Fixed bug #80045

Applying the obvious fix ... however, I think we may need to
rething how we handle trampoline fcc for "f" zpp. It might make
sense to use fcc->function_handler == NULL for that case and
force it to be fetched in zend_call_function instead (it will
be reset to that after the call anyway). Otherwise we will keep
chasing these leaks, as it's the only instance where it's
necessary to free a zpp result.

Author: nikic

NEWS

@@ -5,6 +5,8 @@ PHP                                                                        NEWS
 - Core:
   . Implement #[Attr] Attribute syntax as per final vote in RFC
     https://wiki.php.net/rfc/shorter_attribute_syntax_change
+  . Fixed bug #80045 (memleak after two set_exception_handler calls with
+    __call). (Nikita)
 
 03 Sep 2020, PHP 8.0.0beta3
 

Zend/tests/bug80045.phpt

@@ -0,0 +1,22 @@
+--TEST--
+Bug #80045: memleak after two set_exception_handler calls with __call
+--FILE--
+<?php
+
+class x {
+    public function __construct(){
+        set_exception_handler([$this, 'dummyExceptionHandler']);
+        set_exception_handler([$this, 'dummyExceptionHandler']);
+        set_error_handler([$this, 'dummyErrorHandler']);
+        set_error_handler([$this, 'dummyErrorHandler']);
+    }
+
+    public function __call($m, $p) {}
+}
+
+new x;
+
+?>
+===DONE===
+--EXPECT--
+===DONE===

Zend/zend_builtin_functions.c

@@ -1198,6 +1198,7 @@ ZEND_FUNCTION(set_error_handler)
 
 	ZVAL_COPY(&EG(user_error_handler), &(fci.function_name));
 	EG(user_error_handler_error_reporting) = (int)error_type;
+	zend_release_fcall_info_cache(&fcc);
 }
 /* }}} */
 
@@ -1253,6 +1254,7 @@ ZEND_FUNCTION(set_exception_handler)
 	}
 
 	ZVAL_COPY(&EG(user_exception_handler), &(fci.function_name));
+	zend_release_fcall_info_cache(&fcc);
 }
 /* }}} */