Check for NULL GC type in objects_store_del

nikic · nikic · commit 4dc0662eca4d · 2019-03-01T14:32:11.000+01:00
This might happen if OBJ_RELEASE is used on an object that was already released by GC. Specific cases of this issue were previously fixed in ffaee27 and 72104d2, however the issue still affects 3rd-party extensions using OBJ_RELEASE. The whole GC type NULL + OBJ_IS_VALID + IS_FREE_CALLED system seems overly complicated and can probably be simplified in 7.4.
diff --git a/Zend/zend_generators.c b/Zend/zend_generators.c
@@ -123,8 +123,7 @@ ZEND_API void zend_generator_close(zend_generator *generator, zend_bool finished
 		/* always free the CV's, in the symtable are only not-free'd IS_INDIRECT's */
 		zend_free_compiled_variables(execute_data);
 
-		if ((EX_CALL_INFO() & ZEND_CALL_RELEASE_THIS) &&
-			EXPECTED(GC_TYPE(Z_OBJ(execute_data->This)) == IS_OBJECT)) {
+		if (EX_CALL_INFO() & ZEND_CALL_RELEASE_THIS) {
 			OBJ_RELEASE(Z_OBJ(execute_data->This));
 		}
 
@@ -144,8 +143,7 @@ ZEND_API void zend_generator_close(zend_generator *generator, zend_bool finished
 		}
 
 		/* Free closure object */
-		if ((EX_CALL_INFO() & ZEND_CALL_CLOSURE) &&
-			EXPECTED(GC_TYPE(ZEND_CLOSURE_OBJECT(EX(func))) == IS_OBJECT)) {
+		if (EX_CALL_INFO() & ZEND_CALL_CLOSURE) {
 			OBJ_RELEASE(ZEND_CLOSURE_OBJECT(EX(func)));
 		}
 
diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
@@ -152,14 +152,17 @@ ZEND_API void ZEND_FASTCALL zend_objects_store_put(zend_object *object)
 
 ZEND_API void ZEND_FASTCALL zend_objects_store_del(zend_object *object) /* {{{ */
 {
+	ZEND_ASSERT(GC_REFCOUNT(object) == 0);
+
+	/* GC might have released this object already. */
+	if (UNEXPECTED(GC_TYPE(object) == IS_NULL)) {
+		return;
+	}
+
 	/*	Make sure we hold a reference count during the destructor call
 		otherwise, when the destructor ends the storage might be freed
 		when the refcount reaches 0 a second time
 	 */
-	ZEND_ASSERT(EG(objects_store).object_buckets != NULL);
-	ZEND_ASSERT(IS_OBJ_VALID(EG(objects_store).object_buckets[object->handle]));
-	ZEND_ASSERT(GC_REFCOUNT(object) == 0);
-
 	if (!(OBJ_FLAGS(object) & IS_OBJ_DESTRUCTOR_CALLED)) {
 		GC_ADD_FLAGS(object, IS_OBJ_DESTRUCTOR_CALLED);
 
@@ -176,6 +179,8 @@ ZEND_API void ZEND_FASTCALL zend_objects_store_del(zend_object *object) /* {{{ *
 		uint32_t handle = object->handle;
 		void *ptr;
 
+		ZEND_ASSERT(EG(objects_store).object_buckets != NULL);
+		ZEND_ASSERT(IS_OBJ_VALID(EG(objects_store).object_buckets[object->handle]));
 		EG(objects_store).object_buckets[handle] = SET_OBJ_INVALID(object);
 		if (!(OBJ_FLAGS(object) & IS_OBJ_FREE_CALLED)) {
 			GC_ADD_FLAGS(object, IS_OBJ_FREE_CALLED);

Original file line number	Diff line number	Diff line change
`@@ -123,8 +123,7 @@ ZEND_API void zend_generator_close(zend_generator *generator, zend_bool finished`
`123`	`123`	`/* always free the CV's, in the symtable are only not-free'd IS_INDIRECT's */`
`124`	`124`	`zend_free_compiled_variables(execute_data);`
`125`	`125`
`126`		`- if ((EX_CALL_INFO() & ZEND_CALL_RELEASE_THIS) &&`
`127`		`- EXPECTED(GC_TYPE(Z_OBJ(execute_data->This)) == IS_OBJECT)) {`
	`126`	`+ if (EX_CALL_INFO() & ZEND_CALL_RELEASE_THIS) {`
`128`	`127`	`OBJ_RELEASE(Z_OBJ(execute_data->This));`
`129`	`128`	`}`
`130`	`129`
`@@ -144,8 +143,7 @@ ZEND_API void zend_generator_close(zend_generator *generator, zend_bool finished`
`144`	`143`	`}`
`145`	`144`
`146`	`145`	`/* Free closure object */`
`147`		`- if ((EX_CALL_INFO() & ZEND_CALL_CLOSURE) &&`
`148`		`- EXPECTED(GC_TYPE(ZEND_CLOSURE_OBJECT(EX(func))) == IS_OBJECT)) {`
	`146`	`+ if (EX_CALL_INFO() & ZEND_CALL_CLOSURE) {`
`149`	`147`	`OBJ_RELEASE(ZEND_CLOSURE_OBJECT(EX(func)));`
`150`	`148`	`}`
`151`	`149`