Reset inheritance_cache pointer of zend_class_entry upon serialization (#12401)

turchanov · web-flow · commit 90f2e7607a7a · 2023-10-11T09:57:18.000+03:00
to opcache filecache. Usually, when a class is being loaded, a dependency
tracking is performed after the call to zend_file_cache_script_store.
But sometimes, when opcache cache is empty and there are many simultaneous
outstanding requests for compilation, some classes do have their
inheritance_cache initialized before the call to zend_file_cache_script_store,
and in that case this pointer is serialized as-is. And when such a class
is loaded from opcache filecache this pointer also loaded as-is, and now
it points to some random location in memory. This causes segfaults occuring
when traversing inheritance_cache of such classes.

We need to reset inheritance_cache pointer of zend_class_entry
upon serialization. This should have been done anyway since it is a sensible
strategy to sanitize any memory pointer upon serialization (either by calling
SERIALIZE_x macros or setting to NULL or any other deterministic value).
diff --git a/ext/opcache/zend_file_cache.c b/ext/opcache/zend_file_cache.c
@@ -867,6 +867,8 @@ static void zend_file_cache_serialize_class(zval                     *zv,
 
 	ZEND_MAP_PTR_INIT(ce->static_members_table, NULL);
 	ZEND_MAP_PTR_INIT(ce->mutable_data, NULL);
+
+	ce->inheritance_cache = NULL;
 }
 
 static void zend_file_cache_serialize_warnings(

Original file line number	Diff line number	Diff line change
`@@ -867,6 +867,8 @@ static void zend_file_cache_serialize_class(zval *zv,`
`867`	`867`
`868`	`868`	`ZEND_MAP_PTR_INIT(ce->static_members_table, NULL);`
`869`	`869`	`ZEND_MAP_PTR_INIT(ce->mutable_data, NULL);`
	`870`	`+`
	`871`	`+ ce->inheritance_cache = NULL;`
`870`	`872`	`}`
`871`	`873`
`872`	`874`	`static void zend_file_cache_serialize_warnings(`