ext/pdo: Convert def_stmt_ctor_args field from zval to Hashtable pointer

Author: Girgias

ext/pdo/pdo_dbh.c

@@ -434,11 +434,9 @@ PHP_METHOD(PDO, __construct)
 }
 /* }}} */
 
-static zval *pdo_stmt_instantiate(pdo_dbh_t *dbh, zval *object, zend_class_entry *dbstmt_ce, zval *ctor_args) /* {{{ */
+static zval *pdo_stmt_instantiate(pdo_dbh_t *dbh, zval *object, zend_class_entry *dbstmt_ce, const HashTable *ctor_args) /* {{{ */
 {
-	if (!Z_ISUNDEF_P(ctor_args)) {
-		/* This implies an error within PDO if this does not hold */
-		ZEND_ASSERT(Z_TYPE_P(ctor_args) == IS_ARRAY);
+	if (ctor_args) {
 		if (!dbstmt_ce->constructor) {
 			zend_throw_error(NULL, "User-supplied statement does not accept constructor arguments");
 			return NULL;
@@ -475,8 +473,9 @@ PHP_METHOD(PDO, prepare)
 {
 	pdo_stmt_t *stmt;
 	zend_string *statement;
-	zval *options = NULL, *value, *item, ctor_args;
+	zval *options = NULL, *value, *item;
 	zend_class_entry *dbstmt_ce, *pce;
+	/* const */ HashTable *ctor_args = NULL;
 	pdo_dbh_object_t *dbh_obj = Z_PDO_OBJECT_P(ZEND_THIS);
 	pdo_dbh_t *dbh = dbh_obj->inner;
 
@@ -525,16 +524,14 @@ PHP_METHOD(PDO, prepare)
 					zend_zval_value_name(value));
 				RETURN_THROWS();
 			}
-			ZVAL_COPY_VALUE(&ctor_args, item);
-		} else {
-			ZVAL_UNDEF(&ctor_args);
+			ctor_args = Z_ARRVAL_P(item);
 		}
 	} else {
 		dbstmt_ce = dbh->def_stmt_ce;
-		ZVAL_COPY_VALUE(&ctor_args, &dbh->def_stmt_ctor_args);
+		ctor_args = dbh->def_stmt_ctor_args;
 	}
 
-	if (!pdo_stmt_instantiate(dbh, return_value, dbstmt_ce, &ctor_args)) {
+	if (!pdo_stmt_instantiate(dbh, return_value, dbstmt_ce, ctor_args)) {
 		RETURN_THROWS();
 	}
 	stmt = Z_PDO_STMT_P(return_value);
@@ -549,11 +546,7 @@ PHP_METHOD(PDO, prepare)
 	ZVAL_UNDEF(&stmt->lazy_object_ref);
 
 	if (dbh->methods->preparer(dbh, statement, stmt, options)) {
-		if (Z_TYPE(ctor_args) == IS_ARRAY) {
-			pdo_stmt_construct(stmt, return_value, dbstmt_ce, Z_ARRVAL(ctor_args));
-		} else {
-			pdo_stmt_construct(stmt, return_value, dbstmt_ce, /* ctor_args */ NULL);
-		}
+		pdo_stmt_construct(stmt, return_value, dbstmt_ce, ctor_args);
 		return;
 	}
 
@@ -817,17 +810,19 @@ static bool pdo_dbh_attribute_set(pdo_dbh_t *dbh, zend_long attr, zval *value) /
 				return false;
 			}
 			dbh->def_stmt_ce = pce;
-			if (!Z_ISUNDEF(dbh->def_stmt_ctor_args)) {
-				zval_ptr_dtor(&dbh->def_stmt_ctor_args);
-				ZVAL_UNDEF(&dbh->def_stmt_ctor_args);
+			if (dbh->def_stmt_ctor_args) {
+				zend_array_release(dbh->def_stmt_ctor_args);
+				dbh->def_stmt_ctor_args = NULL;
 			}
 			if ((item = zend_hash_index_find(Z_ARRVAL_P(value), 1)) != NULL) {
 				if (Z_TYPE_P(item) != IS_ARRAY) {
 					zend_type_error("PDO::ATTR_STATEMENT_CLASS constructor_args must be of type ?array, %s given",
 						zend_zval_value_name(value));
 					return false;
 				}
-				ZVAL_COPY(&dbh->def_stmt_ctor_args, item);
+				dbh->def_stmt_ctor_args = Z_ARRVAL_P(item);
+				/* Increase refcount */
+				GC_TRY_ADDREF(dbh->def_stmt_ctor_args);
 			}
 			return true;
 		}
@@ -906,9 +901,10 @@ PHP_METHOD(PDO, getAttribute)
 		case PDO_ATTR_STATEMENT_CLASS:
 			array_init(return_value);
 			add_next_index_str(return_value, zend_string_copy(dbh->def_stmt_ce->name));
-			if (!Z_ISUNDEF(dbh->def_stmt_ctor_args)) {
-				Z_TRY_ADDREF(dbh->def_stmt_ctor_args);
-				add_next_index_zval(return_value, &dbh->def_stmt_ctor_args);
+			if (dbh->def_stmt_ctor_args) {
+				/* Increment refcount of constructor arguments */
+				GC_TRY_ADDREF(dbh->def_stmt_ctor_args);
+				add_next_index_array(return_value, dbh->def_stmt_ctor_args);
 			}
 			return;
 		case PDO_ATTR_DEFAULT_FETCH_MODE:
@@ -1093,7 +1089,7 @@ PHP_METHOD(PDO, query)
 
 	PDO_DBH_CLEAR_ERR();
 
-	if (!pdo_stmt_instantiate(dbh, return_value, dbh->def_stmt_ce, &dbh->def_stmt_ctor_args)) {
+	if (!pdo_stmt_instantiate(dbh, return_value, dbh->def_stmt_ce, dbh->def_stmt_ctor_args)) {
 		RETURN_THROWS();
 	}
 	stmt = Z_PDO_STMT_P(return_value);
@@ -1122,11 +1118,7 @@ PHP_METHOD(PDO, query)
 					stmt->executed = 1;
 				}
 				if (ret) {
-					if (Z_TYPE(dbh->def_stmt_ctor_args) == IS_ARRAY) {
-						pdo_stmt_construct(stmt, return_value, dbh->def_stmt_ce, Z_ARRVAL(dbh->def_stmt_ctor_args));
-					} else {
-						pdo_stmt_construct(stmt, return_value, dbh->def_stmt_ce, /* ctor_args */ NULL);
-					}
+					pdo_stmt_construct(stmt, return_value, dbh->def_stmt_ce, dbh->def_stmt_ctor_args);
 					return;
 				}
 			}
@@ -1320,7 +1312,9 @@ static HashTable *dbh_get_gc(zend_object *object, zval **gc_data, int *gc_count)
 {
 	pdo_dbh_t *dbh = php_pdo_dbh_fetch_inner(object);
 	zend_get_gc_buffer *gc_buffer = zend_get_gc_buffer_create();
-	zend_get_gc_buffer_add_zval(gc_buffer, &dbh->def_stmt_ctor_args);
+	if (dbh->def_stmt_ctor_args) {
+		zend_get_gc_buffer_add_ht(gc_buffer, dbh->def_stmt_ctor_args);
+	}
 	if (dbh->methods && dbh->methods->get_gc) {
 		dbh->methods->get_gc(dbh, gc_buffer);
 	}
@@ -1382,8 +1376,18 @@ static void dbh_free(pdo_dbh_t *dbh, bool free_persistent)
 		pefree((char *)dbh->persistent_id, dbh->is_persistent);
 	}
 
-	if (!Z_ISUNDEF(dbh->def_stmt_ctor_args)) {
-		zval_ptr_dtor(&dbh->def_stmt_ctor_args);
+	/* When the GC is running, the ctor_args will be added to the GC buffer marked to be released.
+	 * However, before freeing the buffer, it will release the object by calling zend_objects_store_del()
+	 * which calls pdo_dbh_free_storage() which in turn calls this function.
+	 * Thus we must not free the ctor_args when the GC is running. */
+	if (dbh->def_stmt_ctor_args) {
+		zend_gc_status gc_status;
+		zend_gc_get_status(&gc_status);
+
+		if (EXPECTED(!gc_status.active)) {
+			zend_array_release(dbh->def_stmt_ctor_args);
+			dbh->def_stmt_ctor_args = NULL;
+		}
 	}
 
 	for (i = 0; i < PDO_DBH_DRIVER_METHOD_KIND__MAX; i++) {
@@ -1413,6 +1417,7 @@ static void pdo_dbh_free_storage(zend_object *std)
 	if (dbh->is_persistent && dbh->methods && dbh->methods->persistent_shutdown) {
 		dbh->methods->persistent_shutdown(dbh);
 	}
+
 	zend_object_std_dtor(std);
 	dbh_free(dbh, 0);
 }
@@ -1427,6 +1432,7 @@ zend_object *pdo_dbh_new(zend_class_entry *ce)
 	rebuild_object_properties(&dbh->std);
 	dbh->inner = ecalloc(1, sizeof(pdo_dbh_t));
 	dbh->inner->def_stmt_ce = pdo_dbstmt_ce;
+	dbh->inner->def_stmt_ctor_args = NULL;
 
 	return &dbh->std;
 }

ext/pdo/php_pdo_driver.h

@@ -487,7 +487,7 @@ struct _pdo_dbh_t {
 
 	zend_class_entry *def_stmt_ce;
 
-	zval def_stmt_ctor_args;
+	HashTable *def_stmt_ctor_args;
 
 	/* when calling PDO::query(), we need to keep the error
 	 * context from the statement around until we next clear it.

ext/pdo/tests/pdo_ATTR_STATEMENT_CLASS_ctor_arg_gc.phpt

@@ -0,0 +1,47 @@
+--TEST--
+PDO: Set PDOStatement class with ctor_args that are freed with GC intervention
+--EXTENSIONS--
+pdo
+--SKIPIF--
+<?php
+$dir = getenv('REDIR_TEST_DIR');
+if (false == $dir) die('skip no driver');
+require_once $dir . 'pdo_test.inc';
+PDOTest::skip();
+?>
+--FILE--
+<?php
+if (getenv('REDIR_TEST_DIR') === false) putenv('REDIR_TEST_DIR='.__DIR__ . '/../../pdo/tests/');
+require_once getenv('REDIR_TEST_DIR') . 'pdo_test.inc';
+
+class Foo extends PDOStatement {
+    private function __construct($v) {
+        var_dump($v);
+    }
+}
+
+class Bar extends PDO {
+    public $statementClass = 'Foo';
+    function __construct($dsn, $username, $password, $driver_options = []) {
+        $driver_options[PDO::ATTR_ERRMODE] = PDO::ERRMODE_EXCEPTION;
+        parent::__construct($dsn, $username, $password, $driver_options);
+
+        $this->setAttribute(PDO::ATTR_STATEMENT_CLASS, [$this->statementClass, [$this]]);
+    }
+}
+
+$db = PDOTest::factory(Bar::class);
+
+$stmt = $db->query('SELECT 1');
+var_dump($stmt);
+
+?>
+--EXPECT--
+object(Bar)#1 (1) {
+  ["statementClass"]=>
+  string(3) "Foo"
+}
+object(Foo)#2 (1) {
+  ["queryString"]=>
+  string(8) "SELECT 1"
+}

ext/pdo/tests/pdo_ATTR_STATEMENT_CLASS_ctor_arg_no-gc.phpt

@@ -0,0 +1,35 @@
+--TEST--
+PDO: Set PDOStatement class with ctor_args that are freed without GC intervention
+--EXTENSIONS--
+pdo
+--SKIPIF--
+<?php
+$dir = getenv('REDIR_TEST_DIR');
+if (false == $dir) die('skip no driver');
+require_once $dir . 'pdo_test.inc';
+PDOTest::skip();
+?>
+--FILE--
+<?php
+if (getenv('REDIR_TEST_DIR') === false) putenv('REDIR_TEST_DIR='.__DIR__ . '/../../pdo/tests/');
+require_once getenv('REDIR_TEST_DIR') . 'pdo_test.inc';
+
+class Foo extends PDOStatement {
+    private function __construct($v) {
+        var_dump($v);
+    }
+}
+
+$db = PDOTest::factory();
+
+$db->setAttribute(PDO::ATTR_STATEMENT_CLASS, array('Foo', ['param1']));
+$stmt = $db->query('SELECT 1');
+var_dump($stmt);
+
+?>
+--EXPECT--
+string(6) "param1"
+object(Foo)#2 (1) {
+  ["queryString"]=>
+  string(8) "SELECT 1"
+}

ext/pdo/tests/pdo_prepare_ATTR_STATEMENT_CLASS_ctor_arg_gc.phpt

@@ -0,0 +1,50 @@
+--TEST--
+PDO: Set PDOStatement class with ctor_args that are freed with GC intervention in PDO::prepare()
+--EXTENSIONS--
+pdo
+--SKIPIF--
+<?php
+$dir = getenv('REDIR_TEST_DIR');
+if (false == $dir) die('skip no driver');
+require_once $dir . 'pdo_test.inc';
+PDOTest::skip();
+?>
+--FILE--
+<?php
+if (getenv('REDIR_TEST_DIR') === false) putenv('REDIR_TEST_DIR='.__DIR__ . '/../../pdo/tests/');
+require_once getenv('REDIR_TEST_DIR') . 'pdo_test.inc';
+
+class Foo extends PDOStatement {
+    private function __construct($v) {
+        var_dump($v);
+    }
+}
+
+class Bar extends PDO {
+    public $statementClass = 'Foo';
+    function __construct($dsn, $username, $password, $driver_options = []) {
+        $driver_options[PDO::ATTR_ERRMODE] = PDO::ERRMODE_EXCEPTION;
+        parent::__construct($dsn, $username, $password, $driver_options);
+
+        $this->setAttribute(PDO::ATTR_STATEMENT_CLASS, [$this->statementClass, [$this]]);
+    }
+}
+
+$db = PDOTest::factory(Bar::class);
+
+$stmt = $db->prepare('SELECT 1');
+var_dump($stmt);
+$r = $stmt->execute();
+var_dump($r);
+
+?>
+--EXPECT--
+object(Bar)#1 (1) {
+  ["statementClass"]=>
+  string(3) "Foo"
+}
+object(Foo)#2 (1) {
+  ["queryString"]=>
+  string(8) "SELECT 1"
+}
+bool(true)

ext/pdo/tests/pdo_prepare_ATTR_STATEMENT_CLASS_ctor_arg_no-gc.phpt

@@ -0,0 +1,39 @@
+--TEST--
+PDO: Set PDOStatement class with ctor_args that are freed without GC intervention in PDO::prepare()
+--EXTENSIONS--
+pdo
+--SKIPIF--
+<?php
+$dir = getenv('REDIR_TEST_DIR');
+if (false == $dir) die('skip no driver');
+require_once $dir . 'pdo_test.inc';
+PDOTest::skip();
+?>
+--FILE--
+<?php
+if (getenv('REDIR_TEST_DIR') === false) putenv('REDIR_TEST_DIR='.__DIR__ . '/../../pdo/tests/');
+require_once getenv('REDIR_TEST_DIR') . 'pdo_test.inc';
+
+class Foo extends PDOStatement {
+    private function __construct($v) {
+        var_dump($v);
+    }
+}
+
+$db = PDOTest::factory();
+$db->setAttribute(PDO::ATTR_STATEMENT_CLASS, ['Foo', ['param1']]);
+
+//$stmt = $db->prepare('SELECT 1', [PDO::ATTR_STATEMENT_CLASS => ['Foo', ['param1']] ]);
+$stmt = $db->prepare('SELECT 1');
+var_dump($stmt);
+$r = $stmt->execute();
+var_dump($r);
+
+?>
+--EXPECT--
+string(6) "param1"
+object(Foo)#2 (1) {
+  ["queryString"]=>
+  string(8) "SELECT 1"
+}
+bool(true)