Fix GH-21639: Protect frameless call args

prateekbhujel · prateekbhujel · commit 15ec47bef2fd · 2026-04-21T03:49:36.000+05:45
diff --git a/Zend/tests/gh21639.phpt b/Zend/tests/gh21639.phpt
@@ -0,0 +1,115 @@
+--TEST--
+GH-21639: Frameless calls keep volatile arguments alive
+--FILE--
+<?php
+class ImplodeElement {
+    public function __toString(): string {
+        global $separator, $pieces;
+
+        $separator = null;
+        $pieces = null;
+
+        return "C";
+    }
+}
+
+$separator = str_repeat(",", 1) . " ";
+$pieces = [new ImplodeElement(), 42];
+
+var_dump(implode($separator, $pieces));
+var_dump($separator, $pieces);
+
+class MutatingSeparator {
+    public function __toString(): string {
+        global $piecesFromSeparator;
+
+        $piecesFromSeparator = null;
+
+        return ", ";
+    }
+}
+
+$piecesFromSeparator = ["A", "B"];
+
+var_dump(implode(new MutatingSeparator(), $piecesFromSeparator));
+var_dump($piecesFromSeparator);
+
+class ImplodeElementWithoutSeparator {
+    public function __toString(): string {
+        global $oneArgPieces;
+
+        $oneArgPieces = null;
+
+        return "D";
+    }
+}
+
+$oneArgPieces = [new ImplodeElementWithoutSeparator(), 42];
+
+var_dump(implode($oneArgPieces));
+var_dump($oneArgPieces);
+
+class InArrayNeedle {
+    public function __toString(): string {
+        global $inArrayHaystack;
+
+        $inArrayHaystack = null;
+
+        return "needle";
+    }
+}
+
+$inArrayHaystack = [new InArrayNeedle()];
+
+var_dump(in_array("needle", $inArrayHaystack));
+var_dump($inArrayHaystack);
+
+class StrtrReplacement {
+    public function __toString(): string {
+        global $strtrReplacements;
+
+        $strtrReplacements = null;
+
+        return "b";
+    }
+}
+
+$strtrReplacements = ["a" => new StrtrReplacement()];
+
+var_dump(strtr("a", $strtrReplacements));
+var_dump($strtrReplacements);
+
+class StrReplaceSubject {
+    public function __toString(): string {
+        global $strReplaceSubject;
+
+        $strReplaceSubject = null;
+
+        return "a";
+    }
+}
+
+$strReplaceSubject = [new StrReplaceSubject(), "aa"];
+
+var_dump(str_replace("a", "b", $strReplaceSubject));
+var_dump($strReplaceSubject);
+?>
+--EXPECT--
+string(5) "C, 42"
+NULL
+NULL
+string(4) "A, B"
+NULL
+string(3) "D42"
+NULL
+bool(true)
+NULL
+string(1) "b"
+NULL
+array(2) {
+  [0]=>
+  string(1) "b"
+  [1]=>
+  string(2) "bb"
+}
+NULL
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -1582,15 +1582,20 @@ static zend_never_inline void zend_assign_to_object_dim(zend_object *obj, zval *
 	}
 }
 
-static void frameless_observed_call_copy(zend_execute_data *call, uint32_t arg, zval *zv)
+static zend_always_inline void zend_frameless_copy_arg(zval *dst, zval *src)
 {
-	if (Z_ISUNDEF_P(zv)) {
-		ZVAL_NULL(ZEND_CALL_VAR_NUM(call, arg));
+	if (Z_ISUNDEF_P(src)) {
+		ZVAL_NULL(dst);
 	} else {
-		ZVAL_COPY_DEREF(ZEND_CALL_VAR_NUM(call, arg), zv);
+		ZVAL_COPY_DEREF(dst, src);
 	}
 }
 
+static void frameless_observed_call_copy(zend_execute_data *call, uint32_t arg, zval *zv)
+{
+	zend_frameless_copy_arg(ZEND_CALL_VAR_NUM(call, arg), zv);
+}
+
 ZEND_API void zend_frameless_observed_call(zend_execute_data *execute_data)
 {
 	const zend_op *opline = EX(opline);
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -9712,8 +9712,11 @@ ZEND_VM_HANDLER(205, ZEND_FRAMELESS_ICALL_1, ANY, UNUSED, SPEC(OBSERVER))
 	} else
 #endif
 	{
+		zval arg1_copy;
 		zend_frameless_function_1 function = (zend_frameless_function_1)ZEND_FLF_HANDLER(opline);
-		function(result, arg1);
+		zend_frameless_copy_arg(&arg1_copy, arg1);
+		function(result, &arg1_copy);
+		zval_ptr_dtor_nogc(&arg1_copy);
 	}
 	FREE_OP1();
 	ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
@@ -9740,8 +9743,13 @@ ZEND_VM_HANDLER(206, ZEND_FRAMELESS_ICALL_2, ANY, ANY, SPEC(OBSERVER))
 	} else
 #endif
 	{
+		zval arg1_copy, arg2_copy;
 		zend_frameless_function_2 function = (zend_frameless_function_2)ZEND_FLF_HANDLER(opline);
-		function(result, arg1, arg2);
+		zend_frameless_copy_arg(&arg1_copy, arg1);
+		zend_frameless_copy_arg(&arg2_copy, arg2);
+		function(result, &arg1_copy, &arg2_copy);
+		zval_ptr_dtor_nogc(&arg1_copy);
+		zval_ptr_dtor_nogc(&arg2_copy);
 	}
 
 	FREE_OP1();
@@ -9776,8 +9784,15 @@ ZEND_VM_HANDLER(207, ZEND_FRAMELESS_ICALL_3, ANY, ANY, SPEC(OBSERVER))
 	} else
 #endif
 	{
+		zval arg1_copy, arg2_copy, arg3_copy;
 		zend_frameless_function_3 function = (zend_frameless_function_3)ZEND_FLF_HANDLER(opline);
-		function(result, arg1, arg2, arg3);
+		zend_frameless_copy_arg(&arg1_copy, arg1);
+		zend_frameless_copy_arg(&arg2_copy, arg2);
+		zend_frameless_copy_arg(&arg3_copy, arg3);
+		function(result, &arg1_copy, &arg2_copy, &arg3_copy);
+		zval_ptr_dtor_nogc(&arg1_copy);
+		zval_ptr_dtor_nogc(&arg2_copy);
+		zval_ptr_dtor_nogc(&arg3_copy);
 	}
 
 	FREE_OP1();
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
diff --git a/ext/pcre/tests/gh21639.phpt b/ext/pcre/tests/gh21639.phpt
@@ -0,0 +1,29 @@
+--TEST--
+GH-21639: Frameless preg_replace keeps volatile arguments alive
+--EXTENSIONS--
+pcre
+--FILE--
+<?php
+class PregReplaceSubject {
+    public function __toString(): string {
+        global $pregReplaceSubject;
+
+        $pregReplaceSubject = null;
+
+        return "a";
+    }
+}
+
+$pregReplaceSubject = [new PregReplaceSubject(), "aa"];
+
+var_dump(preg_replace("/a/", "b", $pregReplaceSubject));
+var_dump($pregReplaceSubject);
+?>
+--EXPECT--
+array(2) {
+  [0]=>
+  string(1) "b"
+  [1]=>
+  string(2) "bb"
+}
+NULL

Original file line number	Diff line number	Diff line change
`@@ -1582,15 +1582,20 @@ static zend_never_inline void zend_assign_to_object_dim(zend_object obj, zval `
`1582`	`1582`	`}`
`1583`	`1583`	`}`
`1584`	`1584`
`1585`		`-static void frameless_observed_call_copy(zend_execute_data call, uint32_t arg, zval zv)`
	`1585`	`+static zend_always_inline void zend_frameless_copy_arg(zval dst, zval src)`
`1586`	`1586`	`{`
`1587`		`- if (Z_ISUNDEF_P(zv)) {`
`1588`		`- ZVAL_NULL(ZEND_CALL_VAR_NUM(call, arg));`
	`1587`	`+ if (Z_ISUNDEF_P(src)) {`
	`1588`	`+ ZVAL_NULL(dst);`
`1589`	`1589`	`} else {`
`1590`		`- ZVAL_COPY_DEREF(ZEND_CALL_VAR_NUM(call, arg), zv);`
	`1590`	`+ ZVAL_COPY_DEREF(dst, src);`
`1591`	`1591`	`}`
`1592`	`1592`	`}`
`1593`	`1593`
	`1594`	`+static void frameless_observed_call_copy(zend_execute_data call, uint32_t arg, zval zv)`
	`1595`	`+{`
	`1596`	`+ zend_frameless_copy_arg(ZEND_CALL_VAR_NUM(call, arg), zv);`
	`1597`	`+}`
	`1598`	`+`
`1594`	`1599`	`ZEND_API void zend_frameless_observed_call(zend_execute_data *execute_data)`
`1595`	`1600`	`{`
`1596`	`1601`	`const zend_op *opline = EX(opline);`