Fix refcounting

Author: arnaud-lb

Zend/zend_partial.c

@@ -917,6 +917,9 @@ zend_result zend_partial_init_call(zend_execute_data *call)
 	uint32_t orig_call_info = ZEND_CALL_INFO(call);
 	uint32_t call_info = orig_call_info & (ZEND_CALL_NESTED | ZEND_CALL_TOP | ZEND_CALL_ALLOCATED | ZEND_CALL_FREE_EXTRA_ARGS | ZEND_CALL_HAS_EXTRA_NAMED_PARAMS);
 	void *object_or_called_scope;
+	if (!ZEND_PARTIAL_FUNC_FLAG(&partial->func, ZEND_ACC_CALL_VIA_TRAMPOLINE)) {
+		call_info |= ZEND_CALL_FAKE_CLOSURE;
+	}
 	if (Z_TYPE(partial->This) == IS_OBJECT) {
 		object_or_called_scope = Z_OBJ(partial->This);
 		ZEND_ADD_CALL_FLAG_EX(call_info, ZEND_CALL_HAS_THIS);
@@ -960,10 +963,9 @@ zend_result zend_partial_init_call(zend_execute_data *call)
 
 	if (ZEND_PARTIAL_FUNC_FLAG(&partial->func, ZEND_ACC_CALL_VIA_TRAMPOLINE)) {
 		zend_string_addref(partial->func.common.function_name);
+		OBJ_RELEASE(&partial->std);
 	}
 
-	OBJ_RELEASE(&partial->std);
-
 	return SUCCESS;
 }
 
@@ -975,6 +977,8 @@ void zend_partial_create(zval *result, uint32_t info, zval *this_ptr, zend_funct
 
 	zend_partial *applied, *partial = (zend_partial*) Z_OBJ_P(result);
 
+	ZEND_ASSERT(ZEND_PARTIAL_OBJECT(&partial->func) == &partial->std);
+
 	if ((applied = zend_partial_fetch(this_ptr))) {
 		ZEND_ADD_CALL_FLAG(partial, ZEND_CALL_INFO(applied) & ~ZEND_APPLY_VARIADIC);
 

Zend/zend_partial.h

@@ -23,6 +23,10 @@
 
 BEGIN_EXTERN_C()
 
+/* This macro depends on zend_closure structure layout */
+#define ZEND_PARTIAL_OBJECT(func) \
+	((zend_object*)((char*)(func) - XtOffsetOf(struct{uint32_t a; zend_function b;}, b) - sizeof(zval) - sizeof(zend_function) - sizeof(zend_object)))
+
 typedef struct _zend_partial zend_partial;
 
 void zend_partial_startup(void);

Zend/zend_vm_def.h

@@ -2978,6 +2978,8 @@ ZEND_VM_HOT_HELPER(zend_leave_helper, ANY, ANY)
 			OBJ_RELEASE(Z_OBJ(execute_data->This));
 		} else if (UNEXPECTED(call_info & ZEND_CALL_CLOSURE)) {
 			OBJ_RELEASE(ZEND_CLOSURE_OBJECT(EX(func)));
+		} else if (UNEXPECTED(call_info & ZEND_CALL_FAKE_CLOSURE)) {
+			OBJ_RELEASE(ZEND_PARTIAL_OBJECT(EX(func)));
 		}
 		EG(vm_stack_top) = (zval*)execute_data;
 		execute_data = EX(prev_execute_data);
@@ -3012,6 +3014,8 @@ ZEND_VM_HOT_HELPER(zend_leave_helper, ANY, ANY)
 			OBJ_RELEASE(Z_OBJ(execute_data->This));
 		} else if (UNEXPECTED(call_info & ZEND_CALL_CLOSURE)) {
 			OBJ_RELEASE(ZEND_CLOSURE_OBJECT(EX(func)));
+		} else if (UNEXPECTED(call_info & ZEND_CALL_FAKE_CLOSURE)) {
+			OBJ_RELEASE(ZEND_PARTIAL_OBJECT(EX(func)));
 		}
 
 		old_execute_data = execute_data;
@@ -3069,6 +3073,8 @@ ZEND_VM_HOT_HELPER(zend_leave_helper, ANY, ANY)
 			}
 			if (UNEXPECTED(call_info & ZEND_CALL_CLOSURE)) {
 				OBJ_RELEASE(ZEND_CLOSURE_OBJECT(EX(func)));
+			} else if (UNEXPECTED(call_info & ZEND_CALL_FAKE_CLOSURE)) {
+				OBJ_RELEASE(ZEND_PARTIAL_OBJECT(EX(func)));
 			}
 			ZEND_VM_RETURN();
 		} else /* if (call_kind == ZEND_CALL_TOP_CODE) */ {
@@ -9328,6 +9334,10 @@ ZEND_VM_HANDLER(214, ZEND_CALL_PARTIAL, ANY, ANY, SPEC(OBSERVER))
 		if (ret == &retval) {
 			zval_ptr_dtor(ret);
 		}
+
+		if (UNEXPECTED(ZEND_CALL_INFO(call) & ZEND_CALL_FAKE_CLOSURE)) {
+			OBJ_RELEASE(ZEND_PARTIAL_OBJECT(fbc));
+		}
 	}
 
 	execute_data = EG(current_execute_data);

ext/reflection/php_reflection.c

@@ -902,7 +902,7 @@ static void _function_string(smart_str *str, zend_function *fptr, zend_class_ent
 
 	smart_str_appendl(str, indent, strlen(indent));
 	const char *prefix = "Function [ ";
-	if (fptr->common.fn_flags & ZEND_ACC_CLOSURE) {
+	if (fptr->common.fn_flags & (ZEND_ACC_CLOSURE|ZEND_ACC_FAKE_CLOSURE)) {
 		if (zend_is_partial_function(fptr)) {
 			prefix = "Partial [ ";
 		} else {