ZEND_SEPARATE reuses temporaries

diff --git a/Zend/tests/temporary_cleaning_006.phpt b/Zend/tests/temporary_cleaning_006.phpt
new file mode 100644 (file)
index 0000000..758260d
--- /dev/null
+++ b/Zend/tests/temporary_cleaning_006.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Exception after separation during indirect write to fcall result
+--FILE--
+<?php
+
+function throwing() { throw new Exception; }
+
+function getArray() { return [0]; }
+
+try {
+    getArray()[throwing()] = 1;
+} catch (Exception $e) {
+    echo "Exception\n";
+}
+
+?>
+--EXPECT--
+Exception

diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c
index 8f3ecddbda6d3a32a664b5f8c3588da9130dc7eb..f8d040468f0239e18c6972c2bb054de8388e455f 100644 (file)
--- a/Zend/zend_opcode.c
+++ b/Zend/zend_opcode.c
@@ -950,6 +950,7 @@ static zend_always_inline uint32_t *generate_var_liveliness_info_ex(zend_op_arra
                        /* the following opcodes reuse TMP created before */
                        && opline->opcode != ZEND_ROPE_ADD
                        && opline->opcode != ZEND_ADD_ARRAY_ELEMENT
+                       && opline->opcode != ZEND_SEPARATE
                        /* passes fast_call */
                        && opline->opcode != ZEND_FAST_CALL
                        /* the following opcodes pass class_entry */
@@ -980,6 +981,7 @@ static zend_always_inline uint32_t *generate_var_liveliness_info_ex(zend_op_arra
                        if (Tstart[var] != (uint32_t)-1
                                /* the following opcodes don't free TMP */
                                && opline->opcode != ZEND_ROPE_ADD
+                               && opline->opcode != ZEND_SEPARATE
                                && opline->opcode != ZEND_FETCH_LIST
                                && opline->opcode != ZEND_CASE
                                && opline->opcode != ZEND_FE_FETCH_R