Use consumed_args for array_reduce and some other callback-using functions

Author: drealecs

ext/pcre/php_pcre.c

@@ -1570,6 +1570,7 @@ static zend_string *preg_do_repl_func(zend_fcall_info *fci, zend_fcall_info_cach
 	fci->retval = &retval;
 	fci->param_count = 1;
 	fci->params = &arg;
+	fci->consumed_args = zend_fci_consumed_arg(0);
 	zend_call_function(fci, fcc);
 	zval_ptr_dtor(&arg);
 	if (EXPECTED(Z_TYPE(retval) == IS_STRING)) {

ext/pcre/tests/preg_replace_callback_matches_refcount.phpt

@@ -0,0 +1,37 @@
+--TEST--
+preg_replace_callback(): capture match array refcount stays low during callback
+--FILE--
+<?php
+var_dump(preg_replace_callback('/(.)(.)(.)/', static function ($matches) {
+    debug_zval_dump($matches);
+    return '';
+}, 'abc'));
+
+var_dump(preg_replace_callback_array(['/(.)(.)(.)/' => static function ($matches) {
+    debug_zval_dump($matches);
+    return '';
+}], 'abc'));
+?>
+--EXPECTF--
+array(4) packed refcount(2){
+  [0]=>
+  string(3) "abc"%s
+  [1]=>
+  string(1) "a" interned
+  [2]=>
+  string(1) "b" interned
+  [3]=>
+  string(1) "c" interned
+}
+string(0) ""
+array(4) packed refcount(2){
+  [0]=>
+  string(3) "abc"%s
+  [1]=>
+  string(1) "a" interned
+  [2]=>
+  string(1) "b" interned
+  [3]=>
+  string(1) "c" interned
+}
+string(0) ""

ext/standard/array.c

@@ -6414,6 +6414,7 @@ PHP_FUNCTION(array_reduce)
 	fci.retval = return_value;
 	fci.param_count = 2;
 	fci.params = args;
+	fci.consumed_args = zend_fci_consumed_arg(0);
 
 	ZEND_HASH_FOREACH_VAL(htbl, operand) {
 		ZVAL_COPY_VALUE(&args[0], return_value);

ext/standard/tests/array/array_reduce_accumulator_refcount.phpt

@@ -0,0 +1,35 @@
+--TEST--
+array_reduce(): accumulator refcount stays low during callback
+--FILE--
+<?php
+
+$result = array_reduce([1, 2, 3], function ($acc, $val) {
+    debug_zval_dump($acc);
+    $acc[] = $val;
+    return $acc;
+}, []);
+
+debug_zval_dump($result);
+
+?>
+--EXPECT--
+array(0) interned {
+}
+array(1) packed refcount(2){
+  [0]=>
+  int(1)
+}
+array(2) packed refcount(2){
+  [0]=>
+  int(1)
+  [1]=>
+  int(2)
+}
+array(3) packed refcount(2){
+  [0]=>
+  int(1)
+  [1]=>
+  int(2)
+  [2]=>
+  int(3)
+}

main/output.c

@@ -972,6 +972,7 @@ static inline php_output_handler_status_t php_output_handler_op(php_output_handl
 			handler->func.user->fci.param_count = 2;
 			handler->func.user->fci.params = ob_args;
 			handler->func.user->fci.retval = &retval;
+			handler->func.user->fci.consumed_args = zend_fci_consumed_arg(0);
 
 			if (SUCCESS == zend_call_function(&handler->func.user->fci, &handler->func.user->fcc) && Z_TYPE(retval) != IS_UNDEF) {
 				if (handler->flags & PHP_OUTPUT_HANDLER_PRODUCED_OUTPUT) {

tests/output/ob_start_callback_buffer_cow.phpt

@@ -0,0 +1,46 @@
+--TEST--
+ob_start(): callback buffer is consumed to avoid unnecessary COW
+--SKIPIF--
+<?php
+if (getenv('USE_ZEND_ALLOC') === '0') {
+    die('skip Zend MM disabled');
+}
+?>
+--INI--
+memory_limit=4M
+--FILE--
+<?php
+
+const PAYLOAD_SIZE = 256 * 1024;
+
+function run_handler(bool $force_copy): int {
+    $callback = static function ($buffer) use ($force_copy) {
+        if ($force_copy) {
+            $copy = $buffer;
+        }
+        $buffer .= 'x';
+        return '';
+    };
+    $payload = str_repeat('A', PAYLOAD_SIZE);
+
+    gc_collect_cycles();
+    gc_mem_caches();
+    memory_reset_peak_usage();
+    $start = memory_get_peak_usage();
+
+    ob_start($callback);
+
+    echo $payload;
+    $output = ob_get_flush();
+
+    return memory_get_peak_usage() - $start;
+}
+
+$without_copy = run_handler(false);
+$with_copy = run_handler(true);
+
+var_dump($with_copy >= $without_copy + PAYLOAD_SIZE / 2);
+
+?>
+--EXPECT--
+bool(true)