Fix double-free and ZTS-related issues

Building against a ZTS-enabled build of PHP uncovered several issues,
including:

  * Use of missing `tsrm_ls` value. Added calls to TSRMLS_FETCH() where
    needed.
  * String keys returned with `value_array_keys` are now duplicated,
    and as such are correctly passed (and freed) to the caller.
  * Functions `value_array_index_get` and `value_array_key_get`
    incorrectly returned references of, rather than copies to, the
    values required.
  * Method `receiverSet` incorrectly called `Destroy` on the member
    value.

Author: deuill

context/context.c

@@ -76,12 +76,12 @@ void context_exec(engine_context *context, char *filename) {
 
 void *context_eval(engine_context *context, char *script) {
 	int ret;
+	zval *retval;
 
 	#ifdef ZTS
 		void ***tsrm_ls = context->tsrm_ls;
 	#endif
 
-	zval *retval;
 	MAKE_STD_ZVAL(retval);
 
 	// Attempt to evaluate inline script.
@@ -117,6 +117,10 @@ void context_bind(engine_context *context, char *name, void *value) {
 }
 
 void context_destroy(engine_context *context) {
+	#ifdef ZTS
+		void ***tsrm_ls = context->tsrm_ls;
+	#endif
+
 	php_request_shutdown((void *) 0);
 
 	SG(server_context) = NULL;

receiver/receiver.c

@@ -223,6 +223,10 @@ static zend_object_value receiver_create(zend_class_entry *class_type TSRMLS_DC)
 }
 
 void receiver_define(char *name, void *rcvr) {
+	#ifdef ZTS
+		TSRMLS_FETCH();
+	#endif
+
 	zend_class_entry tmp;
 	INIT_CLASS_ENTRY_EX(tmp, name, strlen(name), NULL);
 

receiver/receiver.go

@@ -129,7 +129,6 @@ func receiverSet(obj unsafe.Pointer, name *C.char, val unsafe.Pointer) {
 	}
 
 	o.values[n].Set(reflect.ValueOf(v.Interface()))
-	v.Destroy()
 }
 
 //export receiverExists

receiver/receiver.h

@@ -11,11 +11,12 @@ typedef struct _engine_receiver {
 } engine_receiver;
 
 #define receiver_get_pointer(ce, name) \
-	(void *) Z_LVAL_P(zend_read_static_property(ce, name, sizeof(name) - 1, 1))
+	(void *) Z_LVAL_P(zend_read_static_property(ce, name, sizeof(name) - 1, 1 \
+	TSRMLS_CC))
 
 #define receiver_set_pointer(ce, name, ptr) \
 	zend_declare_property_long(ce, name, sizeof(name) - 1, (long int) ptr, \
-	ZEND_ACC_STATIC | ZEND_ACC_PRIVATE TSRMLS_CC);
+	ZEND_ACC_STATIC | ZEND_ACC_PRIVATE TSRMLS_CC)
 
 void receiver_define(char *name, void *rcvr);
 

value/value.c

@@ -146,13 +146,21 @@ void value_array_key_set(engine_value *arr, const char *key, engine_value *val)
 engine_value *value_create_object() {
 	zval *zv;
 
+	#ifdef ZTS
+		TSRMLS_FETCH();
+	#endif
+
 	MAKE_STD_ZVAL(zv);
 	object_init(zv);
 
 	return value_new(zv);
 }
 
 void value_object_property_add(engine_value *obj, const char *key, engine_value *val) {
+	#ifdef ZTS
+		TSRMLS_FETCH();
+	#endif
+
 	add_property_zval(obj->value, key, val->value);
 }
 
@@ -208,6 +216,10 @@ char *value_get_string(engine_value *val) {
 	zval *tmp;
 	int result;
 
+	#ifdef ZTS
+		TSRMLS_FETCH();
+	#endif
+
 	switch (val->kind) {
 	case KIND_STRING:
 		tmp = val->value;
@@ -237,6 +249,10 @@ char *value_get_string(engine_value *val) {
 }
 
 unsigned int value_array_size(engine_value *arr) {
+	#ifdef ZTS
+		TSRMLS_FETCH();
+	#endif
+
 	switch (arr->kind) {
 	case KIND_ARRAY:
 	case KIND_MAP:
@@ -259,6 +275,10 @@ engine_value *value_array_keys(engine_value *arr) {
 	char *k = NULL;
 	unsigned long i = 0;
 
+	#ifdef ZTS
+		TSRMLS_FETCH();
+	#endif
+
 	HashTable *h = NULL;
 	engine_value *keys = value_create_array(value_array_size(arr));
 
@@ -279,7 +299,7 @@ engine_value *value_array_keys(engine_value *arr) {
 				add_next_index_long(keys->value, i);
 				break;
 			case HASH_KEY_IS_STRING:
-				add_next_index_string(keys->value, k, 0);
+				add_next_index_string(keys->value, k, 1);
 				break;
 			}
 
@@ -301,6 +321,10 @@ engine_value *value_array_keys(engine_value *arr) {
 void value_array_reset(engine_value *arr) {
 	HashTable *h = NULL;
 
+	#ifdef ZTS
+		TSRMLS_FETCH();
+	#endif
+
 	switch (arr->kind) {
 	case KIND_ARRAY:
 	case KIND_MAP:
@@ -320,6 +344,10 @@ engine_value *value_array_next_get(engine_value *arr) {
 	zval **tmp = NULL;
 	HashTable *h = NULL;
 
+	#ifdef ZTS
+		TSRMLS_FETCH();
+	#endif
+
 	switch (arr->kind) {
 	case KIND_ARRAY:
 	case KIND_MAP:
@@ -347,6 +375,10 @@ engine_value *value_array_index_get(engine_value *arr, unsigned long idx) {
 	zval **zv = NULL;
 	HashTable *h = NULL;
 
+	#ifdef ZTS
+		TSRMLS_FETCH();
+	#endif
+
 	switch (arr->kind) {
 	case KIND_ARRAY:
 	case KIND_MAP:
@@ -367,7 +399,7 @@ engine_value *value_array_index_get(engine_value *arr, unsigned long idx) {
 	}
 
 	if (zend_hash_index_find(h, idx, (void **) &zv) == SUCCESS) {
-		return value_new(*zv);
+		return value_new_copy(*zv);
 	}
 
 	return value_create_null();
@@ -377,6 +409,10 @@ engine_value *value_array_key_get(engine_value *arr, char *key) {
 	zval **zv = NULL;
 	HashTable *h = NULL;
 
+	#ifdef ZTS
+		TSRMLS_FETCH();
+	#endif
+
 	switch (arr->kind) {
 	case KIND_ARRAY:
 	case KIND_MAP:
@@ -390,7 +426,7 @@ engine_value *value_array_key_get(engine_value *arr, char *key) {
 	}
 
 	if (zend_hash_find(h, key, strlen(key) + 1, (void **) &zv) == SUCCESS) {
-		return value_new(*zv);
+		return value_new_copy(*zv);
 	}
 
 	return value_create_null();