-rw-r--r--NEWS1
-rw-r--r--Zend/tests/traits/bug69579.phpt20
-rw-r--r--Zend/tests/traits/get_declared_traits_001.phpt6
-rw-r--r--Zend/tests/traits/get_declared_traits_002.phpt6
-rw-r--r--Zend/tests/traits/get_declared_traits_003.phpt8
-rw-r--r--Zend/zend_builtin_functions.c16
-rw-r--r--Zend/zend_inheritance.c1
7 files changed, 49 insertions, 9 deletions
diff --git a/NEWS b/NEWS
index a22512429c..293ff51d0a 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ PHP NEWS
- COM:
. Fixed bug #73126 (Cannot pass parameter 1 by reference). (Anatol)
+ . Fixed bug #69579 (Invalid free in extension trait). (John Boehr)
- GD:
. Fixed bug #50194 (imagettftext broken on transparent background w/o
diff --git a/Zend/tests/traits/bug69579.phpt b/Zend/tests/traits/bug69579.phpt
new file mode 100644
index 0000000000..421734e74e
--- /dev/null
+++ b/Zend/tests/traits/bug69579.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #69579 (Internal trait double-free)
+--SKIPIF--
+<?php
+if (!PHP_DEBUG) die("skip only run in debug version");
+?>
+--FILE--
+<?php
+
+class Bar{
+ use _ZendTestTrait;
+}
+
+$bar = new Bar();
+var_dump($bar->testMethod());
+// destruction causes a double-free and explodes
+
+?>
+--EXPECT--
+bool(true)
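Review bot: The SKIPIF section keys on `PHP_DEBUG`, while the trait the test needs is registered under `#if ZEND_DEBUG` in Zend/zend_builtin_functions.c. Testing for the trait itself ties the skip to what the test actually uses: `if (!trait_exists('_ZendTestTrait')) die("skip requires _ZendTestTrait (debug build)");`. The comment `// destruction causes a double-free and explodes` describes the behaviour before the fix; rewording it to `// before the fix, destroying $bar freed the trait method twice` would avoid reading as a description of the expected result.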
diff --git a/Zend/tests/traits/get_declared_traits_001.phpt b/Zend/tests/traits/get_declared_traits_001.phpt
index 91f6b3d20a..b1faec3de8 100644
--- a/Zend/tests/traits/get_declared_traits_001.phpt
+++ b/Zend/tests/traits/get_declared_traits_001.phpt
@@ -12,8 +12,8 @@ final class e { }
var_dump(get_declared_traits());
?>
---EXPECT--
-array(1) {
- [0]=>
+--EXPECTF--
+array(%d) {%A
+ [%d]=>
string(1) "c"
}
diff --git a/Zend/tests/traits/get_declared_traits_002.phpt b/Zend/tests/traits/get_declared_traits_002.phpt
index 74fdcc4082..73dd73c927 100644
--- a/Zend/tests/traits/get_declared_traits_002.phpt
+++ b/Zend/tests/traits/get_declared_traits_002.phpt
@@ -13,8 +13,8 @@ namespace test {
}
?>
---EXPECT--
-array(1) {
- [0]=>
+--EXPECTF--
+array(%d) {%A
+ [%d]=>
string(6) "test\c"
}
diff --git a/Zend/tests/traits/get_declared_traits_003.phpt b/Zend/tests/traits/get_declared_traits_003.phpt
index 4a687467f2..edae3f1933 100644
--- a/Zend/tests/traits/get_declared_traits_003.phpt
+++ b/Zend/tests/traits/get_declared_traits_003.phpt
@@ -13,13 +13,15 @@ var_dump(get_declared_traits());
?>
--EXPECTF--
-%astring(1) "a"
+array(%d) {%A
+ [%d]=>
+ string(1) "a"
[%d]=>
string(1) "d"
[%d]=>
string(1) "e"
}
-array(1) {
- [0]=>
+array(%d) {%A
+ [%d]=>
string(1) "c"
}
diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
index f118ebd12a..3943c73fd3 100644
--- a/Zend/zend_builtin_functions.c
+++ b/Zend/zend_builtin_functions.c
@@ -34,6 +34,7 @@
#if ZEND_DEBUG
static zend_class_entry *zend_test_interface;
static zend_class_entry *zend_test_class;
+static zend_class_entry *zend_test_trait;
static zend_object_handlers zend_test_class_handlers;
#endif
@@ -306,6 +307,16 @@ static int zend_test_class_call_method(zend_string *method, zend_object *object,
return 0;
}
/* }}} */
+
+static ZEND_METHOD(_ZendTestTrait, testMethod) /* {{{ */ {
+ RETURN_TRUE;
+}
+/* }}} */
+
+static zend_function_entry zend_test_trait_methods[] = {
+ ZEND_ME(_ZendTestTrait, testMethod, arginfo_zend__void, ZEND_ACC_PUBLIC)
+ ZEND_FE_END
+};
#endif
static const zend_function_entry builtin_functions[] = { /* {{{ */
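Review bot: `zend_test_trait_methods` is declared as a writable `static zend_function_entry` array, while the `builtin_functions` table on the line after `#endif` is `static const`. Nothing visible in this diff writes to the new table, so `static const zend_function_entry zend_test_trait_methods[] = {` would match the neighbouring table and keep it in read-only data. `testMethod` also accepts any arguments silently; if the test trait is meant to mirror a void method, a one-line comment such as `/* arguments are intentionally ignored */` would say so.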
@@ -403,6 +414,11 @@ ZEND_MINIT_FUNCTION(core) { /* {{{ */
memcpy(&zend_test_class_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers));
zend_test_class_handlers.get_method = zend_test_class_method_get;
zend_test_class_handlers.call_method = zend_test_class_call_method;
+
+ INIT_CLASS_ENTRY(class_entry, "_ZendTestTrait", zend_test_trait_methods);
+ zend_test_trait = zend_register_internal_class(&class_entry);
+ zend_test_trait->ce_flags |= ZEND_ACC_TRAIT;
+ zend_declare_property_null(zend_test_trait, "testProp", sizeof("testProp")-1, ZEND_ACC_PUBLIC);
#endif
return SUCCESS;
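Review bot: The block that registers `_ZendTestTrait` has no comment explaining why core registers a trait in debug builds. The trait is visible to userland, which is why the `get_declared_traits_*` expectations in this commit had to be loosened. A comment above `INIT_CLASS_ENTRY` would help, for example `/* Internal trait for Zend/tests/traits/bug69579.phpt; debug builds only, shows up in get_declared_traits() */`. `class_entry` is declared outside this hunk and is reused here after the earlier registrations, and the body of ZEND_MINIT_FUNCTION(core) starts before the hunk.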
diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c
index a76fb6c285..47f6eb2e0d 100644
--- a/Zend/zend_inheritance.c
+++ b/Zend/zend_inheritance.c
@@ -1227,6 +1227,7 @@ static void zend_add_trait_method(zend_class_entry *ce, const char *name, zend_s
function_add_ref(fn);
new_fn = zend_arena_alloc(&CG(arena), sizeof(zend_op_array));
memcpy(new_fn, fn, sizeof(zend_op_array));
+ new_fn->common.fn_flags |= ZEND_ACC_ARENA_ALLOCATED;
fn = zend_hash_update_ptr(&ce->function_table, key, new_fn);
zend_add_magic_methods(ce, key, fn);
}
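Review bot: The `memcpy(new_fn, fn, sizeof(zend_op_array))` just above the added flag still copies a full `zend_op_array` regardless of the type of `fn`. This commit's own test makes `fn` an internal function, and in that case the source object is presumably the smaller `zend_internal_function`, so the copy would read past its end. The flag is also set unconditionally, including on user functions, and the hunk does not show whether it means anything there. Branching on `fn->type` keeps the allocation and copy sizes matched to the source and limits the flag to the internal case. The body of zend_add_trait_method starts and ends outside the hunk, so an existing type check elsewhere in the function cannot be ruled out.

```c
/* … unchanged: function_add_ref(fn) … */
if (fn->type == ZEND_INTERNAL_FUNCTION) {
	/* internal functions are smaller than zend_op_array: copy only what exists */
	new_fn = zend_arena_alloc(&CG(arena), sizeof(zend_internal_function));
	memcpy(new_fn, fn, sizeof(zend_internal_function));
	/* the copy lives in the arena, so the destructor must not free it */
	new_fn->common.fn_flags |= ZEND_ACC_ARENA_ALLOCATED;
} else {
	new_fn = zend_arena_alloc(&CG(arena), sizeof(zend_op_array));
	memcpy(new_fn, fn, sizeof(zend_op_array));
}
/* … unchanged: zend_hash_update_ptr and zend_add_magic_methods … */
```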