Fix GH-10709: UAF in recursive AST evaluation

Zend/tests/gh10709.phpt

@@ -0,0 +1,21 @@
+--TEST--
+GH-10709: Recursive class constant evaluation
+--FILE--
+<?php
+
+class B { const C = A::C . "B"; }
+
+spl_autoload_register(function ($class) {
+    class A { const C = "A"; }
+    var_dump(B::C);
+});
+
+try {
+    new B();
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+string(2) "AB"

Zend/tests/gh10709_2.phpt

@@ -0,0 +1,30 @@
+--TEST--
+GH-10709: Recursive class constant evaluation
+--FILE--
+<?php
+
+class B {
+    public $prop = A::C;
+}
+
+spl_autoload_register(function ($class) {
+    class A { const C = "A"; }
+    var_dump(new B());
+});
+
+try {
+    var_dump(new B());
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+object(B)#2 (1) {
+  ["prop"]=>
+  string(1) "A"
+}
+object(B)#2 (1) {
+  ["prop"]=>
+  string(1) "A"
+}

Zend/tests/gh10709_3.phpt

@@ -0,0 +1,42 @@
+--TEST--
+GH-10709: Recursive class constant evaluation with outer call failing
+--FILE--
+<?php
+
+class S {
+    public function __toString() {
+        static $i = 0;
+        $i++;
+        if ($i === 1) {
+            return 'S';
+        } else {
+            throw new \Exception('Thrown from S');
+        }
+    }
+}
+
+const S = new S();
+
+class B {
+    public $prop = A::C . S;
+}
+
+spl_autoload_register(function ($class) {
+    class A { const C = "A"; }
+    var_dump(new B());
+});
+
+var_dump(new B());
+
+?>
+--EXPECTF--
+object(B)#3 (1) {
+  ["prop"]=>
+  string(2) "AS"
+}
+
+Fatal error: Uncaught Exception: Thrown from S in %s:%d
+Stack trace:
+#0 %s(%d): S->__toString()
+#1 {main}
+  thrown in %s on line %d

Zend/zend_execute_API.c

@@ -680,9 +680,23 @@ ZEND_API zend_result ZEND_FASTCALL zval_update_constant_ex(zval *p, zend_class_e
 		} else {
 			zval tmp;
 
+			// Increase the refcount during zend_ast_evaluate to avoid releasing the ast too early
+			// on nested calls to zval_update_constant_ex which can happen when retriggering ast
+			// evaluation during autoloading.
+			zend_ast_ref *ast_ref = Z_AST_P(p);
+			bool ast_is_refcounted = !(GC_FLAGS(ast_ref) & GC_IMMUTABLE);
+			if (ast_is_refcounted) {
+				GC_ADDREF(ast_ref);
+			}
 			if (UNEXPECTED(zend_ast_evaluate(&tmp, ast, scope) != SUCCESS)) {
+				if (ast_is_refcounted && !GC_DELREF(ast_ref)) {
+					rc_dtor_func((zend_refcounted *)ast_ref);
+				}
 				return FAILURE;
 			}
+			if (ast_is_refcounted && !GC_DELREF(ast_ref)) {
+				rc_dtor_func((zend_refcounted *)ast_ref);
+			}
 			zval_ptr_dtor_nogc(p);
 			ZVAL_COPY_VALUE(p, &tmp);
 		}

ext/opcache/jit/zend_jit_helpers.c

@@ -3035,9 +3035,23 @@ static zend_result ZEND_FASTCALL zval_jit_update_constant_ex(zval *p, zend_class
 		} else {
 			zval tmp;
 
+			// Increase the refcount during zend_ast_evaluate to avoid releasing the ast too early
+			// on nested calls to zval_update_constant_ex which can happen when retriggering ast
+			// evaluation during autoloading.
+			zend_ast_ref *ast_ref = Z_AST_P(p);
+			bool ast_is_refcounted = !(GC_FLAGS(ast_ref) & GC_IMMUTABLE);
+			if (ast_is_refcounted) {
+				GC_ADDREF(ast_ref);
+			}
 			if (UNEXPECTED(zend_ast_evaluate(&tmp, ast, scope) != SUCCESS)) {
+				if (ast_is_refcounted && !GC_DELREF(ast_ref)) {
+					rc_dtor_func((zend_refcounted *)ast_ref);
+				}
 				return FAILURE;
 			}
+			if (ast_is_refcounted && !GC_DELREF(ast_ref)) {
+				rc_dtor_func((zend_refcounted *)ast_ref);
+			}
 			zval_ptr_dtor_nogc(p);
 			ZVAL_COPY_VALUE(p, &tmp);
 		}

ext/opcache/zend_persist.c

@@ -248,6 +248,7 @@ static void zend_persist_zval(zval *z)
 				zend_persist_ast(GC_AST(old_ref));
 				Z_TYPE_FLAGS_P(z) = 0;
 				GC_SET_REFCOUNT(Z_COUNTED_P(z), 1);
+				GC_ADD_FLAGS(Z_COUNTED_P(z), GC_IMMUTABLE);
 				efree(old_ref);
 			}
 			break;