_copy, &arg3_copy);
+			zval_ptr_dtor_nogc(&arg1_copy);
+			zval_ptr_dtor_nogc(&arg2_copy);
+			zval_ptr_dtor_nogc(&arg3_copy);
+		} else {
+			function(result, arg1, arg2, arg3);
+		}
 	}
 
 	FREE_OP1();