Patch bug62991.patch for Reproducible crash Bug #62991

Patch version 2012-09-02 09:54 UTC

Obsoleted by patches:

• bug62991.patch, revision 2012-09-02 09:58 UTC
• bug62991.patch, revision 2012-09-02 11:45 UTC
• bug62991.patch, revision 2012-09-04 06:56 UTC

• 2012-09-04 06:56 UTC [diff to current]
• 2012-09-02 11:45 UTC [diff to current]
• 2012-09-02 09:58 UTC [diff to current]
• 2012-09-02 09:54 UTC [diff to current]

Developer: laruence@php.net

diff --git a/Zend/zend_closures.c b/Zend/zend_closures.c
index c7527b4..bfc9857 100644
--- a/Zend/zend_closures.c
+++ b/Zend/zend_closures.c
@@ -36,7 +36,7 @@
 
 typedef struct _zend_closure {
 	zend_object    std;
-	zend_function  func;
+	zend_function *func;
 	zval          *this_ptr;
 	HashTable     *debug_info;
 } zend_closure;
@@ -90,7 +90,7 @@ ZEND_METHOD(Closure, bind)
 
 	closure = (zend_closure *)zend_object_store_get_object(zclosure TSRMLS_CC);	
 
-	if ((newthis != NULL) && (closure->func.common.fn_flags & ZEND_ACC_STATIC)) {
+	if ((newthis != NULL) && (closure->func->common.fn_flags & ZEND_ACC_STATIC)) {
 		zend_error(E_WARNING, "Cannot bind an instance to a static closure");
 	}
 
@@ -118,7 +118,7 @@ ZEND_METHOD(Closure, bind)
 
 			if ((class_name_len == sizeof("static") - 1) &&
 				(memcmp("static", class_name, sizeof("static") - 1) == 0)) {
-				ce = closure->func.common.scope;
+				ce = closure->func->common.scope;
 			}
 			else if (zend_lookup_class_ex(class_name, class_name_len, NULL, 1, &ce_p TSRMLS_CC) == FAILURE) {
 				zend_error(E_WARNING, "Class '%s' not found", class_name);
@@ -130,10 +130,10 @@ ZEND_METHOD(Closure, bind)
 			zval_dtor(&tmp_zval);
 		}
 	} else { /* scope argument not given; do not change the scope by default */
-		ce = closure->func.common.scope;
+		ce = closure->func->common.scope;
 	}
 
-	zend_create_closure(return_value, &closure->func, ce, newthis TSRMLS_CC);
+	zend_create_closure(return_value, closure->func, ce, newthis TSRMLS_CC);
 }
 /* }}} */
 
@@ -155,9 +155,9 @@ ZEND_API zend_function *zend_get_closure_invoke_method(zval *obj TSRMLS_DC) /* {
 	zend_closure *closure = (zend_closure *)zend_object_store_get_object(obj TSRMLS_CC);	
 	zend_function *invoke = (zend_function*)emalloc(sizeof(zend_function));
 
-	invoke->common = closure->func.common;
+	invoke->common = closure->func->common;
 	invoke->type = ZEND_INTERNAL_FUNCTION;
-	invoke->internal_function.fn_flags = ZEND_ACC_PUBLIC | ZEND_ACC_CALL_VIA_HANDLER | (closure->func.common.fn_flags & ZEND_ACC_RETURN_REFERENCE);
+	invoke->internal_function.fn_flags = ZEND_ACC_PUBLIC | ZEND_ACC_CALL_VIA_HANDLER | (closure->func->common.fn_flags & ZEND_ACC_RETURN_REFERENCE);
 	invoke->internal_function.handler = ZEND_MN(Closure___invoke);
 	invoke->internal_function.module = 0;
 	invoke->internal_function.scope = zend_ce_closure;
@@ -169,7 +169,7 @@ ZEND_API zend_function *zend_get_closure_invoke_method(zval *obj TSRMLS_DC) /* {
 ZEND_API const zend_function *zend_get_closure_method_def(zval *obj TSRMLS_DC) /* {{{ */
 {
 	zend_closure *closure = (zend_closure *)zend_object_store_get_object(obj TSRMLS_CC);	
-	return &closure->func;
+	return closure->func;
 }
 /* }}} */
 
@@ -240,15 +240,18 @@ static void zend_closure_free_storage(void *object TSRMLS_DC) /* {{{ */
 
 	zend_object_std_dtor(&closure->std TSRMLS_CC);
 
-	if (closure->func.type == ZEND_USER_FUNCTION) {
+	if (closure->func->type == ZEND_USER_FUNCTION) {
 		zend_execute_data *ex = EG(current_execute_data);
 		while (ex) {
-			if (ex->op_array == &closure->func.op_array) {
+			if (ex->op_array == &closure->func->op_array) {
 				zend_error(E_ERROR, "Cannot destroy active lambda function");
 			}
 			ex = ex->prev_execute_data;
 		}
-		destroy_op_array(&closure->func.op_array TSRMLS_CC);
+        if (!(closure->func->common.fn_flags & ZEND_ACC_GENERATOR)) {
+            destroy_op_array(&closure->func->op_array TSRMLS_CC);
+            efree(closure->func);
+        }
 	}
 
 	if (closure->debug_info != NULL) {
@@ -286,12 +289,11 @@ static zend_object_value zend_closure_clone(zval *zobject TSRMLS_DC) /* {{{ */
 	zend_closure *closure = (zend_closure *)zend_object_store_get_object(zobject TSRMLS_CC);
 	zval result;
 
-	zend_create_closure(&result, &closure->func, closure->func.common.scope, closure->this_ptr TSRMLS_CC);
+	zend_create_closure(&result, closure->func, closure->func->common.scope, closure->this_ptr TSRMLS_CC);
 	return Z_OBJVAL(result);
 }
 /* }}} */
 
-
 int zend_closure_get_closure(zval *obj, zend_class_entry **ce_ptr, zend_function **fptr_ptr, zval **zobj_ptr TSRMLS_DC) /* {{{ */
 {
 	zend_closure *closure;
@@ -301,7 +303,7 @@ int zend_closure_get_closure(zval *obj, zend_class_entry **ce_ptr, zend_function
 	}
 
 	closure = (zend_closure *)zend_object_store_get_object(obj TSRMLS_CC);
-	*fptr_ptr = &closure->func;
+	*fptr_ptr = closure->func;
 
 	if (closure->this_ptr) {
 		if (zobj_ptr) {
@@ -312,7 +314,7 @@ int zend_closure_get_closure(zval *obj, zend_class_entry **ce_ptr, zend_function
 		if (zobj_ptr) {
 			*zobj_ptr = NULL;
 		}
-		*ce_ptr = closure->func.common.scope;
+		*ce_ptr = closure->func->common.scope;
 	}
 	return SUCCESS;
 }
@@ -322,7 +324,7 @@ static HashTable *zend_closure_get_debug_info(zval *object, int *is_temp TSRMLS_
 {
 	zend_closure *closure = (zend_closure *)zend_object_store_get_object(object TSRMLS_CC);
 	zval *val;
-	struct _zend_arg_info *arg_info = closure->func.common.arg_info;
+	struct _zend_arg_info *arg_info = closure->func->common.arg_info;
 
 	*is_temp = 0;
 
@@ -331,8 +333,8 @@ static HashTable *zend_closure_get_debug_info(zval *object, int *is_temp TSRMLS_
 		zend_hash_init(closure->debug_info, 1, NULL, ZVAL_PTR_DTOR, 0);
 	}
 	if (closure->debug_info->nApplyCount == 0) {
-		if (closure->func.type == ZEND_USER_FUNCTION && closure->func.op_array.static_variables) {
-			HashTable *static_variables = closure->func.op_array.static_variables;
+		if (closure->func->type == ZEND_USER_FUNCTION && closure->func->op_array.static_variables) {
+			HashTable *static_variables = closure->func->op_array.static_variables;
 			MAKE_STD_ZVAL(val);
 			array_init(val);
 			zend_hash_copy(Z_ARRVAL_P(val), static_variables, (copy_ctor_func_t)zval_add_ref, NULL, sizeof(zval*));
@@ -345,12 +347,12 @@ static HashTable *zend_closure_get_debug_info(zval *object, int *is_temp TSRMLS_
 		}
 
 		if (arg_info) {
-			zend_uint i, required = closure->func.common.required_num_args;
+			zend_uint i, required = closure->func->common.required_num_args;
 
 			MAKE_STD_ZVAL(val);
 			array_init(val);
 
-			for (i = 0; i < closure->func.common.num_args; i++) {
+			for (i = 0; i < closure->func->common.num_args; i++) {
 				char *name, *info;
 				int name_len, info_len;
 				if (arg_info->name) {
@@ -382,8 +384,8 @@ static HashTable *zend_closure_get_gc(zval *obj, zval ***table, int *n TSRMLS_DC
 
 	*table = closure->this_ptr ? &closure->this_ptr : NULL;
 	*n = closure->this_ptr ? 1 : 0;
-	return (closure->func.type == ZEND_USER_FUNCTION) ?
-		closure->func.op_array.static_variables : NULL;
+	return (closure->func->type == ZEND_USER_FUNCTION) ?
+		closure->func->op_array.static_variables : NULL;
 }
 /* }}} */
 
@@ -448,8 +450,9 @@ ZEND_API void zend_create_closure(zval *res, zend_function *func, zend_class_ent
 
 	closure = (zend_closure *)zend_object_store_get_object(res TSRMLS_CC);
 
-	closure->func = *func;
-	closure->func.common.prototype = NULL;
+	closure->func = emalloc(sizeof(zend_function));
+    *closure->func = *func;
+	closure->func->common.prototype = NULL;
 
 	if ((scope == NULL) && (this_ptr != NULL)) {
 		/* use dummy scope if we're binding an object without specifying a scope */
@@ -457,16 +460,16 @@ ZEND_API void zend_create_closure(zval *res, zend_function *func, zend_class_ent
 		scope = zend_ce_closure;
 	}
 
-	if (closure->func.type == ZEND_USER_FUNCTION) {
-		if (closure->func.op_array.static_variables) {
-			HashTable *static_variables = closure->func.op_array.static_variables;
+	if (closure->func->type == ZEND_USER_FUNCTION) {
+		if (closure->func->op_array.static_variables) {
+			HashTable *static_variables = closure->func->op_array.static_variables;
 
-			ALLOC_HASHTABLE(closure->func.op_array.static_variables);
-			zend_hash_init(closure->func.op_array.static_variables, zend_hash_num_elements(static_variables), NULL, ZVAL_PTR_DTOR, 0);
-			zend_hash_apply_with_arguments(static_variables TSRMLS_CC, (apply_func_args_t)zval_copy_static_var, 1, closure->func.op_array.static_variables);
+			ALLOC_HASHTABLE(closure->func->op_array.static_variables);
+			zend_hash_init(closure->func->op_array.static_variables, zend_hash_num_elements(static_variables), NULL, ZVAL_PTR_DTOR, 0);
+			zend_hash_apply_with_arguments(static_variables TSRMLS_CC, (apply_func_args_t)zval_copy_static_var, 1, closure->func->op_array.static_variables);
 		}
-		closure->func.op_array.run_time_cache = NULL;
-		(*closure->func.op_array.refcount)++;
+		closure->func->op_array.run_time_cache = NULL;
+		(*closure->func->op_array.refcount)++;
 	} else {
 		/* verify that we aren't binding internal function to a wrong scope */
 		if(func->common.scope != NULL) {
@@ -475,7 +478,7 @@ ZEND_API void zend_create_closure(zval *res, zend_function *func, zend_class_ent
 				scope = NULL;
 			}
 			if(scope && this_ptr && (func->common.fn_flags & ZEND_ACC_STATIC) == 0 && 
-					!instanceof_function(Z_OBJCE_P(this_ptr), closure->func.common.scope TSRMLS_CC)) {
+					!instanceof_function(Z_OBJCE_P(this_ptr), closure->func->common.scope TSRMLS_CC)) {
 				zend_error(E_WARNING, "Cannot bind function %s::%s to object of class %s", func->common.scope->name, func->common.function_name, Z_OBJCE_P(this_ptr)->name);
 				scope = NULL;
 				this_ptr = NULL;
@@ -490,14 +493,14 @@ ZEND_API void zend_create_closure(zval *res, zend_function *func, zend_class_ent
 	/* Invariants:
 	 * If the closure is unscoped, it has no bound object.
 	 * The the closure is scoped, it's either static or it's bound */
-	closure->func.common.scope = scope;
+	closure->func->common.scope = scope;
 	if (scope) {
-		closure->func.common.fn_flags |= ZEND_ACC_PUBLIC;
-		if (this_ptr && (closure->func.common.fn_flags & ZEND_ACC_STATIC) == 0) {
+		closure->func->common.fn_flags |= ZEND_ACC_PUBLIC;
+		if (this_ptr && (closure->func->common.fn_flags & ZEND_ACC_STATIC) == 0) {
 			closure->this_ptr = this_ptr;
 			Z_ADDREF_P(this_ptr);
 		} else {
-			closure->func.common.fn_flags |= ZEND_ACC_STATIC;
+			closure->func->common.fn_flags |= ZEND_ACC_STATIC;
 			closure->this_ptr = NULL;
 		}
 	} else {
diff --git a/Zend/zend_generators.c b/Zend/zend_generators.c
index c22d745..bcd19b2 100644
--- a/Zend/zend_generators.c
+++ b/Zend/zend_generators.c
@@ -154,6 +154,10 @@ void zend_generator_close(zend_generator *generator, zend_bool finished_executio
 			efree(prev_execute_data);
 		}
 
+        if (execute_data->op_array->fn_flags & ZEND_ACC_CLOSURE) {
+            destroy_op_array(execute_data->op_array);
+            efree(execute_data->op_array);
+        }
 		efree(execute_data);
 		generator->execute_data = NULL;
 	}