Fix GH-21639: Protect frameless args during __toString() reentry

[prateekbhujel]

Fixes GH-21639.

Frameless internal calls borrow CV operands from the caller frame. If an argument is converted through __toString(), that call can re-enter userland and change those CVs while the frameless handler is still using them.

This keeps copies only when __toString() is entered from an active frameless opcode, and releases them at the frameless handler cleanup point. The JIT frameless path uses the same cleanup point.

Normal frameless calls only keep the cold pending-copy check after the handler.

Tests run:

env PATH=/opt/homebrew/opt/bison/bin:$PATH make -j8
git diff --check
sapi/cli/php run-tests.php -q Zend/tests/gh21639.phpt ext/pcre/tests/gh21639.phpt ext/standard/tests/strings/bug22224.phpt ext/standard/tests/strings/implode_variation.phpt ext/standard/tests/array/in_array_variation1.phpt ext/standard/tests/strings/strtr_basic.phpt ext/standard/tests/strings/str_replace_basic.phpt ext/pcre/tests/preg_replace.phpt
sapi/cli/php -d zend_extension=$PWD/modules/opcache.so -d opcache.enable_cli=1 -d opcache.jit=tracing -d opcache.protect_memory=1 -d opcache.jit_buffer_size=64M run-tests.php -q Zend/tests/gh21639.phpt ext/pcre/tests/gh21639.phpt Zend/tests/frameless_undefined_var.phpt

[iluuu1994]

Thanks for the PR. implode() is just one example, this applies to:

• preg_replace
• in_array (with strict: false)
• strtr
• str_replace

I'm afraid this will need a more general solution. My hope was to avoid overhead in the VM, but it might be unavoidable for a proper fix, even if this is a largely artificial issue.

[iluuu1994]

The Symfony benchmark IC increases by 0.64%, the Wordpress one by 1.15%. This removes much of the benefit of frameless calls, so I'm not to keen on solving this issue in that way. As long as other engine bugs aren't solved (#20001 and #20018) I don't think this needs to be rushed.

[bwoebi]

The other alternative would be checking inside the tostring handler whether the parent frame is currently at a frameless opcode and then safely copy its CV args to a buffer, set EG(vm_interrupt) and free them on the next EG(vm_interrupt), completely moving the overhead off the main paths and be a truly generic solution.
(Not necessarily vm_interrupt, it can rather be like the delayed error handler solution.)

Obviously comes at a small tostring handler cost, but I'd really rather see overhead there...?

[prateekbhujel]

@bwoebi I pushed the __toString() side version.

It only creates copies when __toString() is reached from a frameless opcode. Cleanup happens after the frameless handler returns; doing it from vm_interrupt can run too early, while the parent frame still points at the same opline.

So normal frameless calls only keep the cold pending-copy check after the handler.

[prateekbhujel]

Pushed one small cleanup on top.

The copies are now only cleaned up from the frameless handler cleanup point, with executor shutdown as the fallback. I dropped the extra vm_interrupt cleanup path because it made the lifetime rules harder to follow and wasn't needed for the normal handler return path.

I also updated the PR body with the exact local test commands I ran.