php#53: Fix ref_count management for async event callbacks

EdmondDantes · EdmondDantes · commit b98f746a1e9a · 2025-09-20T08:42:35.000+03:00
This commit fixes a critical memory management issue in the async event
        callback system where callbacks were created with ref_count=1 but add
        methods didn't increment the counter, leading to premature deallocation.

        Changes:
        - Initialize all callbacks with ref_count=0 instead of 1
        - Add ref_count increment in callback registration methods
        - Remove incorrect ref_count validation in zend_async_resume_when

        Modified files:
        * Zend/zend_async_API.c: Fix zend_async_coroutine_callback_new and
          waker_trigger_add_callback
        * Zend/zend_async_API.h: Fix zend_async_callbacks_push
        * main/network_async.c: Fix 5 direct callback initializations for
          poll_callback_t, select_callback_t, async_stream_callback_t, and
          dns_callback_t structures

        This ensures proper lifetime management for all async callback types
        including socket, DNS, stream, and scope callbacks.
diff --git a/Zend/zend_async_API.c b/Zend/zend_async_API.c
@@ -451,7 +451,7 @@ ZEND_API zend_coroutine_event_callback_t *zend_async_coroutine_callback_new(
 	zend_coroutine_event_callback_t *coroutine_callback
 			= ecalloc(1, size != 0 ? size : sizeof(zend_coroutine_event_callback_t));
 
-	coroutine_callback->base.ref_count = 1;
+	coroutine_callback->base.ref_count = 0;
 	coroutine_callback->base.callback = callback;
 	coroutine_callback->coroutine = coroutine;
 	coroutine_callback->base.dispose = coroutine_event_callback_dispose;
@@ -773,7 +773,7 @@ ZEND_API void zend_async_resume_when(zend_coroutine_t *coroutine, zend_async_eve
 {
 	zend_exception_save();
 
-	bool locally_allocated_callback = false;
+	bool callback_should_dispose = false;
 
 	if (UNEXPECTED(ZEND_ASYNC_EVENT_IS_CLOSED(event))) {
 		zend_throw_error(NULL, "The event cannot be used after it has been terminated");
@@ -794,11 +794,14 @@ ZEND_API void zend_async_resume_when(zend_coroutine_t *coroutine, zend_async_eve
 
 	if (event_callback == NULL) {
 		event_callback = emalloc(sizeof(zend_coroutine_event_callback_t));
-		event_callback->base.ref_count = 1;
+		event_callback->base.ref_count = 0;
 		event_callback->base.callback = callback;
 		event_callback->base.dispose = coroutine_event_callback_dispose;
 		event_callback->event = event;
-		locally_allocated_callback = true;
+		callback_should_dispose = true;
+	} else if (event_callback->base.ref_count == 0) {
+		// Refcount is 0 means someone is transfer of ownership
+		callback_should_dispose = true;
 	}
 
 	// Set up the default dispose function if not set
@@ -811,17 +814,14 @@ ZEND_API void zend_async_resume_when(zend_coroutine_t *coroutine, zend_async_eve
 		event_callback->event = event;
 	}
 
-	if (event_callback->base.ref_count == 0) {
-		event_callback->base.ref_count = 1;
-	}
-
-	ZEND_ASSERT(event_callback->base.ref_count > 0 && "Callback ref_count must be greater than 0.");
+	ZEND_ASSERT(event_callback->base.ref_count >= 0 && "Callback ref_count must be non-negative.");
 
 	event_callback->coroutine = coroutine;
 	event->add_callback(event, &event_callback->base);
 
 	if (UNEXPECTED(EG(exception) != NULL)) {
-		if (locally_allocated_callback) {
+		if (callback_should_dispose) {
+			event_callback->base.ref_count = 1;
 			event_callback->base.dispose(&event_callback->base, event);
 		}
 
@@ -860,7 +860,8 @@ ZEND_API void zend_async_resume_when(zend_coroutine_t *coroutine, zend_async_eve
 				event_callback->coroutine = NULL;
 				event->del_callback(event, &event_callback->base);
 
-				if (locally_allocated_callback) {
+				if (callback_should_dispose) {
+					event_callback->base.ref_count = 1;
 					event_callback->base.dispose(&event_callback->base, event);
 				}
 
diff --git a/Zend/zend_async_API.h b/Zend/zend_async_API.h
@@ -674,6 +674,7 @@ static zend_always_inline void zend_async_callbacks_push(
 				vector->data, vector->capacity, sizeof(zend_async_event_callback_t *), 0);
 	}
 
+	callback->ref_count++;
 	vector->data[vector->length++] = callback;
 }
 
diff --git a/main/network_async.c b/main/network_async.c
@@ -529,7 +529,7 @@ ZEND_API int php_poll2_async(php_pollfd *ufds, unsigned int nfds, int timeout)
 		// so it can update the revents field when the event occurs.
 		poll_callback_t * callback = ecalloc(1, sizeof(poll_callback_t));
 		callback->callback.coroutine = coroutine;
-		callback->callback.base.ref_count = 1;
+		callback->callback.base.ref_count = 0;
 		callback->callback.base.callback = poll_callback_resolve;
 		callback->ufd = &ufds[i];
 
@@ -746,7 +746,7 @@ ZEND_API int php_select_async(php_socket_t max_fd, fd_set *rfds, fd_set *wfds, f
 
 		select_callback_t * callback = ecalloc(1, sizeof(select_callback_t));
 		callback->callback.coroutine = coroutine;
-		callback->callback.base.ref_count = 1;
+		callback->callback.base.ref_count = 0;
 		callback->callback.base.callback = select_callback_resolve;
 		callback->fd = i;
 		callback->rfds = &aread;
@@ -952,7 +952,7 @@ static zend_always_inline bool process_stream_array(
 
 		async_stream_callback_t *callback = ecalloc(1, sizeof(async_stream_callback_t));
 		callback->callback.coroutine = coroutine;
-		callback->callback.base.ref_count = 1;
+		callback->callback.base.ref_count = 0;
 		callback->callback.base.callback = async_stream_callback_resolve;
 		callback->stream = stream;
 		callback->event = poll_event;
@@ -1419,6 +1419,8 @@ static void dns_nameinfo_callback_resolve(
 
 		if (dns_callback->hostname_result != NULL) {
 			*(dns_callback->hostname_result) = dns_event->hostname;
+			// Should be free by the caller using zend_string_release (php_network_gethostbyaddr_async)
+			zend_string_addref(dns_event->hostname);
 		}
 
 		ZVAL_TRUE(&coroutine->waker->result);
@@ -1456,7 +1458,7 @@ ZEND_API int php_network_getaddrinfo_async(const char *node, const char *service
 
 	dns_callback_t *callback = ecalloc(1, sizeof(dns_callback_t));
 	callback->callback.coroutine = coroutine;
-	callback->callback.base.ref_count = 1;
+	callback->callback.base.ref_count = 0;
 	callback->callback.base.callback = dns_callback_resolve;
 	callback->result = res;
 
@@ -1639,7 +1641,7 @@ ZEND_API zend_string* php_network_gethostbyaddr_async(const char *ip)
 	zend_string *hostname_result = NULL;
 	dns_callback_t *callback = ecalloc(1, sizeof(dns_callback_t));
 	callback->callback.coroutine = coroutine;
-	callback->callback.base.ref_count = 1;
+	callback->callback.base.ref_count = 0;
 	callback->callback.base.callback = dns_nameinfo_callback_resolve;
 	callback->hostname_result = &hostname_result;
 
@@ -1659,16 +1661,16 @@ ZEND_API zend_string* php_network_gethostbyaddr_async(const char *ip)
 
 	IF_EXCEPTION_GOTO_ERROR;
 
-	if (hostname_result != NULL) {
-		zend_string_addref(hostname_result);
-	}
-
 	if (Z_TYPE(coroutine->waker->result) == IS_TRUE) {
 		zend_async_waker_clean(coroutine);
 		return hostname_result;
 	}
 
 error:
+	if (hostname_result != NULL) {
+		zend_string_release(hostname_result);
+	}
+
 	zend_async_waker_clean(coroutine);
 	dns_handle_exception_and_errno();
 	return NULL;

Original file line number	Diff line number	Diff line change
`@@ -674,6 +674,7 @@ static zend_always_inline void zend_async_callbacks_push(`
`674`	`674`	`vector->data, vector->capacity, sizeof(zend_async_event_callback_t *), 0);`
`675`	`675`	`}`
`676`	`676`
	`677`	`+ callback->ref_count++;`
`677`	`678`	`vector->data[vector->length++] = callback;`
`678`	`679`	`}`
`679`	`680`