Attempt to not alias on autoloading non qualified namespace call

Girgias · Girgias · commit 060bab7d1d4b · 2024-08-17T20:03:00.000+02:00
OpCache doesn't work properly as the local function gets bound to a global one.
diff --git a/Zend/Optimizer/compact_literals.c b/Zend/Optimizer/compact_literals.c
@@ -603,7 +603,6 @@ void zend_optimizer_compact_literals(zend_op_array *op_array, zend_optimizer_ctx
 					break;
 				case ZEND_INIT_FCALL:
 				case ZEND_INIT_FCALL_BY_NAME:
-				case ZEND_INIT_NS_FCALL_BY_NAME:
 					// op2 func
 					if (func_slot[opline->op2.constant] >= 0) {
 						opline->result.num = func_slot[opline->op2.constant];
@@ -613,6 +612,13 @@ void zend_optimizer_compact_literals(zend_op_array *op_array, zend_optimizer_ctx
 						func_slot[opline->op2.constant] = opline->result.num;
 					}
 					break;
+				/* Do not compact runtime function cache for non qualified namespace calls */
+				case ZEND_INIT_NS_FCALL_BY_NAME:
+					// op2 func
+					opline->result.num = cache_size;
+					cache_size += sizeof(void *);
+					func_slot[opline->op2.constant] = opline->result.num;
+					break;
 				case ZEND_INIT_METHOD_CALL:
 					if (opline->op2_type == IS_CONST) {
 						// op2 method
diff --git a/Zend/Optimizer/dfa_pass.c b/Zend/Optimizer/dfa_pass.c
@@ -408,14 +408,19 @@ int zend_dfa_optimize_calls(zend_op_array *op_array, zend_ssa *ssa)
 
 		do {
 			if (call_info->caller_call_opline
-			 && call_info->caller_call_opline->opcode == ZEND_DO_ICALL
-			 && call_info->callee_func
-			 && zend_string_equals_literal(call_info->callee_func->common.function_name, "in_array")
-			 && (call_info->caller_init_opline->extended_value == 2
-			  || (call_info->caller_init_opline->extended_value == 3
-			   && (call_info->caller_call_opline - 1)->opcode == ZEND_SEND_VAL
-			   && (call_info->caller_call_opline - 1)->op1_type == IS_CONST))) {
-
+				&& call_info->caller_call_opline->opcode == ZEND_DO_ICALL
+				&& call_info->callee_func
+				&& call_info->callee_func->common.function_name /* Ignore fake "pass" function */
+				&& zend_string_equals_literal(call_info->callee_func->common.function_name, "in_array")
+				&& (
+					call_info->caller_init_opline->extended_value == 2
+					|| (
+						call_info->caller_init_opline->extended_value == 3
+						&& (call_info->caller_call_opline - 1)->opcode == ZEND_SEND_VAL
+						&& (call_info->caller_call_opline - 1)->op1_type == IS_CONST
+					)
+				)
+			) {
 				zend_op *send_array;
 				zend_op *send_needly;
 				bool strict = 0;
diff --git a/Zend/Optimizer/zend_optimizer.c b/Zend/Optimizer/zend_optimizer.c
@@ -812,7 +812,13 @@ static bool zend_optimizer_ignore_function(zval *fbc_zv, zend_string *filename)
 	zend_function *fbc = Z_PTR_P(fbc_zv);
 
 	if (fbc->type == ZEND_INTERNAL_FUNCTION) {
-		return false;
+		/* For ZEND_INIT_NS_FCALL_BY_NAME, the function may be the "fake" pass function
+		 * to indicate that the global function should be used instead */
+		if (UNEXPECTED(fbc == (zend_function *) &zend_pass_function)) {
+			return true;
+		} else {
+			return false;
+		}
 	} else if (fbc->type == ZEND_USER_FUNCTION) {
 		if (fbc->op_array.fn_flags & ZEND_ACC_PRELOADED) {
 			Bucket *fbc_bucket = (Bucket*)((uintptr_t)fbc_zv - XtOffsetOf(Bucket, val));
diff --git a/Zend/tests/autoloading/function/dynamic_local_function_pinned-to_global.phpt b/Zend/tests/autoloading/function/dynamic_local_function_pinned-to_global.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Local function which falls back to global is NOT aliased to the global one, dynamic string
+--FILE--
+<?php
+
+namespace Foo {
+     var_dump(strlen('hello')); // triggers name pinning
+}
+namespace Bar {
+    $v = 'Foo\strlen';
+    var_dump($v('hello'));
+}
+
+?>
+--EXPECTF--
+int(5)
+
+Fatal error: Uncaught Error: Call to undefined function Foo\strlen() in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d
diff --git a/Zend/tests/autoloading/function/local_function_defined_after_pinned_to_global.phpt b/Zend/tests/autoloading/function/local_function_defined_after_pinned_to_global.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Local function must be able to be defined after it got pinned to the global one
+--FILE--
+<?php
+
+namespace Foo;
+
+var_dump(strlen('hello')); // triggers name pinning
+if (!function_exists('Foo\strlen') ) {
+    function strlen(string $s) {
+        return 42;
+    }
+   var_dump(\Foo\strlen('hello'));
+   var_dump(strlen('hello'));
+}
+
+
+?>
+--EXPECT--
+int(5)
+int(42)
+int(42)
diff --git a/Zend/tests/autoloading/function/local_function_pinned-to_global.phpt b/Zend/tests/autoloading/function/local_function_pinned-to_global.phpt
@@ -1,13 +1,8 @@
 --TEST--
-Local function which falls back to global is aliased to the global one
+Local function which falls back to global is NOT aliased to the global one, function_exists
 --FILE--
 <?php
 
-namespace Bar {
-    if ( function_exists('Foo\strlen') ) {
-        var_dump(\Foo\strlen('hello'));
-    }
-}
 namespace Foo {
      var_dump(strlen('hello')); // triggers name pinning
 }
@@ -21,5 +16,3 @@ namespace Bar {
 ?>
 --EXPECT--
 int(5)
-\Foo\strlen() was bound to global \strlen()
-int(5)
diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
@@ -1165,8 +1165,8 @@ ZEND_FUNCTION(function_exists)
 {
 	zend_string *name;
 	bool autoload = true;
-	bool exists;
 	zend_string *lcname;
+	zend_function *fbc;
 
 	ZEND_PARSE_PARAMETERS_START(1, 2)
 		Z_PARAM_STR(name)
@@ -1183,14 +1183,18 @@ ZEND_FUNCTION(function_exists)
 			lcname = zend_string_tolower(name);
 		}
 
-		exists = zend_hash_exists(EG(function_table), lcname);
+		fbc = (zend_function*) zend_hash_find_ptr(EG(function_table), lcname);
 		zend_string_release_ex(lcname, 0);
 	} else {
-		zend_function *fbc = zend_lookup_function(name);
-		exists = fbc;
+		fbc = zend_lookup_function(name);
 	}
 
-	RETURN_BOOL(exists);
+	/* If the function was marked as using the global function, indicate it doesn't exist */
+	if (!fbc || fbc == (zend_function *) &zend_pass_function) {
+		RETURN_FALSE;
+	}
+
+	RETURN_TRUE;
 }
 /* }}} */
 
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -1261,6 +1261,20 @@ ZEND_API zend_result do_bind_function(zend_function *func, zval *lcname) /* {{{
 {
 	zend_function *added_func = zend_hash_add_ptr(EG(function_table), Z_STR_P(lcname), func);
 	if (UNEXPECTED(!added_func)) {
+		/* If a function name was marked as using the global name, properly declare the namespaced function */
+		zend_function *old_func = zend_hash_find_ptr(EG(function_table), Z_STR_P(lcname));
+		if (old_func == (zend_function *) &zend_pass_function) {
+			zend_hash_update_ptr(EG(function_table), Z_STR_P(lcname), func);
+			if (func->op_array.refcount) {
+				++*func->op_array.refcount;
+			}
+			if (func->common.function_name) {
+				zend_string_addref(func->common.function_name);
+			}
+			zend_observer_function_declared_notify(&func->op_array, Z_STR_P(lcname));
+			return SUCCESS;
+		}
+
 		do_bind_function_error(Z_STR_P(lcname), &func->op_array, 0);
 		return FAILURE;
 	}
@@ -1271,7 +1285,9 @@ ZEND_API zend_result do_bind_function(zend_function *func, zval *lcname) /* {{{
 	if (func->common.function_name) {
 		zend_string_addref(func->common.function_name);
 	}
-	zend_observer_function_declared_notify(&func->op_array, Z_STR_P(lcname));
+	if (EXPECTED(func != (zend_function *) &zend_pass_function)) {
+		zend_observer_function_declared_notify(&func->op_array, Z_STR_P(lcname));
+	}
 	return SUCCESS;
 }
 /* }}} */
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -4865,7 +4865,10 @@ static zend_never_inline zend_execute_data *zend_init_dynamic_call_string(zend_s
 			init_func_run_time_cache(&fbc->op_array);
 		}
 	} else {
-		if (UNEXPECTED((fbc = zend_lookup_function(function)) == NULL)) {
+		if (UNEXPECTED(
+			((fbc = zend_lookup_function(function)) == NULL)
+			|| (fbc == (zend_function *) &zend_pass_function)
+		)) {
 			zend_throw_error(NULL, "Call to undefined function %s()", ZSTR_VAL(function));
 			return NULL;
 		}
diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c
@@ -149,6 +149,9 @@ ZEND_API void zend_function_dtor(zval *zv)
 		ZEND_ASSERT(function->common.function_name);
 		destroy_op_array(&function->op_array);
 		/* op_arrays are allocated on arena, so we don't have to free them */
+	} else if (UNEXPECTED(function == (zend_function *) &zend_pass_function)) {
+		/* Ignore fake pass function */
+		return;
 	} else {
 		ZEND_ASSERT(function->type == ZEND_INTERNAL_FUNCTION);
 		ZEND_ASSERT(function->common.function_name);
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -3843,6 +3843,8 @@ ZEND_VM_HOT_HANDLER(59, ZEND_INIT_FCALL_BY_NAME, ANY, CONST, NUM|CACHE_SLOT)
 		}
 		CACHE_PTR(opline->result.num, fbc);
 	}
+
+	ZEND_ASSERT(fbc != (zend_function*)&zend_pass_function);
 	call = _zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,
 		fbc, opline->extended_value, NULL);
 	call->prev_execute_data = EX(call);
@@ -3958,6 +3960,7 @@ ZEND_VM_HANDLER(118, ZEND_INIT_USER_CALL, CONST, CONST|TMPVAR|CV, NUM)
 		HANDLE_EXCEPTION();
 	}
 
+	ZEND_ASSERT(func != (zend_function*)&zend_pass_function);
 	call = zend_vm_stack_push_call_frame(call_info,
 		func, opline->extended_value, object_or_called_scope);
 	call->prev_execute_data = EX(call);
@@ -3990,18 +3993,27 @@ ZEND_VM_HOT_HANDLER(69, ZEND_INIT_NS_FCALL_BY_NAME, ANY, CONST, NUM|CACHE_SLOT)
 				}
 				ZEND_VM_DISPATCH_TO_HELPER(zend_undefined_function_helper);
 			}
-			/* We bind the unqualified name to the global function
+			/* We bind the unqualified name to the internal "zend_pass_function" for it to indicate that it
+			 * should use the global function.
 			 * Use the lowercase name of the function stored in the first cache slot as
 			 * function names are case insensitive */
 			else {
 				zval tmp;
 				ZVAL_STR(&tmp, Z_STR_P(function_name+1));
-				do_bind_function(fbc, &tmp);
+				do_bind_function((zend_function *) &zend_pass_function, &tmp);
 			}
+		} else if (fbc == (zend_function *) &zend_pass_function) {
+			/* Unqualified call was marked as using the global function
+			 * Thus we need to replace the pass function with the actual function.
+			 * Use the lowercase name of the function without tha namespace which is stored in the second cache slot */
+			fbc = (zend_function *) zend_hash_find_ptr(EG(function_table), Z_STR_P(function_name+2));
+			ZEND_ASSERT(fbc);
 		}
 		if (EXPECTED(fbc->type == ZEND_USER_FUNCTION) && UNEXPECTED(!RUN_TIME_CACHE(&fbc->op_array))) {
 			init_func_run_time_cache(&fbc->op_array);
 		}
+
+		ZEND_ASSERT(fbc != (zend_function*)&zend_pass_function);
 		CACHE_PTR(opline->result.num, fbc);
 	}
 
@@ -4031,6 +4043,7 @@ ZEND_VM_HOT_HANDLER(61, ZEND_INIT_FCALL, NUM, CONST, NUM|CACHE_SLOT)
 		CACHE_PTR(opline->result.num, fbc);
 	}
 
+	ZEND_ASSERT(fbc != (zend_function*)&zend_pass_function);
 	call = _zend_vm_stack_push_call_frame_ex(
 		opline->op1.num, ZEND_CALL_NESTED_FUNCTION,
 		fbc, opline->extended_value, NULL);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h

Original file line number	Diff line number	Diff line change
`@@ -4865,7 +4865,10 @@ static zend_never_inline zend_execute_data *zend_init_dynamic_call_string(zend_s`
`4865`	`4865`	`init_func_run_time_cache(&fbc->op_array);`
`4866`	`4866`	`}`
`4867`	`4867`	`} else {`
`4868`		`- if (UNEXPECTED((fbc = zend_lookup_function(function)) == NULL)) {`
	`4868`	`+ if (UNEXPECTED(`
	`4869`	`+ ((fbc = zend_lookup_function(function)) == NULL)`
	`4870`	`+ \|\| (fbc == (zend_function *) &zend_pass_function)`
	`4871`	`+ )) {`
`4869`	`4872`	`zend_throw_error(NULL, "Call to undefined function %s()", ZSTR_VAL(function));`
`4870`	`4873`	`return NULL;`
`4871`	`4874`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3843,6 +3843,8 @@ ZEND_VM_HOT_HANDLER(59, ZEND_INIT_FCALL_BY_NAME, ANY, CONST, NUM\|CACHE_SLOT)`
`3843`	`3843`	`}`
`3844`	`3844`	`CACHE_PTR(opline->result.num, fbc);`
`3845`	`3845`	`}`
	`3846`	`+`
	`3847`	`+ ZEND_ASSERT(fbc != (zend_function*)&zend_pass_function);`
`3846`	`3848`	`call = _zend_vm_stack_push_call_frame(ZEND_CALL_NESTED_FUNCTION,`
`3847`	`3849`	`fbc, opline->extended_value, NULL);`
`3848`	`3850`	`call->prev_execute_data = EX(call);`
`@@ -3958,6 +3960,7 @@ ZEND_VM_HANDLER(118, ZEND_INIT_USER_CALL, CONST, CONST\|TMPVAR\|CV, NUM)`
`3958`	`3960`	`HANDLE_EXCEPTION();`
`3959`	`3961`	`}`
`3960`	`3962`
	`3963`	`+ ZEND_ASSERT(func != (zend_function*)&zend_pass_function);`
`3961`	`3964`	`call = zend_vm_stack_push_call_frame(call_info,`
`3962`	`3965`	`func, opline->extended_value, object_or_called_scope);`
`3963`	`3966`	`call->prev_execute_data = EX(call);`
`@@ -3990,18 +3993,27 @@ ZEND_VM_HOT_HANDLER(69, ZEND_INIT_NS_FCALL_BY_NAME, ANY, CONST, NUM\|CACHE_SLOT)`
`3990`	`3993`	`}`
`3991`	`3994`	`ZEND_VM_DISPATCH_TO_HELPER(zend_undefined_function_helper);`
`3992`	`3995`	`}`
`3993`		`- /* We bind the unqualified name to the global function`
	`3996`	`+ /* We bind the unqualified name to the internal "zend_pass_function" for it to indicate that it`
	`3997`	`+ * should use the global function.`
`3994`	`3998`	`* Use the lowercase name of the function stored in the first cache slot as`
`3995`	`3999`	`* function names are case insensitive */`
`3996`	`4000`	`else {`
`3997`	`4001`	`zval tmp;`
`3998`	`4002`	`ZVAL_STR(&tmp, Z_STR_P(function_name+1));`
`3999`		`- do_bind_function(fbc, &tmp);`
	`4003`	`+ do_bind_function((zend_function *) &zend_pass_function, &tmp);`
`4000`	`4004`	`}`
	`4005`	`+ } else if (fbc == (zend_function *) &zend_pass_function) {`
	`4006`	`+ /* Unqualified call was marked as using the global function`
	`4007`	`+ * Thus we need to replace the pass function with the actual function.`
	`4008`	`+ * Use the lowercase name of the function without tha namespace which is stored in the second cache slot */`
	`4009`	`+ fbc = (zend_function *) zend_hash_find_ptr(EG(function_table), Z_STR_P(function_name+2));`
	`4010`	`+ ZEND_ASSERT(fbc);`
`4001`	`4011`	`}`
`4002`	`4012`	`if (EXPECTED(fbc->type == ZEND_USER_FUNCTION) && UNEXPECTED(!RUN_TIME_CACHE(&fbc->op_array))) {`
`4003`	`4013`	`init_func_run_time_cache(&fbc->op_array);`
`4004`	`4014`	`}`
	`4015`	`+`
	`4016`	`+ ZEND_ASSERT(fbc != (zend_function*)&zend_pass_function);`
`4005`	`4017`	`CACHE_PTR(opline->result.num, fbc);`
`4006`	`4018`	`}`
`4007`	`4019`
`@@ -4031,6 +4043,7 @@ ZEND_VM_HOT_HANDLER(61, ZEND_INIT_FCALL, NUM, CONST, NUM\|CACHE_SLOT)`
`4031`	`4043`	`CACHE_PTR(opline->result.num, fbc);`
`4032`	`4044`	`}`
`4033`	`4045`
	`4046`	`+ ZEND_ASSERT(fbc != (zend_function*)&zend_pass_function);`
`4034`	`4047`	`call = _zend_vm_stack_push_call_frame_ex(`
`4035`	`4048`	`opline->op1.num, ZEND_CALL_NESTED_FUNCTION,`
`4036`	`4049`	`fbc, opline->extended_value, NULL);`