From df0c8aaee99bf7361420bca85db67d3f434bdccc Mon Sep 17 00:00:00 2001 From: Dmitry Stogov Date: Mon, 4 Apr 2022 16:36:25 +0300 Subject: [PATCH] JIT: Fix array clobbering by user error handler Fixes oss-fuzz #46336 --- Zend/zend_vm_def.h | 13 +- Zend/zend_vm_execute.h | 368 +++++++++++++++++++++- ext/opcache/tests/jit/assign_dim_015.phpt | 19 ++ 3 files changed, 391 insertions(+), 9 deletions(-) create mode 100644 ext/opcache/tests/jit/assign_dim_015.phpt diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 5207a09d34d..bbba2ca0dfc 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -2548,7 +2548,18 @@ ZEND_VM_HANDLER(23, ZEND_ASSIGN_DIM, VAR|CV, CONST|TMPVAR|UNUSED|NEXT|CV, SPEC(O ZEND_VM_C_LABEL(try_assign_dim_array): SEPARATE_ARRAY(object_ptr); if (OP2_TYPE == IS_UNUSED) { - value = GET_OP_DATA_ZVAL_PTR(BP_VAR_R); + value = GET_OP_DATA_ZVAL_PTR_UNDEF(BP_VAR_R); + if (OP_DATA_TYPE == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + ZEND_VM_C_GOTO(assign_dim_error); + } + } if (OP_DATA_TYPE == IS_CV || OP_DATA_TYPE == IS_VAR) { ZVAL_DEREF(value); } diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index cb9654688e9..1b277854700 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -23443,6 +23443,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CONST == IS_UNUSED) { value = RT_CONSTANT((opline+1), (opline+1)->op1); + if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { ZVAL_DEREF(value); } @@ -23580,6 +23591,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CONST == IS_UNUSED) { value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -23718,6 +23740,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CONST == IS_UNUSED) { value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -23855,7 +23888,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_VAR_CONST_OP_D try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CONST == IS_UNUSED) { - value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC); + value = EX_VAR((opline+1)->op1.var); + if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CV == IS_CV || IS_CV == IS_VAR) { ZVAL_DEREF(value); } @@ -26098,6 +26142,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) { value = RT_CONSTANT((opline+1), (opline+1)->op1); + if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { ZVAL_DEREF(value); } @@ -26235,6 +26290,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) { value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -26373,6 +26439,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) { value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -26510,7 +26587,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_VAR_TMPVAR_OP_ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) { - value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC); + value = EX_VAR((opline+1)->op1.var); + if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CV == IS_CV || IS_CV == IS_VAR) { ZVAL_DEREF(value); } @@ -27585,6 +27673,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_UNUSED == IS_UNUSED) { value = RT_CONSTANT((opline+1), (opline+1)->op1); + if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { ZVAL_DEREF(value); } @@ -27722,6 +27821,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_UNUSED == IS_UNUSED) { value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -27860,6 +27970,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_UNUSED == IS_UNUSED) { value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -27997,7 +28118,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_VAR_UNUSED_OP_ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_UNUSED == IS_UNUSED) { - value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC); + value = EX_VAR((opline+1)->op1.var); + if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CV == IS_CV || IS_CV == IS_VAR) { ZVAL_DEREF(value); } @@ -30217,6 +30349,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CV == IS_UNUSED) { value = RT_CONSTANT((opline+1), (opline+1)->op1); + if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { ZVAL_DEREF(value); } @@ -30354,6 +30497,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CV == IS_UNUSED) { value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -30492,6 +30646,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CV == IS_UNUSED) { value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -30629,7 +30794,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_VAR_CV_OP_DATA try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CV == IS_UNUSED) { - value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC); + value = EX_VAR((opline+1)->op1.var); + if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CV == IS_CV || IS_CV == IS_VAR) { ZVAL_DEREF(value); } @@ -41262,6 +41438,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CONST == IS_UNUSED) { value = RT_CONSTANT((opline+1), (opline+1)->op1); + if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { ZVAL_DEREF(value); } @@ -41399,6 +41586,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CONST == IS_UNUSED) { value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -41537,6 +41735,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CONST == IS_UNUSED) { value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -41674,7 +41883,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_CV_CONST_OP_DA try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CONST == IS_UNUSED) { - value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC); + value = EX_VAR((opline+1)->op1.var); + if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CV == IS_CV || IS_CV == IS_VAR) { ZVAL_DEREF(value); } @@ -45002,6 +45222,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) { value = RT_CONSTANT((opline+1), (opline+1)->op1); + if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { ZVAL_DEREF(value); } @@ -45139,6 +45370,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) { value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -45277,6 +45519,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) { value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -45414,7 +45667,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_CV_TMPVAR_OP_D try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if ((IS_TMP_VAR|IS_VAR) == IS_UNUSED) { - value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC); + value = EX_VAR((opline+1)->op1.var); + if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CV == IS_CV || IS_CV == IS_VAR) { ZVAL_DEREF(value); } @@ -46936,6 +47200,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_UNUSED == IS_UNUSED) { value = RT_CONSTANT((opline+1), (opline+1)->op1); + if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { ZVAL_DEREF(value); } @@ -47073,6 +47348,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_UNUSED == IS_UNUSED) { value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -47211,6 +47497,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_UNUSED == IS_UNUSED) { value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -47348,7 +47645,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_CV_UNUSED_OP_D try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_UNUSED == IS_UNUSED) { - value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC); + value = EX_VAR((opline+1)->op1.var); + if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CV == IS_CV || IS_CV == IS_VAR) { ZVAL_DEREF(value); } @@ -50237,6 +50545,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CV == IS_UNUSED) { value = RT_CONSTANT((opline+1), (opline+1)->op1); + if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CONST == IS_CV || IS_CONST == IS_VAR) { ZVAL_DEREF(value); } @@ -50374,6 +50693,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CV == IS_UNUSED) { value = _get_zval_ptr_tmp((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -50512,6 +50842,17 @@ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CV == IS_UNUSED) { value = _get_zval_ptr_var((opline+1)->op1.var EXECUTE_DATA_CC); + if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_VAR == IS_CV || IS_VAR == IS_VAR) { ZVAL_DEREF(value); } @@ -50649,7 +50990,18 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_DIM_SPEC_CV_CV_OP_DATA_ try_assign_dim_array: SEPARATE_ARRAY(object_ptr); if (IS_CV == IS_UNUSED) { - value = _get_zval_ptr_cv_BP_VAR_R((opline+1)->op1.var EXECUTE_DATA_CC); + value = EX_VAR((opline+1)->op1.var); + if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { + HashTable *ht = Z_ARRVAL_P(object_ptr); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) { + GC_ADDREF(ht); + } + value = zval_undefined_cv((opline+1)->op1.var EXECUTE_DATA_CC); + if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } if (IS_CV == IS_CV || IS_CV == IS_VAR) { ZVAL_DEREF(value); } diff --git a/ext/opcache/tests/jit/assign_dim_015.phpt b/ext/opcache/tests/jit/assign_dim_015.phpt new file mode 100644 index 00000000000..fd37d84764d --- /dev/null +++ b/ext/opcache/tests/jit/assign_dim_015.phpt @@ -0,0 +1,19 @@ +--TEST-- +JIT ASSIGN_DIM: 015 +--INI-- +opcache.enable=1 +opcache.enable_cli=1 +opcache.file_update_protection=0 +opcache.jit_buffer_size=1M +--FILE-- + +DONE +--EXPECT-- +Error: Undefined variable $y +DONE