Clean up frameless reentry copies after handler return

prateekbhujel · prateekbhujel · commit 28d83f6d0f87 · 2026-04-21T22:22:20.000+05:45
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -1673,11 +1673,6 @@ ZEND_API bool zend_frameless_protect_args_for_reentry(void)
 	return true;
 }
 
-ZEND_API void zend_frameless_schedule_reentry_cleanup(void)
-{
-	zend_atomic_bool_store_ex(&EG(vm_interrupt), true);
-}
-
 static bool zend_frameless_reentry_copies_in_use(zend_frameless_reentry_copies *copies)
 {
 	for (zend_execute_data *execute_data = EG(current_execute_data);
@@ -1691,31 +1686,48 @@ static bool zend_frameless_reentry_copies_in_use(zend_frameless_reentry_copies *
 	return false;
 }
 
-static void zend_frameless_cleanup_reentry_copies_ex(bool force)
+static void zend_frameless_free_reentry_copies(zend_frameless_reentry_copies *copies)
+{
+	for (uint32_t i = 0; i < 3; i++) {
+		if (copies->copied_args & (1u << i)) {
+			zval_ptr_dtor(&copies->args[i]);
+		}
+	}
+
+	efree(copies);
+}
+
+ZEND_API void zend_frameless_cleanup_reentry_copies_for_handler(zend_execute_data *execute_data, const zend_op *opline)
 {
 	zend_frameless_reentry_copies **next = &EG(frameless_reentry_copies);
 
 	while (*next) {
 		zend_frameless_reentry_copies *copies = *next;
 
-		if (!force && zend_frameless_reentry_copies_in_use(copies)) {
+		if (copies->execute_data != execute_data || copies->opline != opline) {
 			next = &copies->prev;
 			continue;
 		}
 
 		*next = copies->prev;
+		zend_frameless_free_reentry_copies(copies);
+	}
+}
 
-		for (uint32_t i = 0; i < 3; i++) {
-			if (copies->copied_args & (1u << i)) {
-				zval_ptr_dtor(&copies->args[i]);
-			}
-		}
+static void zend_frameless_cleanup_reentry_copies_ex(bool force)
+{
+	zend_frameless_reentry_copies **next = &EG(frameless_reentry_copies);
 
-		efree(copies);
-	}
+	while (*next) {
+		zend_frameless_reentry_copies *copies = *next;
 
-	if (EG(frameless_reentry_copies)) {
-		zend_atomic_bool_store_ex(&EG(vm_interrupt), true);
+		if (!force && zend_frameless_reentry_copies_in_use(copies)) {
+			next = &copies->prev;
+			continue;
+		}
+
+		*next = copies->prev;
+		zend_frameless_free_reentry_copies(copies);
 	}
 }
 
diff --git a/Zend/zend_execute.h b/Zend/zend_execute.h
@@ -429,7 +429,7 @@ ZEND_API user_opcode_handler_t zend_get_user_opcode_handler(uint8_t opcode);
 
 ZEND_API zval *zend_get_zval_ptr(const zend_op *opline, int op_type, const znode_op *node, const zend_execute_data *execute_data);
 ZEND_API bool zend_frameless_protect_args_for_reentry(void);
-ZEND_API void zend_frameless_schedule_reentry_cleanup(void);
+ZEND_API void zend_frameless_cleanup_reentry_copies_for_handler(zend_execute_data *execute_data, const zend_op *opline);
 ZEND_API void zend_frameless_cleanup_reentry_copies(void);
 ZEND_API void zend_frameless_cleanup_reentry_copies_force(void);
 
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -2558,13 +2558,10 @@ ZEND_API zend_result zend_std_cast_object_tostring(zend_object *readobj, zval *w
 			zend_class_entry *ce = readobj->ce;
 			if (ce->__tostring) {
 				zval retval;
-				bool frameless_reentry = zend_frameless_protect_args_for_reentry();
+				zend_frameless_protect_args_for_reentry();
 				GC_ADDREF(readobj);
 				zend_call_known_instance_method_with_0_params(ce->__tostring, readobj, &retval);
 				zend_object_release(readobj);
-				if (frameless_reentry) {
-					zend_frameless_schedule_reentry_cleanup();
-				}
 				if (EXPECTED(Z_TYPE(retval) == IS_STRING)) {
 					ZVAL_COPY_VALUE(writeobj, &retval);
 					return SUCCESS;
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -9690,6 +9690,9 @@ ZEND_VM_HANDLER(204, ZEND_FRAMELESS_ICALL_0, UNUSED, UNUSED, SPEC(OBSERVER))
 		zend_frameless_function_0 function = (zend_frameless_function_0)ZEND_FLF_HANDLER(opline);
 		function(EX_VAR(opline->result.var));
 	}
+	if (UNEXPECTED(EG(frameless_reentry_copies))) {
+		zend_frameless_cleanup_reentry_copies_for_handler(execute_data, opline);
+	}
 	ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
 }
 
@@ -9715,6 +9718,9 @@ ZEND_VM_HANDLER(205, ZEND_FRAMELESS_ICALL_1, ANY, UNUSED, SPEC(OBSERVER))
 		zend_frameless_function_1 function = (zend_frameless_function_1)ZEND_FLF_HANDLER(opline);
 		function(result, arg1);
 	}
+	if (UNEXPECTED(EG(frameless_reentry_copies))) {
+		zend_frameless_cleanup_reentry_copies_for_handler(execute_data, opline);
+	}
 	FREE_OP1();
 	ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
 }
@@ -9743,6 +9749,9 @@ ZEND_VM_HANDLER(206, ZEND_FRAMELESS_ICALL_2, ANY, ANY, SPEC(OBSERVER))
 		zend_frameless_function_2 function = (zend_frameless_function_2)ZEND_FLF_HANDLER(opline);
 		function(result, arg1, arg2);
 	}
+	if (UNEXPECTED(EG(frameless_reentry_copies))) {
+		zend_frameless_cleanup_reentry_copies_for_handler(execute_data, opline);
+	}
 
 	FREE_OP1();
 	/* Set OP1 to UNDEF in case FREE_OP2() throws. */
@@ -9779,6 +9788,9 @@ ZEND_VM_HANDLER(207, ZEND_FRAMELESS_ICALL_3, ANY, ANY, SPEC(OBSERVER))
 		zend_frameless_function_3 function = (zend_frameless_function_3)ZEND_FLF_HANDLER(opline);
 		function(result, arg1, arg2, arg3);
 	}
+	if (UNEXPECTED(EG(frameless_reentry_copies))) {
+		zend_frameless_cleanup_reentry_copies_for_handler(execute_data, opline);
+	}
 
 	FREE_OP1();
 	/* Set to UNDEF in case FREE_OP2() throws. */
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
@@ -17513,6 +17513,15 @@ static ir_ref jit_frameless_observer(zend_jit_ctx *jit, const zend_op *opline) {
 	return skip;
 }
 
+static void jit_frameless_cleanup_reentry_copies(zend_jit_ctx *jit, const zend_op *opline)
+{
+	ir_ref if_copies = ir_IF(ir_LOAD_A(jit_EG(frameless_reentry_copies)));
+	ir_IF_TRUE_cold(if_copies);
+	ir_CALL_2(IR_VOID, ir_CONST_ADDR((size_t)zend_frameless_cleanup_reentry_copies_for_handler),
+		jit_FP(jit), ir_CONST_ADDR((size_t)opline));
+	ir_MERGE_WITH_EMPTY_FALSE(if_copies);
+}
+
 static void jit_frameless_icall0(zend_jit_ctx *jit, const zend_op *opline)
 {
 	jit_SET_EX_OPLINE(jit, opline);
@@ -17533,6 +17542,7 @@ static void jit_frameless_icall0(zend_jit_ctx *jit, const zend_op *opline)
 		ir_MERGE_WITH(skip_observer);
 	}
 
+	jit_frameless_cleanup_reentry_copies(jit, opline);
 	zend_jit_check_exception(jit);
 }
 
@@ -17572,6 +17582,7 @@ static void jit_frameless_icall1(zend_jit_ctx *jit, const zend_op *opline, uint3
 		ir_MERGE_WITH(skip_observer);
 	}
 
+	jit_frameless_cleanup_reentry_copies(jit, opline);
 	jit_FREE_OP(jit, opline->op1_type, opline->op1, op1_info, NULL);
 	zend_jit_check_exception(jit);
 }
@@ -17626,6 +17637,7 @@ static void jit_frameless_icall2(zend_jit_ctx *jit, const zend_op *opline, uint3
 		ir_MERGE_WITH(skip_observer);
 	}
 
+	jit_frameless_cleanup_reentry_copies(jit, opline);
 	jit_FREE_OP(jit, opline->op1_type, opline->op1, op1_info, NULL);
 	/* Set OP1 to UNDEF in case FREE_OP2() throws. */
 	if ((opline->op1_type & (IS_VAR|IS_TMP_VAR)) != 0
@@ -17707,6 +17719,7 @@ static void jit_frameless_icall3(zend_jit_ctx *jit, const zend_op *opline, uint3
 		ir_MERGE_WITH(skip_observer);
 	}
 
+	jit_frameless_cleanup_reentry_copies(jit, opline);
 	jit_FREE_OP(jit, opline->op1_type, opline->op1, op1_info, NULL);
 	/* Set OP1 to UNDEF in case FREE_OP2() throws. */
 	bool op1_undef = false;

Original file line number	Diff line number	Diff line change
`@@ -9690,6 +9690,9 @@ ZEND_VM_HANDLER(204, ZEND_FRAMELESS_ICALL_0, UNUSED, UNUSED, SPEC(OBSERVER))`
`9690`	`9690`	`zend_frameless_function_0 function = (zend_frameless_function_0)ZEND_FLF_HANDLER(opline);`
`9691`	`9691`	`function(EX_VAR(opline->result.var));`
`9692`	`9692`	`}`
	`9693`	`+ if (UNEXPECTED(EG(frameless_reentry_copies))) {`
	`9694`	`+ zend_frameless_cleanup_reentry_copies_for_handler(execute_data, opline);`
	`9695`	`+ }`
`9693`	`9696`	`ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();`
`9694`	`9697`	`}`
`9695`	`9698`
`@@ -9715,6 +9718,9 @@ ZEND_VM_HANDLER(205, ZEND_FRAMELESS_ICALL_1, ANY, UNUSED, SPEC(OBSERVER))`
`9715`	`9718`	`zend_frameless_function_1 function = (zend_frameless_function_1)ZEND_FLF_HANDLER(opline);`
`9716`	`9719`	`function(result, arg1);`
`9717`	`9720`	`}`
	`9721`	`+ if (UNEXPECTED(EG(frameless_reentry_copies))) {`
	`9722`	`+ zend_frameless_cleanup_reentry_copies_for_handler(execute_data, opline);`
	`9723`	`+ }`
`9718`	`9724`	`FREE_OP1();`
`9719`	`9725`	`ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();`
`9720`	`9726`	`}`
`@@ -9743,6 +9749,9 @@ ZEND_VM_HANDLER(206, ZEND_FRAMELESS_ICALL_2, ANY, ANY, SPEC(OBSERVER))`
`9743`	`9749`	`zend_frameless_function_2 function = (zend_frameless_function_2)ZEND_FLF_HANDLER(opline);`
`9744`	`9750`	`function(result, arg1, arg2);`
`9745`	`9751`	`}`
	`9752`	`+ if (UNEXPECTED(EG(frameless_reentry_copies))) {`
	`9753`	`+ zend_frameless_cleanup_reentry_copies_for_handler(execute_data, opline);`
	`9754`	`+ }`
`9746`	`9755`
`9747`	`9756`	`FREE_OP1();`
`9748`	`9757`	`/* Set OP1 to UNDEF in case FREE_OP2() throws. */`
`@@ -9779,6 +9788,9 @@ ZEND_VM_HANDLER(207, ZEND_FRAMELESS_ICALL_3, ANY, ANY, SPEC(OBSERVER))`
`9779`	`9788`	`zend_frameless_function_3 function = (zend_frameless_function_3)ZEND_FLF_HANDLER(opline);`
`9780`	`9789`	`function(result, arg1, arg2, arg3);`
`9781`	`9790`	`}`
	`9791`	`+ if (UNEXPECTED(EG(frameless_reentry_copies))) {`
	`9792`	`+ zend_frameless_cleanup_reentry_copies_for_handler(execute_data, opline);`
	`9793`	`+ }`
`9782`	`9794`
`9783`	`9795`	`FREE_OP1();`
`9784`	`9796`	`/* Set to UNDEF in case FREE_OP2() throws. */`
Original file line number	Diff line number	Diff line change
`@@ -17513,6 +17513,15 @@ static ir_ref jit_frameless_observer(zend_jit_ctx jit, const zend_op opline) {`
`17513`	`17513`	`return skip;`
`17514`	`17514`	`}`
`17515`	`17515`
	`17516`	`+static void jit_frameless_cleanup_reentry_copies(zend_jit_ctx jit, const zend_op opline)`
	`17517`	`+{`
	`17518`	`+ ir_ref if_copies = ir_IF(ir_LOAD_A(jit_EG(frameless_reentry_copies)));`
	`17519`	`+ ir_IF_TRUE_cold(if_copies);`
	`17520`	`+ ir_CALL_2(IR_VOID, ir_CONST_ADDR((size_t)zend_frameless_cleanup_reentry_copies_for_handler),`
	`17521`	`+ jit_FP(jit), ir_CONST_ADDR((size_t)opline));`
	`17522`	`+ ir_MERGE_WITH_EMPTY_FALSE(if_copies);`
	`17523`	`+}`
	`17524`	`+`
`17516`	`17525`	`static void jit_frameless_icall0(zend_jit_ctx jit, const zend_op opline)`
`17517`	`17526`	`{`
`17518`	`17527`	`jit_SET_EX_OPLINE(jit, opline);`
`@@ -17533,6 +17542,7 @@ static void jit_frameless_icall0(zend_jit_ctx jit, const zend_op opline)`
`17533`	`17542`	`ir_MERGE_WITH(skip_observer);`
`17534`	`17543`	`}`
`17535`	`17544`
	`17545`	`+ jit_frameless_cleanup_reentry_copies(jit, opline);`
`17536`	`17546`	`zend_jit_check_exception(jit);`
`17537`	`17547`	`}`
`17538`	`17548`
`@@ -17572,6 +17582,7 @@ static void jit_frameless_icall1(zend_jit_ctx jit, const zend_op opline, uint3`
`17572`	`17582`	`ir_MERGE_WITH(skip_observer);`
`17573`	`17583`	`}`
`17574`	`17584`
	`17585`	`+ jit_frameless_cleanup_reentry_copies(jit, opline);`
`17575`	`17586`	`jit_FREE_OP(jit, opline->op1_type, opline->op1, op1_info, NULL);`
`17576`	`17587`	`zend_jit_check_exception(jit);`
`17577`	`17588`	`}`
`@@ -17626,6 +17637,7 @@ static void jit_frameless_icall2(zend_jit_ctx jit, const zend_op opline, uint3`
`17626`	`17637`	`ir_MERGE_WITH(skip_observer);`
`17627`	`17638`	`}`
`17628`	`17639`
	`17640`	`+ jit_frameless_cleanup_reentry_copies(jit, opline);`
`17629`	`17641`	`jit_FREE_OP(jit, opline->op1_type, opline->op1, op1_info, NULL);`
`17630`	`17642`	`/* Set OP1 to UNDEF in case FREE_OP2() throws. */`
`17631`	`17643`	`if ((opline->op1_type & (IS_VAR\|IS_TMP_VAR)) != 0`
`@@ -17707,6 +17719,7 @@ static void jit_frameless_icall3(zend_jit_ctx jit, const zend_op opline, uint3`
`17707`	`17719`	`ir_MERGE_WITH(skip_observer);`
`17708`	`17720`	`}`
`17709`	`17721`
	`17722`	`+ jit_frameless_cleanup_reentry_copies(jit, opline);`
`17710`	`17723`	`jit_FREE_OP(jit, opline->op1_type, opline->op1, op1_info, NULL);`
`17711`	`17724`	`/* Set OP1 to UNDEF in case FREE_OP2() throws. */`
`17712`	`17725`	`bool op1_undef = false;`