Fix caching arg by name

arnaud-lb · arnaud-lb · commit 9ccfb2fcd233 · 2025-09-24T17:10:29.000+02:00
Non-persistent arg infos allocated by pdo_hash_methods() break
zend_get_arg_offset_by_name() again.

Fix zend_get_arg_offset_by_name() by excluding ZEND_ACC_NEVER_CACHE instead of
ZEND_ACC_USER_ARG_INFO. Also flag Closure::__invoke() with ZEND_ACC_NEVER_CACHE
(It was already flagged with ZEND_ACC_CALL_VIA_HANDLER, which is synonymous of
ZEND_ACC_NEVER_CACHE WRT caching).

This would allow to remove ZEND_ACC_USER_ARG_INFO later.
diff --git a/Zend/tests/closures/gh19653_3.phpt b/Zend/tests/closures/gh19653_3.phpt
@@ -0,0 +1,21 @@
+--TEST--
+GH-19653 (Closure named argument unpacking between temporary closures can cause a crash) - temporary method variation
+--EXTENSIONS--
+zend_test
+--FILE--
+<?php
+
+function usage1($f) {
+    $f(tmpMethodParamName: null);
+}
+
+usage1([new _ZendTestClass(), 'testTmpMethodWithArgInfo']);
+usage1(eval('return function (string $a, string $b): string { return $a.$b; };'));
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Unknown named parameter $tmpMethodParamName in %s:%d
+Stack trace:
+#0 %s(%d): usage1(Object(Closure))
+#1 {main}
+  thrown in %s on line %d
diff --git a/Zend/zend_closures.c b/Zend/zend_closures.c
@@ -497,7 +497,7 @@ ZEND_API zend_function *zend_get_closure_invoke_method(zend_object *object) /* {
 	 * ZEND_ACC_USER_ARG_INFO flag to prevent invalid usage by Reflection */
 	invoke->type = ZEND_INTERNAL_FUNCTION;
 	invoke->internal_function.fn_flags =
-		ZEND_ACC_PUBLIC | ZEND_ACC_CALL_VIA_HANDLER | (closure->func.common.fn_flags & keep_flags);
+		ZEND_ACC_PUBLIC | ZEND_ACC_CALL_VIA_HANDLER | ZEND_ACC_NEVER_CACHE | (closure->func.common.fn_flags & keep_flags);
 	if (closure->func.type != ZEND_INTERNAL_FUNCTION || (closure->func.common.fn_flags & ZEND_ACC_USER_ARG_INFO)) {
 		invoke->internal_function.fn_flags |=
 			ZEND_ACC_USER_ARG_INFO;
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -5478,7 +5478,7 @@ static zend_always_inline uint32_t zend_get_arg_offset_by_name(
 			if ((fbc->type == ZEND_USER_FUNCTION
 			  && (!fbc->op_array.refcount || !(fbc->op_array.fn_flags & ZEND_ACC_CLOSURE)))
 			 || (fbc->type == ZEND_INTERNAL_FUNCTION
-			  && !(fbc->common.fn_flags & ZEND_ACC_USER_ARG_INFO))) {
+			  && !(fbc->common.fn_flags & ZEND_ACC_NEVER_CACHE))) {
 				*cache_slot = unique_id;
 				*(uintptr_t *)(cache_slot + 1) = i;
 			}
@@ -5490,7 +5490,7 @@ static zend_always_inline uint32_t zend_get_arg_offset_by_name(
 		if ((fbc->type == ZEND_USER_FUNCTION
 		  && (!fbc->op_array.refcount || !(fbc->op_array.fn_flags & ZEND_ACC_CLOSURE)))
 		 || (fbc->type == ZEND_INTERNAL_FUNCTION
-		  && !(fbc->common.fn_flags & ZEND_ACC_USER_ARG_INFO))) {
+		  && !(fbc->common.fn_flags & ZEND_ACC_NEVER_CACHE))) {
 			*cache_slot = unique_id;
 			*(uintptr_t *)(cache_slot + 1) = fbc->common.num_args;
 		}
