Fix GH-12837: Combination of phpdbg and Generator method causes memory leak

nielsdos · nielsdos · commit 4d72bd730404 · 2024-12-30T16:46:11.000+01:00
The fix for bug #72523 (d1dd474) added a check on `zend_execute_ex` to add an extra refcount to `This`. This is necessary because the VM does a re-entry here: https://github.com/php/php-src/blob/ecb90c1db7efe9d87c07e31336185fc393281035/Zend/zend_vm_def.h#L4294-L4299 and then cleans up `This` here: https://github.com/php/php-src/blob/ecb90c1db7efe9d87c07e31336185fc393281035/Zend/zend_vm_def.h#L4358-L4360 So if we don't add the refcount, we destroy `This` both in the VM and in `zend_generator_close`. The reason this causes a leak in phpdbg is because it changes the `zend_execute_ex` temporarily back to the default here for `ZEND_DO_FCALL`: https://github.com/php/php-src/blob/ecb90c1db7efe9d87c07e31336185fc393281035/sapi/phpdbg/phpdbg_prompt.c#L1820-L1827 which means that we only execute `OBJ_RELEASE` on the `This` object once in `zend_generator_close` instead of also doing it in the `ZEND_DO_FCALL` handler. To solve this, we make sure the check for the re-entrancy is consistently done by checking the `ZEND_CALL_TOP` flag instead of relying solely on `execute_ex` pointer: https://github.com/php/php-src/blob/ecb90c1db7efe9d87c07e31336185fc393281035/Zend/zend_vm_def.h#L4298
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -4534,7 +4534,7 @@ ZEND_VM_HANDLER(139, ZEND_GENERATOR_CREATE, ANY, ANY)
 		if ((call_info & Z_TYPE_MASK) == IS_OBJECT
 		 && (!(call_info & (ZEND_CALL_CLOSURE|ZEND_CALL_RELEASE_THIS))
 			 /* Bug #72523 */
-			|| UNEXPECTED(zend_execute_ex != execute_ex))) {
+			|| (call_info & ZEND_CALL_TOP))) {
 			ZEND_ADD_CALL_FLAG_EX(call_info, ZEND_CALL_RELEASE_THIS);
 			Z_ADDREF(gen_execute_data->This);
 		}
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
diff --git a/sapi/phpdbg/tests/gh12837.phpt b/sapi/phpdbg/tests/gh12837.phpt
@@ -0,0 +1,44 @@
+--TEST--
+GH-12837 (Combination of phpdbg and Generator method causes memory leak)
+--CREDITS--
+ngyuki
+--FILE--
+<?php
+class A
+{
+    public function __construct()
+    {
+        var_dump('__construct');
+    }
+
+    public function __destruct()
+    {
+        var_dump('__destruct');
+    }
+
+    public function iterate()
+    {
+        yield 1;
+    }
+}
+
+$arr = iterator_to_array((new A())->iterate()); gc_collect_cycles();
+$arr = iterator_to_array((new A())->iterate()); gc_collect_cycles();
+$arr = iterator_to_array((new A())->iterate()); gc_collect_cycles();
+
+var_dump('exit');
+?>
+--PHPDBG--
+r
+q
+--EXPECTF--
+[Successful compilation of %s]
+prompt> string(11) "__construct"
+string(10) "__destruct"
+string(11) "__construct"
+string(10) "__destruct"
+string(11) "__construct"
+string(10) "__destruct"
+string(4) "exit"
+[Script ended normally]
+prompt>

Original file line number	Diff line number	Diff line change
`@@ -4534,7 +4534,7 @@ ZEND_VM_HANDLER(139, ZEND_GENERATOR_CREATE, ANY, ANY)`
`4534`	`4534`	`if ((call_info & Z_TYPE_MASK) == IS_OBJECT`
`4535`	`4535`	`&& (!(call_info & (ZEND_CALL_CLOSURE\|ZEND_CALL_RELEASE_THIS))`
`4536`	`4536`	`/* Bug #72523 */`
`4537`		`- \|\| UNEXPECTED(zend_execute_ex != execute_ex))) {`
	`4537`	`+ \|\| (call_info & ZEND_CALL_TOP))) {`
`4538`	`4538`	`ZEND_ADD_CALL_FLAG_EX(call_info, ZEND_CALL_RELEASE_THIS);`
`4539`	`4539`	`Z_ADDREF(gen_execute_data->This);`
`4540`	`4540`	`}`