Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3:
  Fixed GH-16233: Observer segfault when calling user function in internal function via trampoline

Author: nielsdos

NEWS

@@ -35,6 +35,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-15866 (Core dumped in Zend/zend_generators.c). (Arnaud)
   . Fixed bug GH-15960 (Foreach edge cases with lazy objects). (Arnaud)
   . Fixed bug GH-16188 (Assertion failure in Zend/zend_exceptions.c). (Arnaud)
+  . Fixed bug GH-16233 (Observer segfault when calling user function in
+    internal function via trampoline). (nielsdos)
 
 - DOM:
   . Fixed bug GH-16039 (Segmentation fault (access null pointer) in

Zend/zend_object_handlers.c

@@ -32,6 +32,7 @@
 #include "zend_compile.h"
 #include "zend_hash.h"
 #include "zend_property_hooks.h"
+#include "zend_observer.h"
 
 #define DEBUG_OBJECT_HANDLERS 0
 
@@ -1627,7 +1628,8 @@ ZEND_API zend_function *zend_get_call_trampoline_func(const zend_class_entry *ce
 	 * value so that it doesn't contain garbage when the engine allocates space for the next stack
 	 * frame. This didn't cause any issues until now due to "lucky" structure layout. */
 	func->last_var = 0;
-	func->T = (fbc->type == ZEND_USER_FUNCTION)? MAX(fbc->op_array.last_var + fbc->op_array.T, 2) : 2;
+	uint32_t min_T = 2 + ZEND_OBSERVER_ENABLED;
+	func->T = (fbc->type == ZEND_USER_FUNCTION)? MAX(fbc->op_array.last_var + fbc->op_array.T, min_T) : min_T;
 	func->filename = (fbc->type == ZEND_USER_FUNCTION)? fbc->op_array.filename : ZSTR_EMPTY_ALLOC();
 	func->line_start = (fbc->type == ZEND_USER_FUNCTION)? fbc->op_array.line_start : 0;
 	func->line_end = (fbc->type == ZEND_USER_FUNCTION)? fbc->op_array.line_end : 0;

ext/zend_test/test.c

@@ -1091,6 +1091,23 @@ static ZEND_METHOD(_ZendTestMagicCall, __call)
 	RETURN_ARR(zend_new_pair(&name_zv, arguments));
 }
 
+static ZEND_METHOD(_ZendTestMagicCallForward, __call)
+{
+	zend_string *name;
+	zval *arguments;
+
+	ZEND_PARSE_PARAMETERS_START(2, 2)
+		Z_PARAM_STR(name)
+		Z_PARAM_ARRAY(arguments)
+	ZEND_PARSE_PARAMETERS_END();
+
+	ZEND_IGNORE_VALUE(arguments);
+
+	zval func;
+	ZVAL_STR(&func, name);
+	call_user_function(NULL, NULL, &func, return_value, 0, NULL);
+}
+
 PHP_INI_BEGIN()
 	STD_PHP_INI_BOOLEAN("zend_test.replace_zend_execute_ex", "0", PHP_INI_SYSTEM, OnUpdateBool, replace_zend_execute_ex, zend_zend_test_globals, zend_test_globals)
 	STD_PHP_INI_BOOLEAN("zend_test.register_passes", "0", PHP_INI_SYSTEM, OnUpdateBool, register_passes, zend_zend_test_globals, zend_test_globals)
@@ -1280,6 +1297,8 @@ PHP_MINIT_FUNCTION(zend_test)
 
 	zend_test_magic_call = register_class__ZendTestMagicCall();
 
+	register_class__ZendTestMagicCallForward();
+
 	zend_register_functions(NULL, ext_function_legacy, NULL, EG(current_module)->type);
 
 	// Loading via dl() not supported with the observer API

ext/zend_test/test.stub.php

@@ -75,6 +75,11 @@ class _ZendTestMagicCall
         public function __call(string $name, array $args): mixed {}
     }
 
+    class _ZendTestMagicCallForward
+    {
+        public function __call(string $name, array $args): mixed {}
+    }
+
     class _ZendTestChildClass extends _ZendTestClass
     {
         public function returnsThrowable(): Exception {}

ext/zend_test/test_arginfo.h

@@ -0,0 +1,32 @@
+--TEST--
+GH-16233 (Observer segfault when calling user function in internal function via trampoline)
+--EXTENSIONS--
+zend_test
+--INI--
+zend_test.observer.enabled=1
+zend_test.observer.show_output=1
+zend_test.observer.observe_all=1
+--FILE--
+<?php
+
+function callee() {
+    echo "in callee\n";
+}
+
+$test = new _ZendTestMagicCallForward;
+$test->callee();
+echo "done\n";
+
+?>
+--EXPECTF--
+<!-- init '%sgh16233.php' -->
+<file '%sgh16233.php'>
+  <!-- init _ZendTestMagicCallForward::__call() -->
+  <_ZendTestMagicCallForward::__call>
+    <!-- init callee() -->
+    <callee>
+in callee
+    </callee>
+  </_ZendTestMagicCallForward::__call>
+done
+</file '%sgh16233.php'>