From 5459ed4c2fbc25560da3808e823c0503704a8f31 Mon Sep 17 00:00:00 2001 From: Dmitry Stogov Date: Mon, 6 Dec 2021 13:08:27 +0300 Subject: [PATCH] Fix use after free because of data clobbering by user error handler Fixes oss-fuzz #41692 --- Zend/tests/falsetoarray_002.phpt | 15 + Zend/zend_execute.c | 19 +- Zend/zend_vm_def.h | 31 +- Zend/zend_vm_execute.h | 656 +++++++++++++++++++++-------- ext/opcache/jit/zend_jit_helpers.c | 36 +- 5 files changed, 561 insertions(+), 196 deletions(-) create mode 100644 Zend/tests/falsetoarray_002.phpt diff --git a/Zend/tests/falsetoarray_002.phpt b/Zend/tests/falsetoarray_002.phpt new file mode 100644 index 00000000000..c01b7995459 --- /dev/null +++ b/Zend/tests/falsetoarray_002.phpt @@ -0,0 +1,15 @@ +--TEST-- +Autovivification of false to array with data clobbering by error handler +--FILE-- + +--EXPECT-- +Err: Automatic conversion of false to array is deprecated +string(0) "" diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index 02eda69787a..aa0a2e39ec4 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c @@ -2508,13 +2508,24 @@ fetch_from_array: if (type != BP_VAR_W && UNEXPECTED(Z_TYPE_P(container) == IS_UNDEF)) { ZVAL_UNDEFINED_OP1(); } - if (Z_TYPE_P(container) == IS_FALSE) { - zend_false_to_array_deprecated(); - } if (type != BP_VAR_UNSET) { - array_init(container); + HashTable *ht = zend_new_array(0); + zend_uchar old_type = Z_TYPE_P(container); + + ZVAL_ARR(container, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto return_null; + } + } goto fetch_from_array; } else { + if (UNEXPECTED(Z_TYPE_P(container) == IS_FALSE)) { + zend_false_to_array_deprecated(); + } return_null: /* for read-mode only */ if (ZEND_CONST_COND(dim_type == IS_CV, dim != NULL) && UNEXPECTED(Z_TYPE_P(dim) == IS_UNDEF)) { diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index df0f853fba0..335c4f7a7ab 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -1217,13 +1217,23 @@ ZEND_VM_C_LABEL(assign_dim_op_new_array): } zend_binary_assign_op_obj_dim(container, dim OPLINE_CC EXECUTE_DATA_CC); } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { + HashTable *ht; + zend_uchar old_type; + if (OP1_TYPE == IS_CV && UNEXPECTED(Z_TYPE_INFO_P(container) == IS_UNDEF)) { ZVAL_UNDEFINED_OP1(); } - if (Z_TYPE_P(container) == IS_FALSE) { + ht = zend_new_array(8); + old_type = Z_TYPE_P(container); + ZVAL_ARR(container, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + ZEND_VM_C_GOTO(assign_dim_op_ret_null); + } } - ZVAL_ARR(container, zend_new_array(8)); ZEND_VM_C_GOTO(assign_dim_op_new_array); } else { dim = GET_OP2_ZVAL_PTR(BP_VAR_R); @@ -2626,10 +2636,6 @@ ZEND_VM_C_LABEL(try_assign_dim_array): FREE_OP_DATA(); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -2637,7 +2643,18 @@ ZEND_VM_C_LABEL(try_assign_dim_array): FREE_OP_DATA(); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + ZEND_VM_C_GOTO(assign_dim_error); + } + } ZEND_VM_C_GOTO(try_assign_dim_array); } } else { diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 89f0cab5e20..2596d5261a4 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -22459,13 +22459,23 @@ assign_dim_op_new_array: } zend_binary_assign_op_obj_dim(container, dim OPLINE_CC EXECUTE_DATA_CC); } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { + HashTable *ht; + zend_uchar old_type; + if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_INFO_P(container) == IS_UNDEF)) { ZVAL_UNDEFINED_OP1(); } - if (Z_TYPE_P(container) == IS_FALSE) { + ht = zend_new_array(8); + old_type = Z_TYPE_P(container); + ZVAL_ARR(container, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_op_ret_null; + } } - ZVAL_ARR(container, zend_new_array(8)); goto assign_dim_op_new_array; } else { dim = RT_CONSTANT(opline, opline->op2); @@ -23431,10 +23441,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -23442,7 +23448,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -23568,10 +23585,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -23579,7 +23592,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -23705,10 +23729,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -23716,7 +23736,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -23841,10 +23872,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -23852,7 +23879,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -25100,13 +25138,23 @@ assign_dim_op_new_array: } zend_binary_assign_op_obj_dim(container, dim OPLINE_CC EXECUTE_DATA_CC); } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { + HashTable *ht; + zend_uchar old_type; + if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_INFO_P(container) == IS_UNDEF)) { ZVAL_UNDEFINED_OP1(); } - if (Z_TYPE_P(container) == IS_FALSE) { + ht = zend_new_array(8); + old_type = Z_TYPE_P(container); + ZVAL_ARR(container, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_op_ret_null; + } } - ZVAL_ARR(container, zend_new_array(8)); goto assign_dim_op_new_array; } else { dim = _get_zval_ptr_var(opline->op2.var EXECUTE_DATA_CC); @@ -26077,10 +26125,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -26088,7 +26132,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -26214,10 +26269,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -26225,7 +26276,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -26351,10 +26413,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -26362,7 +26420,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -26487,10 +26556,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -26498,7 +26563,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -27379,13 +27455,23 @@ assign_dim_op_new_array: } zend_binary_assign_op_obj_dim(container, dim OPLINE_CC EXECUTE_DATA_CC); } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { + HashTable *ht; + zend_uchar old_type; + if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_INFO_P(container) == IS_UNDEF)) { ZVAL_UNDEFINED_OP1(); } - if (Z_TYPE_P(container) == IS_FALSE) { + ht = zend_new_array(8); + old_type = Z_TYPE_P(container); + ZVAL_ARR(container, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_op_ret_null; + } } - ZVAL_ARR(container, zend_new_array(8)); goto assign_dim_op_new_array; } else { dim = NULL; @@ -27555,10 +27641,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -27566,7 +27648,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -27692,10 +27785,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -27703,7 +27792,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -27829,10 +27929,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -27840,7 +27936,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -27965,10 +28072,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -27976,7 +28079,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -29206,13 +29320,23 @@ assign_dim_op_new_array: } zend_binary_assign_op_obj_dim(container, dim OPLINE_CC EXECUTE_DATA_CC); } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { + HashTable *ht; + zend_uchar old_type; + if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_INFO_P(container) == IS_UNDEF)) { ZVAL_UNDEFINED_OP1(); } - if (Z_TYPE_P(container) == IS_FALSE) { + ht = zend_new_array(8); + old_type = Z_TYPE_P(container); + ZVAL_ARR(container, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_op_ret_null; + } } - ZVAL_ARR(container, zend_new_array(8)); goto assign_dim_op_new_array; } else { dim = _get_zval_ptr_cv_BP_VAR_R(opline->op2.var EXECUTE_DATA_CC); @@ -30178,10 +30302,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -30189,7 +30309,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -30315,10 +30446,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -30326,7 +30453,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -30452,10 +30590,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -30463,7 +30597,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -30588,10 +30733,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -30599,7 +30740,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -39900,13 +40052,23 @@ assign_dim_op_new_array: } zend_binary_assign_op_obj_dim(container, dim OPLINE_CC EXECUTE_DATA_CC); } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { + HashTable *ht; + zend_uchar old_type; + if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_INFO_P(container) == IS_UNDEF)) { ZVAL_UNDEFINED_OP1(); } - if (Z_TYPE_P(container) == IS_FALSE) { + ht = zend_new_array(8); + old_type = Z_TYPE_P(container); + ZVAL_ARR(container, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_op_ret_null; + } } - ZVAL_ARR(container, zend_new_array(8)); goto assign_dim_op_new_array; } else { dim = RT_CONSTANT(opline, opline->op2); @@ -41135,10 +41297,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -41146,7 +41304,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -41272,10 +41441,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -41283,7 +41448,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -41409,10 +41585,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -41420,7 +41592,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -41545,10 +41728,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -41556,7 +41735,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -43620,13 +43810,23 @@ assign_dim_op_new_array: } zend_binary_assign_op_obj_dim(container, dim OPLINE_CC EXECUTE_DATA_CC); } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { + HashTable *ht; + zend_uchar old_type; + if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_INFO_P(container) == IS_UNDEF)) { ZVAL_UNDEFINED_OP1(); } - if (Z_TYPE_P(container) == IS_FALSE) { + ht = zend_new_array(8); + old_type = Z_TYPE_P(container); + ZVAL_ARR(container, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_op_ret_null; + } } - ZVAL_ARR(container, zend_new_array(8)); goto assign_dim_op_new_array; } else { dim = _get_zval_ptr_var(opline->op2.var EXECUTE_DATA_CC); @@ -44854,10 +45054,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -44865,7 +45061,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -44991,10 +45198,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -45002,7 +45205,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -45128,10 +45342,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -45139,7 +45349,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -45264,10 +45485,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -45275,7 +45492,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -46475,13 +46703,23 @@ assign_dim_op_new_array: } zend_binary_assign_op_obj_dim(container, dim OPLINE_CC EXECUTE_DATA_CC); } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { + HashTable *ht; + zend_uchar old_type; + if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_INFO_P(container) == IS_UNDEF)) { ZVAL_UNDEFINED_OP1(); } - if (Z_TYPE_P(container) == IS_FALSE) { + ht = zend_new_array(8); + old_type = Z_TYPE_P(container); + ZVAL_ARR(container, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_op_ret_null; + } } - ZVAL_ARR(container, zend_new_array(8)); goto assign_dim_op_new_array; } else { dim = NULL; @@ -46779,10 +47017,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -46790,7 +47024,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -46916,10 +47161,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -46927,7 +47168,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -47053,10 +47305,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -47064,7 +47312,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -47189,10 +47448,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -47200,7 +47455,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -48833,13 +49099,23 @@ assign_dim_op_new_array: } zend_binary_assign_op_obj_dim(container, dim OPLINE_CC EXECUTE_DATA_CC); } else if (EXPECTED(Z_TYPE_P(container) <= IS_FALSE)) { + HashTable *ht; + zend_uchar old_type; + if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_INFO_P(container) == IS_UNDEF)) { ZVAL_UNDEFINED_OP1(); } - if (Z_TYPE_P(container) == IS_FALSE) { + ht = zend_new_array(8); + old_type = Z_TYPE_P(container); + ZVAL_ARR(container, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_op_ret_null; + } } - ZVAL_ARR(container, zend_new_array(8)); goto assign_dim_op_new_array; } else { dim = _get_zval_ptr_cv_BP_VAR_R(opline->op2.var EXECUTE_DATA_CC); @@ -50063,10 +50339,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -50074,7 +50346,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -50200,10 +50483,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -50211,7 +50490,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -50337,10 +50627,6 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -50348,7 +50634,18 @@ try_assign_dim_array: zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var)); UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { @@ -50473,10 +50770,6 @@ try_assign_dim_array: } } else if (EXPECTED(Z_TYPE_P(object_ptr) <= IS_FALSE)) { - if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); - } - if (Z_ISREF_P(orig_object_ptr) && ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(orig_object_ptr)) && !zend_verify_ref_array_assignable(Z_REF_P(orig_object_ptr))) { @@ -50484,7 +50777,18 @@ try_assign_dim_array: UNDEF_RESULT(); } else { - ZVAL_ARR(object_ptr, zend_new_array(8)); + HashTable *ht = zend_new_array(8); + zend_uchar old_type = Z_TYPE_P(object_ptr); + + ZVAL_ARR(object_ptr, ht); + if (UNEXPECTED(old_type == IS_FALSE)) { + GC_ADDREF(ht); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(ht) == 0)) { + zend_array_destroy(ht); + goto assign_dim_error; + } + } goto try_assign_dim_array; } } else { diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c index 27796368314..2aeb68cbf83 100644 --- a/ext/opcache/jit/zend_jit_helpers.c +++ b/ext/opcache/jit/zend_jit_helpers.c @@ -1152,9 +1152,15 @@ static zend_always_inline void ZEND_FASTCALL zend_jit_fetch_dim_obj_helper(zval } ZVAL_UNDEF(result); } else if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); zend_array *arr = zend_new_array(0); ZVAL_ARR(object_ptr, arr); + GC_ADDREF(arr); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(arr) == 0)) { + zend_array_destroy(arr); + ZVAL_NULL(result); + return; + } zval *var; if (dim) { if (type == BP_VAR_W) { @@ -1247,12 +1253,6 @@ static void ZEND_FASTCALL zend_jit_assign_dim_helper(zval *object_ptr, zval *dim return; } - if (dim && UNEXPECTED(Z_TYPE_P(dim) == IS_UNDEF)) { - const zend_op *opline = EG(current_execute_data)->opline; - zend_jit_undefined_op_helper(opline->op2.var); - dim = &EG(uninitialized_zval); - } - if (UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) { const zend_op *op_data = EG(current_execute_data)->opline + 1; ZEND_ASSERT(op_data->opcode == ZEND_OP_DATA && op_data->op1_type == IS_CV); @@ -1266,9 +1266,17 @@ static void ZEND_FASTCALL zend_jit_assign_dim_helper(zval *object_ptr, zval *dim ZVAL_UNDEF(result); } } else if (Z_TYPE_P(object_ptr) == IS_FALSE) { - zend_false_to_array_deprecated(); zend_array *arr = zend_new_array(0); ZVAL_ARR(object_ptr, arr); + GC_ADDREF(arr); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(arr) == 0)) { + zend_array_destroy(arr); + if (result) { + ZVAL_NULL(result); + } + return; + } zval *var = dim ? zend_jit_fetch_dim_w_helper(arr, dim) : zend_hash_next_index_insert_new(arr, &EG(uninitialized_zval)); @@ -1284,6 +1292,11 @@ static void ZEND_FASTCALL zend_jit_assign_dim_helper(zval *object_ptr, zval *dim ZVAL_COPY(result, var); } } else { + if (dim && UNEXPECTED(Z_TYPE_P(dim) == IS_UNDEF)) { + const zend_op *opline = EG(current_execute_data)->opline; + zend_jit_undefined_op_helper(opline->op2.var); + dim = &EG(uninitialized_zval); + } zend_throw_error(NULL, "Cannot use a scalar value as an array"); if (result) { ZVAL_UNDEF(result); @@ -1335,9 +1348,14 @@ static void ZEND_FASTCALL zend_jit_assign_dim_op_helper(zval *container, zval *d zend_wrong_string_offset_error(); } } else if (Z_TYPE_P(container) == IS_FALSE) { - zend_false_to_array_deprecated(); zend_array *arr = zend_new_array(0); ZVAL_ARR(container, arr); + GC_ADDREF(arr); + zend_false_to_array_deprecated(); + if (UNEXPECTED(GC_DELREF(arr) == 0)) { + zend_array_destroy(arr); + return; + } zval *var = dim ? zend_jit_fetch_dim_rw_helper(arr, dim) : zend_hash_next_index_insert_new(arr, &EG(uninitialized_zval));