]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4948da1)
Fixed bug #74623
authorNikita Popov <nikita.ppv@gmail.com>
Fri, 23 Jun 2017 15:32:45 +0000 (17:32 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Fri, 23 Jun 2017 15:32:45 +0000 (17:32 +0200)
NEWS patch | blob | history
ext/opcache/Optimizer/zend_inference.c patch | blob | history
ext/opcache/tests/bug74623.phpt [new file with mode: 0644] patch | blob

diff --git a/NEWS b/NEWS
index eb0da993a174c76a0823eb18c50a7216d2c01460..cfc773f8f73ea0b3b0e1afc071427b6570e35a73 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,10 @@ PHP                                                                        NEWS
     (jhdxr)
   . Fixed bug #74761 (Unary operator expected error on some systems). (petk)
 
+- Opcache:
+  . Fixed bug #74623 (Infinite loop in type inference when using HTMLPurifier).
+    (nikic)
+
 - SPL:
   . Fixed bug #73471 (PHP freezes with AppendIterator). (jhdxr)
 
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
index d6a4c273bd52a62c86640046345fbacb9d57ba79..a1a6c7b611d042619b0cea336f0b4afadaa66793 100644 (file)
--- a/ext/opcache/Optimizer/zend_inference.c
+++ b/ext/opcache/Optimizer/zend_inference.c
@@ -3109,7 +3109,7 @@ static int zend_update_type_info(const zend_op_array *op_array,
                                    opline->opcode == ZEND_FETCH_OBJ_RW ||
                                    opline->opcode == ZEND_FETCH_OBJ_FUNC_ARG) {
                                        if (opline->opcode != ZEND_FETCH_DIM_FUNC_ARG) {
-                                               if (t1 & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_NULL)) {
+                                               if (t1 & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE)) {
                                                        tmp &= ~(MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE);
                                                        tmp |= MAY_BE_OBJECT | MAY_BE_RC1 | MAY_BE_RCN;
                                                }
diff --git a/ext/opcache/tests/bug74623.phpt b/ext/opcache/tests/bug74623.phpt
new file mode 100644 (file)
index 0000000..4cd0b26
--- /dev/null
+++ b/ext/opcache/tests/bug74623.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #74623: Infinite loop in type inference when using HTMLPurifier
+--FILE--
+<?php
+
+function crash($arr) {
+    $current_item = false;
+
+    foreach($arr as $item) {
+        if($item->name === 'string') {
+            $current_item = $item;
+        } else {
+            $current_item->a[] = '';
+        }
+    }
+
+}
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
Unnamed repository; edit this file 'description' to name the repository.