[Observer] Provide unused retvals to observers

[SammyK]

This PR ensures that if a retval is not used, it is still available to observer end handlers.

[nikic]

I think this may use after free for the IS_VAR REFERENCE case.

[nikic]

Ah no, retval_ptr is derefed in that case. However the IS_CV case looks problematic, because the value gets moved into return_value there and retval_ptr is changed to a NULL zval.

[SammyK]

Ah, nice catch. I was scanning for dtor's and totally missed that ZVAL_NULL(retval_ptr) for IS_CV. I'll fix that and add some more comprehensive tests.

[SammyK]

I just added a fix for the IS_CV + refcounted return case and added more tests for various VM var types. Thanks again for catching that one!

[nikic]

Might it make sense to just move this to the very start of the function, rather than duplication it in the branches?

[SammyK]

That would make sense and would be simpler. But the main issue is that any errors that are raised in the return handler would trigger after the end handler had fired.

For example, the output from observer_retval_05.phpt would change to this:

  <foo>
+  </foo:NULL>

Warning: Undefined variable $i_do_not_exist in %s on line %d
-  </foo:NULL>

For the PHP tracer extension I'm working on, that would mean that we couldn't attach the E_WARNING to the open foo span that raised the error.

[SammyK]

@nikic Do you have any other issues with this PR? I'm planning on merging this first thing tomorrow morning in time for the RC5 tag.

[nikic]

This looks like a use after free for all the !EX(return_value) cases above, that already free the value.

[SammyK]

Very good catch. I didn't realize that freeing OP1 was freeing the retval from the opline. I fixed this in 0fa78a5.

[nikic]

This needs to be something refcounted to check for use after free.

[SammyK]

A refcounted retval is being tested in observer_retval_04.phpt. In this test I was targeting this branch. Do you think we have sufficient coverage with all the retval tests?

[nikic]

This looks pretty fishy to me, especially in conjunction with the EX(return_value) initialization below.

[SammyK]

You're absolutely right. Retval will always be null with uncaught exceptions. I don't know what I was thinking on this one. 🤦 I reverted this commit in 9332095 and added a proper fix in 95f943a.

[SammyK]

Thanks for another round of review on this @nikic! I think I addressed the main concerns. I also squeezed in two more tests (51d8fd9) to make sure observability was still possible during shutdown.

[nikic]

I think there's still a potential use-after-free here. If retval_ptr is a reference with refcount one, then it will be freed above, but (the new) retval_ptr will still point into it.

Generally I think that you should just do

ZEND_OBSERVER_SAVE_OPLINE();
ZEND_OBSERVER_FCALL_END(execute_data, return_value);

one at the end up the whole if (return_value) branch. There's no need to handle these differently in each case.

[nikic]

Just to offer a possible alternative that might be less fragile, you could do something like this:

zval observer_retval;
if (observer && !return_value) {
    return_value = &observer_retval;
}
...
if (observer && return_value == &observer_retval) {
    zval_ptr_dtor_nogc(&observer_retval);
}

I.e. pretend we always want a return_value if observer if used. Less efficient, but maybe more straightforward?

[SammyK]

Your suggestion is so much better than trying to follow all the branches. Thanks @nikic! 💯 I've applied your suggestion in 7b6572f. If this looks good to you, I'll merge this first thing in the morning Pacific Time in time for the RC5 tag.