php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

JIT: Fix array clobbering by user error handler

Browse Source 
Fixes oss-fuzz #46336
This commit is contained in:
Dmitry Stogov
2022-04-04 16:36:25 +03:00
parent afd8f84c1a
commit df0c8aaee9
3 changed files with 391 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
Zend/zend_vm_def.h
View File

@@ -2548,7 +2548,18 @@ ZEND_VM_HANDLER(23, ZEND_ASSIGN_DIM, VAR|CV, CONST|TMPVAR|UNUSED|NEXT|CV, SPEC(O
ZEND_VM_C_LABEL(try_assign_dim_array):
SEPARATE_ARRAY(object_ptr);
if (OP2_TYPE == IS_UNUSED) {
value = GET_OP_DATA_ZVAL_PTR(BP_VAR_R);
value = GET_OP_DATA_ZVAL_PTR_UNDEF(BP_VAR_R);
if (OP_DATA_TYPE == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
ZEND_VM_C_GOTO(assign_dim_error);
}
}
if (OP_DATA_TYPE == IS_CV || OP_DATA_TYPE == IS_VAR) {
ZVAL_DEREF(value);
}

368
Zend/zend_vm_execute.h
View File

@@ -23443,6 +23443,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CONST == IS_UNUSED) {
value = RT_CONSTANT((opline+1), (opline+1)->op1);
if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -23580,6 +23591,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CONST == IS_UNUSED) {
value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -23718,6 +23740,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CONST == IS_UNUSED) {
value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -23855,7 +23888,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_VAR_CONST_OP_D
try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CONST == IS_UNUSED) {
value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC);
value = EX_VAR((opline+1)->op1.var);
if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CV == IS_CV || IS_CV == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -26098,6 +26142,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) {
value = RT_CONSTANT((opline+1), (opline+1)->op1);
if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -26235,6 +26290,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) {
value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -26373,6 +26439,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) {
value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -26510,7 +26587,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_VAR_TMPVAR_OP_
try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) {
value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC);
value = EX_VAR((opline+1)->op1.var);
if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CV == IS_CV || IS_CV == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -27585,6 +27673,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_UNUSED == IS_UNUSED) {
value = RT_CONSTANT((opline+1), (opline+1)->op1);
if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -27722,6 +27821,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_UNUSED == IS_UNUSED) {
value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -27860,6 +27970,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_UNUSED == IS_UNUSED) {
value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -27997,7 +28118,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_VAR_UNUSED_OP_
try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_UNUSED == IS_UNUSED) {
value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC);
value = EX_VAR((opline+1)->op1.var);
if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CV == IS_CV || IS_CV == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -30217,6 +30349,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CV == IS_UNUSED) {
value = RT_CONSTANT((opline+1), (opline+1)->op1);
if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -30354,6 +30497,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CV == IS_UNUSED) {
value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -30492,6 +30646,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CV == IS_UNUSED) {
value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -30629,7 +30794,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_VAR_CV_OP_DATA
try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CV == IS_UNUSED) {
value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC);
value = EX_VAR((opline+1)->op1.var);
if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CV == IS_CV || IS_CV == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -41262,6 +41438,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CONST == IS_UNUSED) {
value = RT_CONSTANT((opline+1), (opline+1)->op1);
if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -41399,6 +41586,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CONST == IS_UNUSED) {
value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -41537,6 +41735,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CONST == IS_UNUSED) {
value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -41674,7 +41883,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_CV_CONST_OP_DA
try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CONST == IS_UNUSED) {
value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC);
value = EX_VAR((opline+1)->op1.var);
if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CV == IS_CV || IS_CV == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -45002,6 +45222,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) {
value = RT_CONSTANT((opline+1), (opline+1)->op1);
if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -45139,6 +45370,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) {
value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -45277,6 +45519,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) {
value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -45414,7 +45667,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_CV_TMPVAR_OP_D
try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) {
value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC);
value = EX_VAR((opline+1)->op1.var);
if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CV == IS_CV || IS_CV == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -46936,6 +47200,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_UNUSED == IS_UNUSED) {
value = RT_CONSTANT((opline+1), (opline+1)->op1);
if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -47073,6 +47348,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_UNUSED == IS_UNUSED) {
value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -47211,6 +47497,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_UNUSED == IS_UNUSED) {
value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -47348,7 +47645,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_CV_UNUSED_OP_D
try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_UNUSED == IS_UNUSED) {
value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC);
value = EX_VAR((opline+1)->op1.var);
if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CV == IS_CV || IS_CV == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -50237,6 +50545,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CV == IS_UNUSED) {
value = RT_CONSTANT((opline+1), (opline+1)->op1);
if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -50374,6 +50693,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CV == IS_UNUSED) {
value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -50512,6 +50842,17 @@ try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CV == IS_UNUSED) {
value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC);
if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
ZVAL_DEREF(value);
}
@@ -50649,7 +50990,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_CV_CV_OP_DATA_
try_assign_dim_array:
SEPARATE_ARRAY(object_ptr);
if (IS_CV == IS_UNUSED) {
value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC);
value = EX_VAR((opline+1)->op1.var);
if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
HashTable *ht = Z_ARRVAL_P(object_ptr);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
GC_ADDREF(ht);
}
value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC);
if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
zend_array_destroy(ht);
goto assign_dim_error;
}
}
if (IS_CV == IS_CV || IS_CV == IS_VAR) {
ZVAL_DEREF(value);
}

19
ext/opcache/tests/jit/assign_dim_015.phpt Normal file
View File

@@ -0,0 +1,19 @@
--TEST--
JIT ASSIGN_DIM: 015
--INI--
opcache.enable=1
opcache.enable_cli=1
opcache.file_update_protection=0
opcache.jit_buffer_size=1M
--FILE--
<?php
set_error_handler(function($code, $msg) use (&$my_var) {
echo "Error: $msg\n";
$my_var = 0;
});
$my_var[] = $y;
?>
DONE
--EXPECT--
Error: Undefined variable $y
DONE