Fixed bug #47109 (Memory leak on $a->{"a"."b"} when $a is not an object)

diff --git a/Zend/tests/bug47109.phpt b/Zend/tests/bug47109.phpt
new file mode 100644 (file)
index 0000000..8f810d7
--- /dev/null
+++ b/Zend/tests/bug47109.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #47109 (Memory leak on $a->{"a"."b"} when $a is not an object)
+--FILE--
+<?php
+$a->{"a"."b"};
+?>
+--EXPECTF--
+Notice: Undefined variable: a in %sbug47109.php on line 2
+
+Notice: Trying to get property of non-object in %sbug47109.php on line 2
+

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 8149695e46fb2fae14a0e4311cfa05e6d190c7c1..5c35aad63509baf3e3078a8d6d28011321143a17 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1236,12 +1236,15 @@ ZEND_VM_HELPER_EX(zend_fetch_property_address_read_helper, VAR|UNUSED|CV, CONST|
        zend_op *opline = EX(opline);
        zend_free_op free_op1;
        zval *container = GET_OP1_OBJ_ZVAL_PTR(type);
+       zend_free_op free_op2;
+       zval *offset  = GET_OP2_ZVAL_PTR(BP_VAR_R);
 
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+               FREE_OP2();
                FREE_OP1();
                ZEND_VM_NEXT_OPCODE();
        }
@@ -1255,9 +1258,8 @@ ZEND_VM_HELPER_EX(zend_fetch_property_address_read_helper, VAR|UNUSED|CV, CONST|
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
+               FREE_OP2();
        } else {
-               zend_free_op free_op2;
-               zval *offset  = GET_OP2_ZVAL_PTR(BP_VAR_R);
                zval *retval;
 
                if (IS_OP2_TMP_FREE()) {

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 0139f65979edad27f35294bf36c64d9419f909c1..2e85088bd0f66a93410b9c95e75c0ebc202b3c27 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -9906,11 +9906,14 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_CONST(
        zend_free_op free_op1;
        zval *container = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
 
+       zval *offset  = &opline->op2.u.constant;
+
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+
                if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
                ZEND_VM_NEXT_OPCODE();
        }
@@ -9924,9 +9927,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_CONST(
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
-       } else {
 
-               zval *offset  = &opline->op2.u.constant;
+       } else {
                zval *retval;
 
                if (0) {
@@ -11740,12 +11742,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_TMP(in
        zend_op *opline = EX(opline);
        zend_free_op free_op1;
        zval *container = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
+       zend_free_op free_op2;
+       zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+               zval_dtor(free_op2.var);
                if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
                ZEND_VM_NEXT_OPCODE();
        }
@@ -11759,9 +11764,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_TMP(in
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
+               zval_dtor(free_op2.var);
        } else {
-               zend_free_op free_op2;
-               zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
                zval *retval;
 
                if (1) {
@@ -13521,12 +13525,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_VAR(in
        zend_op *opline = EX(opline);
        zend_free_op free_op1;
        zval *container = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
+       zend_free_op free_op2;
+       zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+               if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
                if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
                ZEND_VM_NEXT_OPCODE();
        }
@@ -13540,9 +13547,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_VAR(in
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
+               if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
        } else {
-               zend_free_op free_op2;
-               zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
                zval *retval;
 
                if (0) {
@@ -15967,11 +15973,14 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_CV(int
        zend_free_op free_op1;
        zval *container = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
 
+       zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+
                if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
                ZEND_VM_NEXT_OPCODE();
        }
@@ -15985,9 +15994,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_CV(int
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
-       } else {
 
-               zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+       } else {
                zval *retval;
 
                if (0) {
@@ -17453,12 +17461,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_CON
 
        zval *container = _get_obj_zval_ptr_unused(TSRMLS_C);
 
+       zval *offset  = &opline->op2.u.constant;
+
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
 
+
                ZEND_VM_NEXT_OPCODE();
        }
 
@@ -17471,9 +17482,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_CON
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
-       } else {
 
-               zval *offset  = &opline->op2.u.constant;
+       } else {
                zval *retval;
 
                if (0) {
@@ -18584,12 +18594,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_TMP
        zend_op *opline = EX(opline);
 
        zval *container = _get_obj_zval_ptr_unused(TSRMLS_C);
+       zend_free_op free_op2;
+       zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+               zval_dtor(free_op2.var);
 
                ZEND_VM_NEXT_OPCODE();
        }
@@ -18603,9 +18616,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_TMP
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
+               zval_dtor(free_op2.var);
        } else {
-               zend_free_op free_op2;
-               zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
                zval *retval;
 
                if (1) {
@@ -19661,12 +19673,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_VAR
        zend_op *opline = EX(opline);
 
        zval *container = _get_obj_zval_ptr_unused(TSRMLS_C);
+       zend_free_op free_op2;
+       zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+               if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
 
                ZEND_VM_NEXT_OPCODE();
        }
@@ -19680,9 +19695,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_VAR
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
+               if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
        } else {
-               zend_free_op free_op2;
-               zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
                zval *retval;
 
                if (0) {
@@ -21010,12 +21024,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_CV(
 
        zval *container = _get_obj_zval_ptr_unused(TSRMLS_C);
 
+       zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
 
+
                ZEND_VM_NEXT_OPCODE();
        }
 
@@ -21028,9 +21045,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_CV(
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
-       } else {
 
-               zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+       } else {
                zval *retval;
 
                if (0) {
@@ -23790,12 +23806,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_CONST(i
 
        zval *container = _get_zval_ptr_cv(&opline->op1, EX(Ts), type TSRMLS_CC);
 
+       zval *offset  = &opline->op2.u.constant;
+
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
 
+
                ZEND_VM_NEXT_OPCODE();
        }
 
@@ -23808,9 +23827,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_CONST(i
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
-       } else {
 
-               zval *offset  = &opline->op2.u.constant;
+       } else {
                zval *retval;
 
                if (0) {
@@ -25455,12 +25473,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_TMP(int
        zend_op *opline = EX(opline);
 
        zval *container = _get_zval_ptr_cv(&opline->op1, EX(Ts), type TSRMLS_CC);
+       zend_free_op free_op2;
+       zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+               zval_dtor(free_op2.var);
 
                ZEND_VM_NEXT_OPCODE();
        }
@@ -25474,9 +25495,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_TMP(int
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
+               zval_dtor(free_op2.var);
        } else {
-               zend_free_op free_op2;
-               zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
                zval *retval;
 
                if (1) {
@@ -27124,12 +27144,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_VAR(int
        zend_op *opline = EX(opline);
 
        zval *container = _get_zval_ptr_cv(&opline->op1, EX(Ts), type TSRMLS_CC);
+       zend_free_op free_op2;
+       zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+               if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
 
                ZEND_VM_NEXT_OPCODE();
        }
@@ -27143,9 +27166,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_VAR(int
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
+               if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
        } else {
-               zend_free_op free_op2;
-               zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
                zval *retval;
 
                if (0) {
@@ -29355,12 +29377,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_CV(int
 
        zval *container = _get_zval_ptr_cv(&opline->op1, EX(Ts), type TSRMLS_CC);
 
+       zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
 
+
                ZEND_VM_NEXT_OPCODE();
        }
 
@@ -29373,9 +29398,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_CV(int
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
-       } else {
 
-               zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+       } else {
                zval *retval;
 
                if (0) {