fix(zend, opcache): refcount strings

azjezz · azjezz · commit 8d8a55ce1002 · 2026-05-09T15:28:22.000+01:00
Signed-off-by: azjezz &lt;azjezz@protonmail.com&gt;
diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c
@@ -1934,10 +1934,22 @@ static void do_inherit_property(zend_property_info *parent_info, zend_string *ke
 
 								uint32_t num_args = orig->op_array.num_args;
 								if (orig->op_array.fn_flags & ZEND_ACC_VARIADIC) num_args++;
-								size_t arg_info_block = sizeof(zend_arg_info) * (num_args + 1);
+								uint32_t total = num_args + 1;
+								size_t arg_info_block = sizeof(zend_arg_info) * total;
 
 								zend_arg_info *new_arg_info = zend_arena_alloc(&CG(arena), arg_info_block);
 								memcpy(new_arg_info, orig->op_array.arg_info - 1, arg_info_block);
+
+								for (uint32_t i = 0; i < total; i++) {
+									if (new_arg_info[i].name) {
+										zend_string_addref(new_arg_info[i].name);
+									}
+
+									if (new_arg_info[i].doc_comment) {
+										zend_string_addref(new_arg_info[i].doc_comment);
+									}
+								}
+
 								uint32_t slot = (hi == ZEND_PROPERTY_HOOK_GET) ? 0 : 1;
 								new_arg_info[slot].type = sub;
 								zend_type_copy_ctor(&new_arg_info[slot].type, true, false);
@@ -2797,6 +2809,17 @@ static void zend_substitute_trait_method_arg_info(
 	zend_arg_info *new_block = zend_arena_alloc(&CG(arena), sizeof(zend_arg_info) * total);
 	memcpy(new_block, orig_block, sizeof(zend_arg_info) * total);
 
+	/* The clone shares name/doc_comment string pointers with the parent's arg_info; bump refcount
+	 * so opcache's interning pass on the parent doesn't release strings the clone still references. */
+	for (uint32_t i = 0; i < total; i++) {
+		if (new_block[i].name) {
+			zend_string_addref(new_block[i].name);
+		}
+		if (new_block[i].doc_comment) {
+			zend_string_addref(new_block[i].doc_comment);
+		}
+	}
+
 	uint32_t return_slot_offset = has_return ? 1 : 0;
 
 	if (has_return && orig_op->generic_types->return_type) {
diff --git a/ext/opcache/zend_persist.c b/ext/opcache/zend_persist.c
@@ -1211,7 +1211,7 @@ zend_class_entry *zend_persist_class_entry(zend_class_entry *orig_ce)
 				zend_property_info *xlat_prop = zend_shared_alloc_get_xlat_entry(prop);
 				if (xlat_prop) {
 					Z_PTR(p->val) = xlat_prop;
-				} else if (prop->ce->type == ZEND_USER_CLASS && zend_hash_find_ptr(&prop->ce->properties_info, p->key) != prop) {
+				} else if (!zend_accel_in_shm(prop) && prop->ce->type == ZEND_USER_CLASS) {
 					Z_PTR(p->val) = zend_persist_substituted_property_info(prop);
 				} else {
 					/* This can happen if preloading is used and we inherit a property from an
diff --git a/ext/opcache/zend_persist_calc.c b/ext/opcache/zend_persist_calc.c
@@ -662,9 +662,7 @@ void zend_persist_class_entry_calc(zend_class_entry *ce)
 			ADD_INTERNED_STRING(p->key);
 			if (prop->ce == ce) {
 				zend_persist_property_info_calc(prop);
-			} else if (prop->ce->type == ZEND_USER_CLASS
-					&& !zend_shared_alloc_get_xlat_entry(prop)
-					&& zend_hash_find_ptr(&prop->ce->properties_info, p->key) != prop) {
+			} else if (!zend_accel_in_shm(prop) && prop->ce->type == ZEND_USER_CLASS && !zend_shared_alloc_get_xlat_entry(prop)) {
 				zend_shared_alloc_register_xlat_entry(prop, prop);
 				zend_persist_substituted_property_info_calc(prop);
 			}
