Fix CI failures: opcache SHM persistence crashes, optimizer memory leak, compile warning

php-generics · claude · php-generics · commit 72009da7738a · 2026-03-01T19:00:56.000+01:00
- Fix segfault with opcache.protect_memory=1: add zend_accel_in_shm()
  checks before calling zend_shared_memdup_put_free() on generic type
  refs, class refs, wildcard bounds, generic args, params info, and
  bound generic args hash tables that may already be in read-only SHM
  when inheriting from previously-persisted interfaces.

- Fix 28-byte memory leak in static generic calls with opcache optimizer:
  when pass 4 (func_calls) + pass 16 (inline) combine to inline a
  Box&lt;int&gt;::hello() call, the INIT_STATIC_METHOD_CALL opcode is NOPed
  but the generic args literal at op1.constant+2 was never released.
  Release it before zend_delete_call_instructions NOPs the opcode.

- Fix -Werror compile failure: remove unused 'key' variable in
  zend_verify_generic_variance() by switching to ZEND_HASH_MAP_FOREACH_PTR.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/Zend/Optimizer/optimize_func_calls.c b/Zend/Optimizer/optimize_func_calls.c
@@ -27,6 +27,7 @@
 #include "zend_constants.h"
 #include "zend_execute.h"
 #include "zend_vm.h"
+#include "zend_generics.h"
 
 typedef struct _optimizer_call_info {
 	zend_function *func;
@@ -131,6 +132,17 @@ static void zend_try_inline_call(zend_op_array *op_array, const zend_op *fcall,
 				MAKE_NOP(opline);
 			}
 
+			/* Release generic args literal before the INIT opcode is NOPed */
+			if (fcall->opcode == ZEND_INIT_STATIC_METHOD_CALL
+					&& fcall->op1_type == IS_CONST
+					&& (fcall->result.num & 0x80000000)) {
+				zval *generic_args_zv = &op_array->literals[fcall->op1.constant + 2];
+				if (Z_TYPE_P(generic_args_zv) == IS_PTR && Z_PTR_P(generic_args_zv) != NULL) {
+					zend_generic_args_release((zend_generic_args *) Z_PTR_P(generic_args_zv));
+					ZVAL_NULL(generic_args_zv);
+				}
+			}
+
 			zend_delete_call_instructions(op_array, opline-1);
 		}
 	}
diff --git a/Zend/tests/generics/generic_static_call_inline.phpt b/Zend/tests/generics/generic_static_call_inline.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Generic static method call inlined by optimizer (no typed params, returns constant)
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=0x7FFEBFFF
+--EXTENSIONS--
+opcache
+--FILE--
+<?php
+
+class Box<T> {
+    public static function hello(): string {
+        return "Hello from Box!";
+    }
+
+    public static function getClass(): string {
+        return self::class;
+    }
+}
+
+// These calls are eligible for optimizer inlining (pass 4+16):
+// no typed params + body is just "return constant"
+echo Box<int>::hello() . "\n";
+echo Box<string>::hello() . "\n";
+echo Box<int>::getClass() . "\n";
+
+echo "OK\n";
+?>
+--EXPECT--
+Hello from Box!
+Hello from Box!
+Box
+OK
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -9905,9 +9905,8 @@ static void zend_verify_generic_variance(zend_class_entry *ce) /* {{{ */
 	}
 
 	/* Check all methods */
-	zend_string *key;
 	zend_function *fn;
-	ZEND_HASH_MAP_FOREACH_STR_KEY_PTR(&ce->function_table, key, fn) {
+	ZEND_HASH_MAP_FOREACH_PTR(&ce->function_table, fn) {
 		if (fn->common.scope != ce) {
 			continue; /* Skip inherited methods */
 		}
diff --git a/ext/opcache/zend_persist.c b/ext/opcache/zend_persist.c
@@ -364,17 +364,30 @@ uint32_t zend_accel_get_class_name_map_ptr(zend_string *type_name)
 static void zend_persist_generic_args(zend_generic_args **args_ptr);
 
 static void zend_persist_type(zend_type *type) {
-	/* Handle generic type references before the list/name iteration */
+	/* Handle generic type references before the list/name iteration.
+	 * When inheriting from an already-persisted class/interface, the ref
+	 * may already live in SHM — use memdup_put (no free) to avoid efree
+	 * on read-only SHM memory. */
 	if (ZEND_TYPE_IS_GENERIC_PARAM(*type)) {
 		zend_generic_type_ref *ref = ZEND_TYPE_GENERIC_PARAM_REF(*type);
-		zend_generic_type_ref *new_ref = zend_shared_memdup_put_free(ref, sizeof(zend_generic_type_ref));
+		zend_generic_type_ref *new_ref;
+		if (zend_accel_in_shm(ref)) {
+			new_ref = zend_shared_memdup_put(ref, sizeof(zend_generic_type_ref));
+		} else {
+			new_ref = zend_shared_memdup_put_free(ref, sizeof(zend_generic_type_ref));
+		}
 		zend_accel_store_interned_string(new_ref->name);
 		ZEND_TYPE_SET_PTR(*type, new_ref);
 		return;
 	}
 	if (ZEND_TYPE_IS_GENERIC_CLASS(*type)) {
 		zend_generic_class_ref *ref = ZEND_TYPE_GENERIC_CLASS_REF(*type);
-		zend_generic_class_ref *new_ref = zend_shared_memdup_put_free(ref, sizeof(zend_generic_class_ref));
+		zend_generic_class_ref *new_ref;
+		if (zend_accel_in_shm(ref)) {
+			new_ref = zend_shared_memdup_put(ref, sizeof(zend_generic_class_ref));
+		} else {
+			new_ref = zend_shared_memdup_put_free(ref, sizeof(zend_generic_class_ref));
+		}
 		zend_accel_store_interned_string(new_ref->class_name);
 		if (!ZCG(current_persistent_script)->corrupted) {
 			zend_accel_get_class_name_map_ptr(new_ref->class_name);
@@ -383,8 +396,13 @@ static void zend_persist_type(zend_type *type) {
 			zend_persist_generic_args(&new_ref->type_args);
 		}
 		if (new_ref->wildcard_bounds && new_ref->type_args) {
-			new_ref->wildcard_bounds = zend_shared_memdup_put_free(
-				new_ref->wildcard_bounds, new_ref->type_args->num_args * sizeof(zend_generic_bound));
+			if (zend_accel_in_shm(new_ref->wildcard_bounds)) {
+				new_ref->wildcard_bounds = zend_shared_memdup_put(
+					new_ref->wildcard_bounds, new_ref->type_args->num_args * sizeof(zend_generic_bound));
+			} else {
+				new_ref->wildcard_bounds = zend_shared_memdup_put_free(
+					new_ref->wildcard_bounds, new_ref->type_args->num_args * sizeof(zend_generic_bound));
+			}
 		}
 		ZEND_TYPE_SET_PTR(*type, new_ref);
 		return;
@@ -422,7 +440,11 @@ static void zend_persist_generic_args(zend_generic_args **args_ptr)
 {
 	zend_generic_args *args = *args_ptr;
 	size_t size = ZEND_GENERIC_ARGS_SIZE(args->num_args);
-	args = zend_shared_memdup_put_free(args, size);
+	if (zend_accel_in_shm(args)) {
+		args = zend_shared_memdup_put(args, size);
+	} else {
+		args = zend_shared_memdup_put_free(args, size);
+	}
 	args->refcount = 0; /* SHM: unmanaged, never freed via release */
 	for (uint32_t i = 0; i < args->num_args; i++) {
 		zend_persist_type(&args->args[i]);
@@ -434,7 +456,11 @@ static void zend_persist_generic_params_info(zend_generic_params_info **info_ptr
 {
 	zend_generic_params_info *info = *info_ptr;
 	size_t size = ZEND_GENERIC_PARAMS_INFO_SIZE(info->num_params);
-	info = zend_shared_memdup_put_free(info, size);
+	if (zend_accel_in_shm(info)) {
+		info = zend_shared_memdup_put(info, size);
+	} else {
+		info = zend_shared_memdup_put_free(info, size);
+	}
 	for (uint32_t i = 0; i < info->num_params; i++) {
 		zend_accel_store_interned_string(info->params[i].name);
 		zend_persist_type(&info->params[i].constraint);
@@ -1215,28 +1241,38 @@ zend_class_entry *zend_persist_class_entry(zend_class_entry *orig_ce)
 			zend_persist_generic_args(&ce->bound_generic_args);
 		}
 		if (ce->interface_bound_generic_args) {
-			zend_hash_persist(ce->interface_bound_generic_args);
-			ZEND_HASH_MAP_FOREACH_BUCKET(ce->interface_bound_generic_args, p) {
-				ZEND_ASSERT(p->key != NULL);
-				zend_accel_store_interned_string(p->key);
-				zend_generic_args *args = Z_PTR(p->val);
-				zend_persist_generic_args(&args);
-				Z_PTR(p->val) = args;
-			} ZEND_HASH_FOREACH_END();
-			ce->interface_bound_generic_args = zend_shared_memdup_put_free(
-				ce->interface_bound_generic_args, sizeof(HashTable));
+			if (zend_accel_in_shm(ce->interface_bound_generic_args)) {
+				ce->interface_bound_generic_args = zend_shared_memdup_put(
+					ce->interface_bound_generic_args, sizeof(HashTable));
+			} else {
+				zend_hash_persist(ce->interface_bound_generic_args);
+				ZEND_HASH_MAP_FOREACH_BUCKET(ce->interface_bound_generic_args, p) {
+					ZEND_ASSERT(p->key != NULL);
+					zend_accel_store_interned_string(p->key);
+					zend_generic_args *args = Z_PTR(p->val);
+					zend_persist_generic_args(&args);
+					Z_PTR(p->val) = args;
+				} ZEND_HASH_FOREACH_END();
+				ce->interface_bound_generic_args = zend_shared_memdup_put_free(
+					ce->interface_bound_generic_args, sizeof(HashTable));
+			}
 		}
 		if (ce->trait_bound_generic_args) {
-			zend_hash_persist(ce->trait_bound_generic_args);
-			ZEND_HASH_MAP_FOREACH_BUCKET(ce->trait_bound_generic_args, p) {
-				ZEND_ASSERT(p->key != NULL);
-				zend_accel_store_interned_string(p->key);
-				zend_generic_args *args = Z_PTR(p->val);
-				zend_persist_generic_args(&args);
-				Z_PTR(p->val) = args;
-			} ZEND_HASH_FOREACH_END();
-			ce->trait_bound_generic_args = zend_shared_memdup_put_free(
-				ce->trait_bound_generic_args, sizeof(HashTable));
+			if (zend_accel_in_shm(ce->trait_bound_generic_args)) {
+				ce->trait_bound_generic_args = zend_shared_memdup_put(
+					ce->trait_bound_generic_args, sizeof(HashTable));
+			} else {
+				zend_hash_persist(ce->trait_bound_generic_args);
+				ZEND_HASH_MAP_FOREACH_BUCKET(ce->trait_bound_generic_args, p) {
+					ZEND_ASSERT(p->key != NULL);
+					zend_accel_store_interned_string(p->key);
+					zend_generic_args *args = Z_PTR(p->val);
+					zend_persist_generic_args(&args);
+					Z_PTR(p->val) = args;
+				} ZEND_HASH_FOREACH_END();
+				ce->trait_bound_generic_args = zend_shared_memdup_put_free(
+					ce->trait_bound_generic_args, sizeof(HashTable));
+			}
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -9905,9 +9905,8 @@ static void zend_verify_generic_variance(zend_class_entry ce) / {{{ */`
`9905`	`9905`	`}`
`9906`	`9906`
`9907`	`9907`	`/* Check all methods */`
`9908`		`- zend_string *key;`
`9909`	`9908`	`zend_function *fn;`
`9910`		`- ZEND_HASH_MAP_FOREACH_STR_KEY_PTR(&ce->function_table, key, fn) {`
	`9909`	`+ ZEND_HASH_MAP_FOREACH_PTR(&ce->function_table, fn) {`
`9911`	`9910`	`if (fn->common.scope != ce) {`
`9912`	`9911`	`continue; /* Skip inherited methods */`
`9913`	`9912`	`}`