Don't try to clean up generator stack on unclean shutdown

nikic · nikic · commit 0f36224beb61 · 2013-06-29T21:51:54.000+02:00
This fixes bugs #65035 and #65161. In one of the bugs the issue is
that function_state.arguments is NULL, but the arg count is pushed
to the stack and the code tries to free it. In the other bug the
stack of the generator is freed twice, once in generator_close and
later during shutdown.

It's rather hard (if at all possible) to do a proper stack cleanup
on an unclean shutdown, so I'm just disabling it in this case.
diff --git a/NEWS b/NEWS
@@ -7,6 +7,8 @@ PHP                                                                        NEWS
     (Adam)
   . Fixed bug #65108 (is_callable() triggers Fatal Error). 
     (David Soria Parra, Laruence)
+  . Fixed bug #65035 (yield / exit segfault). (Nikita)
+  . Fixed bug #65161 (Generator + autoload + syntax error = segfault). (Nikita)
 
 - OPcache
   . Fixed bug #64827 (Segfault in zval_mark_grey (zend_gc.c)). (Laruence)
diff --git a/Zend/tests/generators/bug65035.phpt b/Zend/tests/generators/bug65035.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #65035: yield / exit segfault
+--FILE--
+<?php
+
+function gen() {
+    fn();
+    yield;
+}
+
+function fn() {
+    exit('Done');
+}
+
+$gen = gen();
+$gen->current();
+
+?>
+--EXPECT--
+Done
diff --git a/Zend/tests/generators/bug65161.phpt b/Zend/tests/generators/bug65161.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #65161: Generator + autoload + syntax error = segfault
+--FILE--
+<?php
+
+function autoload() {
+    foo();
+}
+spl_autoload_register('autoload');
+
+function testGenerator() {
+    new SyntaxError('param');
+    yield;
+}
+
+foreach (testGenerator() as $i);
+
+?>
+--EXPECTF--
+Fatal error: Call to undefined function foo() in %s on line %d
diff --git a/Zend/zend_generators.c b/Zend/zend_generators.c
@@ -55,6 +55,12 @@ ZEND_API void zend_generator_close(zend_generator *generator, zend_bool finished
 			zval_ptr_dtor(&execute_data->current_this);
 		}
 
+		/* A fatal error / die occured during the generator execution. Trying to clean
+		 * up the stack may not be safe in this case. */
+		if (CG(unclean_shutdown)) {
+			return;
+		}
+
 		/* If the generator is closed before it can finish execution (reach
 		 * a return statement) we have to free loop variables manually, as
 		 * we don't know whether the SWITCH_FREE / FREE opcodes have run */
