Deprecate returning non-string values from a user output handler (php#18932)

https://wiki.php.net/rfc/deprecations_php_8_4

Author: DanielEScherzer

UPGRADING

@@ -259,6 +259,13 @@ PHP 8.5 UPGRADE NOTES
 4. Deprecated Functionality
 ========================================
 
+- Core:
+  . Returning a non-string from a user output handler is deprecated. The
+    deprecation warning will bypass the handler with the bad return to ensure
+    it is visible; if there are nested output handlers the next one will still
+    be used.
+    RFC: https://wiki.php.net/rfc/deprecations_php_8_4
+
 - Hash:
   . The MHASH_* constants have been deprecated.  These have been overlooked
     when the mhash*() function family has been deprecated per

Zend/tests/concat/bug79836.phpt

@@ -8,6 +8,7 @@ $counter = 0;
 ob_start(function ($buffer) use (&$c, &$counter) {
 	$c = 0;
 	++$counter;
+	return '';
 }, 1);
 $c .= [];
 $c .= [];

Zend/tests/concat/bug79836_1.phpt

@@ -7,6 +7,7 @@ opcache.optimization_level = 0x7FFEBFFF & ~0x400
 $x = 'non-empty';
 ob_start(function () use (&$c) {
 	$c = 0;
+	return '';
 }, 1);
 $c = [];
 $x = $c . $x;

Zend/tests/concat/bug79836_2.phpt

@@ -6,6 +6,7 @@ $c = str_repeat("abcd", 10);
 
 ob_start(function () use (&$c) {
 	$c = 0;
+	return '';
 }, 1);
 
 class X {

Zend/tests/declare/gh18033_2.phpt

@@ -11,6 +11,7 @@ ob_start(function() {
     register_tick_function(
        function() { }
     );
+    return '';
 });
 ?>
 --EXPECT--

Zend/tests/gh11189.phpt

@@ -18,6 +18,7 @@ ob_start(function() {
         $a[] = 2;
     }
     fwrite(STDOUT, "Success");
+    return '';
 });
 
 $a = [];

Zend/tests/gh11189_1.phpt

@@ -18,6 +18,7 @@ ob_start(function() {
         $a[] = 2;
     }
     fwrite(STDOUT, "Success");
+    return '';
 });
 
 $a = ["not packed" => 1];

Zend/tests/gh16408.phpt

@@ -6,6 +6,7 @@ $counter = 0;
 ob_start(function ($buffer) use (&$c, &$counter) {
         $c = 0;
         ++$counter;
+        return '';
 }, 1);
 $c .= [];
 $c .= [];

ext/session/tests/user_session_module/bug61728.phpt

@@ -5,7 +5,7 @@ session
 --FILE--
 <?php
 function output_html($ext) {
-    return strlen($ext);
+    return (string)strlen($ext);
 }
 
 class MySessionHandler implements SessionHandlerInterface {

main/output.c

@@ -934,6 +934,7 @@ static inline php_output_handler_status_t php_output_handler_op(php_output_handl
 		return PHP_OUTPUT_HANDLER_FAILURE;
 	}
 
+	bool still_have_handler = true;
 	/* storable? */
 	if (php_output_handler_append(handler, &context->in) && !context->op) {
 		context->op = original_op;
@@ -948,6 +949,7 @@ static inline php_output_handler_status_t php_output_handler_op(php_output_handl
 		if (handler->flags & PHP_OUTPUT_HANDLER_USER) {
 			zval ob_args[2];
 			zval retval;
+			ZVAL_UNDEF(&retval);
 
 			/* ob_data */
 			ZVAL_STRINGL(&ob_args[0], handler->buffer.data, handler->buffer.used);
@@ -959,17 +961,48 @@ static inline php_output_handler_status_t php_output_handler_op(php_output_handl
 			handler->func.user->fci.params = ob_args;
 			handler->func.user->fci.retval = &retval;
 
-#define PHP_OUTPUT_USER_SUCCESS(retval) ((Z_TYPE(retval) != IS_UNDEF) && !(Z_TYPE(retval) == IS_FALSE))
-			if (SUCCESS == zend_call_function(&handler->func.user->fci, &handler->func.user->fcc) && PHP_OUTPUT_USER_SUCCESS(retval)) {
-				/* user handler may have returned TRUE */
-				status = PHP_OUTPUT_HANDLER_NO_DATA;
-				if (Z_TYPE(retval) != IS_FALSE && Z_TYPE(retval) != IS_TRUE) {
-					convert_to_string(&retval);
-					if (Z_STRLEN(retval)) {
-						context->out.data = estrndup(Z_STRVAL(retval), Z_STRLEN(retval));
-						context->out.used = Z_STRLEN(retval);
-						context->out.free = 1;
-						status = PHP_OUTPUT_HANDLER_SUCCESS;
+			if (SUCCESS == zend_call_function(&handler->func.user->fci, &handler->func.user->fcc) && Z_TYPE(retval) != IS_UNDEF) {
+				if (Z_TYPE(retval) != IS_STRING) {
+					// Make sure that we don't get lost in the current output buffer
+					// by disabling it
+					handler->flags |= PHP_OUTPUT_HANDLER_DISABLED;
+					php_error_docref(
+						NULL,
+						E_DEPRECATED,
+						"Returning a non-string result from user output handler %s is deprecated",
+						ZSTR_VAL(handler->name)
+					);
+					// Check if the handler is still in the list of handlers to
+					// determine if the PHP_OUTPUT_HANDLER_DISABLED flag can
+					// be removed
+					still_have_handler = false;
+					int handler_count = php_output_get_level();
+					if (handler_count) {
+						php_output_handler **handlers = (php_output_handler **) zend_stack_base(&OG(handlers));
+						for (int handler_num = 0; handler_num < handler_count; ++handler_num) {
+							php_output_handler *curr_handler = handlers[handler_num];
+							if (curr_handler == handler) {
+								handler->flags &= (~PHP_OUTPUT_HANDLER_DISABLED);
+								still_have_handler = true;
+								break;
+							}
+						}
+					}
+				}
+				if (Z_TYPE(retval) == IS_FALSE) {
+					/* call failed, pass internal buffer along */
+					status = PHP_OUTPUT_HANDLER_FAILURE;
+				} else {
+					/* user handler may have returned TRUE */
+					status = PHP_OUTPUT_HANDLER_NO_DATA;
+					if (Z_TYPE(retval) != IS_FALSE && Z_TYPE(retval) != IS_TRUE) {
+						convert_to_string(&retval);
+						if (Z_STRLEN(retval)) {
+							context->out.data = estrndup(Z_STRVAL(retval), Z_STRLEN(retval));
+							context->out.used = Z_STRLEN(retval);
+							context->out.free = 1;
+							status = PHP_OUTPUT_HANDLER_SUCCESS;
+						}
 					}
 				}
 			} else {
@@ -996,10 +1029,17 @@ static inline php_output_handler_status_t php_output_handler_op(php_output_handl
 				status = PHP_OUTPUT_HANDLER_FAILURE;
 			}
 		}
-		handler->flags |= PHP_OUTPUT_HANDLER_STARTED;
+		if (still_have_handler) {
+			handler->flags |= PHP_OUTPUT_HANDLER_STARTED;
+		}
 		OG(running) = NULL;
 	}
 
+	if (!still_have_handler) {
+		// Handler and context will have both already been freed
+		return status;
+	}
+
 	switch (status) {
 		case PHP_OUTPUT_HANDLER_FAILURE:
 			/* disable this handler */
@@ -1225,6 +1265,19 @@ static int php_output_stack_pop(int flags)
 			}
 			php_output_handler_op(orphan, &context);
 		}
+		// If it isn't still in the stack, cannot free it
+		bool still_have_handler = false;
+		int handler_count = php_output_get_level();
+		if (handler_count) {
+			php_output_handler **handlers = (php_output_handler **) zend_stack_base(&OG(handlers));
+			for (int handler_num = 0; handler_num < handler_count; ++handler_num) {
+				php_output_handler *curr_handler = handlers[handler_num];
+				if (curr_handler == orphan) {
+					still_have_handler = true;
+					break;
+				}
+			}
+		}
 
 		/* pop it off the stack */
 		zend_stack_del_top(&OG(handlers));
@@ -1240,7 +1293,9 @@ static int php_output_stack_pop(int flags)
 		}
 
 		/* destroy the handler (after write!) */
-		php_output_handler_free(&orphan);
+		if (still_have_handler) {
+			php_output_handler_free(&orphan);
+		}
 		php_output_context_dtor(&context);
 
 		return 1;