From 185304a61e08c07228e718139ef5284a7021bbbd Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@gmail.com>
Date: Fri, 10 Feb 2017 14:24:01 +0800
Subject: [PATCH] Fixed bug #74019 (Segfault with list)

---
 NEWS                                   |  3 +++
 ext/opcache/Optimizer/zend_optimizer.c | 22 ++++++++++++++++++----
 ext/opcache/tests/bug74019.phpt        | 25 +++++++++++++++++++++++++
 3 files changed, 46 insertions(+), 4 deletions(-)
 create mode 100644 ext/opcache/tests/bug74019.phpt

diff --git a/NEWS b/NEWS
index 5ff0ee7f638..ccd6c851da7 100644
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,9 @@ PHP                                                                        NEWS
   . Fixed bug #74031 (ReflectionFunction for imagepng is missing last two
     parameters). (finwe)
 
+- Opcache:
+  . Fixed bug #74019 (Segfault with list). (Laruence)
+
 - OpenSSL:
   . Fixed bug #74022 (PHP Fast CGI crashes when reading from a pfx file).
     (Anatol)
diff --git a/ext/opcache/Optimizer/zend_optimizer.c b/ext/opcache/Optimizer/zend_optimizer.c
index dd3b6bd03a5..7ae0e061277 100644
--- a/ext/opcache/Optimizer/zend_optimizer.c
+++ b/ext/opcache/Optimizer/zend_optimizer.c
@@ -406,12 +406,26 @@ int zend_optimizer_replace_by_const(zend_op_array *op_array,
 					break;
 				/* In most cases IS_TMP_VAR operand may be used only once.
 				 * The operands are usually destroyed by the opcode handler.
-				 * ZEND_CASE is an exception, that keeps operand unchanged,
-				 * and allows its reuse. The number of ZEND_CASE instructions
+				 * ZEND_CASE and ZEND_FETCH_LIST are exceptions, they keeps operand
+				 * unchanged, and allows its reuse. these instructions
 				 * usually terminated by ZEND_FREE that finally kills the value.
 				 */
-				case ZEND_FREE:
-				case ZEND_CASE: {
+				case ZEND_FETCH_LIST: {
+					zend_op *m = opline;
+					do {
+						if (m->opcode == ZEND_FETCH_LIST &&
+							ZEND_OP1_TYPE(m) == type &&
+							ZEND_OP1(m).var == var) {
+							zend_optimizer_update_op1_const(op_array, m, val);
+						}
+						m++;
+					} while (m->opcode != ZEND_FREE || ZEND_OP1_TYPE(m) != type || ZEND_OP1(m).var != var);
+					ZEND_ASSERT(m->opcode == ZEND_FREE && ZEND_OP1_TYPE(m) == type && ZEND_OP1(m).var == var);
+					MAKE_NOP(m);
+					return 1;
+				}
+				case ZEND_CASE:
+				case ZEND_FREE: {
 					zend_op *m, *n;
 					int brk = op_array->last_brk_cont;
 					zend_bool in_switch = 0;
diff --git a/ext/opcache/tests/bug74019.phpt b/ext/opcache/tests/bug74019.phpt
new file mode 100644
index 00000000000..210e223c82c
--- /dev/null
+++ b/ext/opcache/tests/bug74019.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #74019	(Segfault with list)
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+
+class A {
+	public function seg() {
+		list($a, $b) = A::CONSTS;
+		var_dump($a, $b);
+		return;
+	}
+	const CONSTS = [1, 2];
+}
+
+$a = new A;
+$a->seg();
+?>
+--EXPECT--
+int(1)
+int(2)