Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3: Fix GH-17246: GC during SCCP causes segfault
2026-03-24 08:12:21 +01:00 · 2024-12-24 14:23:33 +01:00
parent d1ed8beb2f df6db27580
commit e45fdd2f89
4 changed files with 51 additions and 0 deletions
--- a/1
+++ b/1
@@ -64,6 +64,7 @@ PHP                                                                        NEWS
    ZEND_FETCH_DIM_FUNC_ARG). (nielsdos, Dmitry)
  . Fixed bug GH-17151 (Incorrect RC inference of op1 of FETCH_OBJ and
    INIT_METHOD_CALL). (Dmitry, ilutov)
+  . Fixed bug GH-17246 (GC during SCCP causes segfault). (Dmitry)

 - PCNTL:
  . Fix memory leak in cleanup code of pcntl_exec() when a non stringable
--- a/ext/opcache/ZendAccelerator.c
+++ b/ext/opcache/ZendAccelerator.c
@@ -2164,7 +2164,10 @@ zend_op_array *persistent_compile_file(zend_file_handle *file_handle, int type)
 		 */
 		from_shared_memory = false;
 		if (persistent_script) {
+			/* See GH-17246: we disable GC so that user code cannot be executed during the optimizer run. */
+			bool orig_gc_state = gc_enable(false);
 			persistent_script = cache_script_in_shared_memory(persistent_script, key, &from_shared_memory);
+			gc_enable(orig_gc_state);
 		}

 		/* Caching is disabled, returning op_array;
--- a/ext/opcache/tests/jit/gh17246.inc
+++ b/ext/opcache/tests/jit/gh17246.inc
@@ -0,0 +1,8 @@
+<?php
+
+// Need to cause a trace exit, so extend non existent class
+class MyXSLTProcessor extends NonExistentClass {
+    public function registerCycle() {
+        [[$this]]; // Non trivial array
+    }
+}
--- a/ext/opcache/tests/jit/gh17246.phpt
+++ b/ext/opcache/tests/jit/gh17246.phpt
@@ -0,0 +1,39 @@
+--TEST--
+GH-17246 (Nested shm protections cause segfault)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.protect_memory=1
+opcache.jit_buffer_size=32M
+opcache.jit=1254
+--FILE--
+<?php
+
+class Test
+{
+    private $field;
+
+    public function __construct()
+    {
+        $this->field = function() {};
+    }
+
+    public function __destruct()
+    {
+        // Necessary because we need to invoke tracing JIT during destruction
+    }
+}
+
+for ($i = 0; $i < 10000; ++$i) {
+    $obj = new Test();
+}
+
+require __DIR__.'/gh17246.inc';
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Class "NonExistentClass" not found in %s:%d
+Stack trace:
+#0 %s(%d): require()
+#1 {main}
+  thrown in %s on line %d