Fixed bug #69955 (Segfault when trying to combine [] and assign-op on ArrayAccess...

author Dmitry Stogov <dmitry@zend.com>

Mon, 29 Jun 2015 08:17:56 +0000 (11:17 +0300)

committer Dmitry Stogov <dmitry@zend.com>

Mon, 29 Jun 2015 08:17:56 +0000 (11:17 +0300)
author Dmitry Stogov <dmitry@zend.com>
Mon, 29 Jun 2015 08:17:56 +0000 (11:17 +0300)
committer Dmitry Stogov <dmitry@zend.com>
Mon, 29 Jun 2015 08:17:56 +0000 (11:17 +0300)
diff --git a/NEWS b/NEWS

index b073ec3f9d18620251835717527d6168410936d1..b3b1e27774fc7884d7f1679a48cb2e21804d447f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ PHP                                                                        NEWS
  
  - Core:
    . Fixed bug #69768 (escapeshell*() doesn't cater to !). (cmb)
+  . Fixed bug #69955 (Segfault when trying to combine [] and assign-op on
+    ArrayAccess object). (Laruence)
    . Fixed bug #69957 (Three different ways of handling same error condition).
      (Bob)
  
diff --git a/Zend/tests/bug69955.phpt b/Zend/tests/bug69955.phpt

new file mode 100644 (file)

index 0000000..b6d7424
--- /dev/null
+++ b/Zend/tests/bug69955.phpt
@@ -0,0 +1,37 @@
+--TEST--
+Bug #69955 (Segfault when trying to combine [] and assign-op on ArrayAccess object).
+--FILE--
+<?php
+class C10 implements ArrayAccess
+{
+        function offsetExists($offset)
+        {
+                echo "\nInside " . __METHOD__ . "\n"; var_dump($offset);
+        }
+        function offsetGet($offset)
+        {
+                echo "\nInside " . __METHOD__ . "\n"; var_dump($offset); return 100;
+        }
+        function offsetSet($offset, $value)
+        {
+                echo "\nInside " . __METHOD__ . "\n"; var_dump($offset); var_dump($value);
+        }
+        function offsetUnset($offset)
+        {
+                echo "\nInside " . __METHOD__ . "\n"; var_dump($offset);
+        }
+}
+
+$c10 = new C10;
+
+var_dump($c10[] += 5);
+--EXPECTF--
+Inside C10::offsetGet
+
+Notice: Undefined variable: offset in %sbug69955.php on line 10
+NULL
+
+Inside C10::offsetSet
+NULL
+int(105)
+int(105)
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h

index 1d18d4be061c63b997ec6f10efb9951b39d19c6c..ab8a2f55100d9bba5fc058ca33fa6e97801d809d 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -804,13 +804,11 @@ ZEND_VM_HELPER_EX(zend_binary_assign_op_dim_helper, VAR|UNUSED|CV, CONST|TMPVAR|
                         if (OP1_TYPE != IS_UNUSED) {
                                 ZVAL_DEREF(container);
                         }
-#if !defined(ZEND_VM_SPEC) || (OP2_TYPE != IS_UNUSED)
                         if (OP1_TYPE == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
                                 value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
                                 zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
                                 break;
                         }
-#endif
                 }
  
                 zend_fetch_dimension_address_RW(&rv, container, dim, OP2_TYPE);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h

index ffe55d9a62f3d2463f9b2308dbeb2a3fb960046b..93026bd185bb7e29050f26ab4f7cc9a1aeaa9243 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -16714,13 +16714,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
                         if (IS_VAR != IS_UNUSED) {
                                 ZVAL_DEREF(container);
                         }
-#if 0 || (IS_CONST != IS_UNUSED)
                         if (IS_VAR == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
                                 value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
                                 zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
                                 break;
                         }
-#endif
                 }
  
                 zend_fetch_dimension_address_RW(&rv, container, dim, IS_CONST);
@@ -18847,13 +18845,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
                         if (IS_VAR != IS_UNUSED) {
                                 ZVAL_DEREF(container);
                         }
-#if 0 || (IS_UNUSED != IS_UNUSED)
                         if (IS_VAR == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
                                 value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
                                 zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
                                 break;
                         }
-#endif
                 }
  
                 zend_fetch_dimension_address_RW(&rv, container, dim, IS_UNUSED);
@@ -19919,13 +19915,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
                         if (IS_VAR != IS_UNUSED) {
                                 ZVAL_DEREF(container);
                         }
-#if 0 || (IS_CV != IS_UNUSED)
                         if (IS_VAR == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
                                 value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
                                 zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
                                 break;
                         }
-#endif
                 }
  
                 zend_fetch_dimension_address_RW(&rv, container, dim, IS_CV);
@@ -21583,13 +21577,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
                         if (IS_VAR != IS_UNUSED) {
                                 ZVAL_DEREF(container);
                         }
-#if 0 || ((IS_TMP_VAR|IS_VAR) != IS_UNUSED)
                         if (IS_VAR == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
                                 value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
                                 zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
                                 break;
                         }
-#endif
                 }
  
                 zend_fetch_dimension_address_RW(&rv, container, dim, (IS_TMP_VAR|IS_VAR));
@@ -23135,13 +23127,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
                         if (IS_UNUSED != IS_UNUSED) {
                                 ZVAL_DEREF(container);
                         }
-#if 0 || (IS_CONST != IS_UNUSED)
                         if (IS_UNUSED == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
                                 value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
                                 zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
                                 break;
                         }
-#endif
                 }
  
                 zend_fetch_dimension_address_RW(&rv, container, dim, IS_CONST);
@@ -24947,13 +24937,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
                         if (IS_UNUSED != IS_UNUSED) {
                                 ZVAL_DEREF(container);
                         }
-#if 0 || (IS_UNUSED != IS_UNUSED)
                         if (IS_UNUSED == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
                                 value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
                                 zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
                                 break;
                         }
-#endif
                 }
  
                 zend_fetch_dimension_address_RW(&rv, container, dim, IS_UNUSED);
@@ -25529,13 +25517,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
                         if (IS_UNUSED != IS_UNUSED) {
                                 ZVAL_DEREF(container);
                         }
-#if 0 || (IS_CV != IS_UNUSED)
                         if (IS_UNUSED == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
                                 value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
                                 zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
                                 break;
                         }
-#endif
                 }
  
                 zend_fetch_dimension_address_RW(&rv, container, dim, IS_CV);
@@ -27017,13 +27003,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
                         if (IS_UNUSED != IS_UNUSED) {
                                 ZVAL_DEREF(container);
                         }
-#if 0 || ((IS_TMP_VAR|IS_VAR) != IS_UNUSED)
                         if (IS_UNUSED == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
                                 value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
                                 zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
                                 break;
                         }
-#endif
                 }
  
                 zend_fetch_dimension_address_RW(&rv, container, dim, (IS_TMP_VAR|IS_VAR));
@@ -30779,13 +30763,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
                         if (IS_CV != IS_UNUSED) {
                                 ZVAL_DEREF(container);
                         }
-#if 0 || (IS_CONST != IS_UNUSED)
                         if (IS_CV == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
                                 value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
                                 zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
                                 break;
                         }
-#endif
                 }
  
                 zend_fetch_dimension_address_RW(&rv, container, dim, IS_CONST);
@@ -34193,13 +34175,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
                         if (IS_CV != IS_UNUSED) {
                                 ZVAL_DEREF(container);
                         }
-#if 0 || (IS_UNUSED != IS_UNUSED)
                         if (IS_CV == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
                                 value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
                                 zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
                                 break;
                         }
-#endif
                 }
  
                 zend_fetch_dimension_address_RW(&rv, container, dim, IS_UNUSED);
@@ -36091,13 +36071,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
                         if (IS_CV != IS_UNUSED) {
                                 ZVAL_DEREF(container);
                         }
-#if 0 || (IS_CV != IS_UNUSED)
                         if (IS_CV == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
                                 value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
                                 zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
                                 break;
                         }
-#endif
                 }
  
                 zend_fetch_dimension_address_RW(&rv, container, dim, IS_CV);
@@ -38782,13 +38760,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_dim_helper_SP
                         if (IS_CV != IS_UNUSED) {
                                 ZVAL_DEREF(container);
                         }
-#if 0 || ((IS_TMP_VAR|IS_VAR) != IS_UNUSED)
                         if (IS_CV == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
                                 value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1, BP_VAR_R);
                                 zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL, binary_op);
                                 break;
                         }
-#endif
                 }
  
                 zend_fetch_dimension_address_RW(&rv, container, dim, (IS_TMP_VAR|IS_VAR));
author	Dmitry Stogov <dmitry@zend.com>
	Mon, 29 Jun 2015 08:17:56 +0000 (11:17 +0300)
committer	Dmitry Stogov <dmitry@zend.com>
	Mon, 29 Jun 2015 08:17:56 +0000 (11:17 +0300)
NEWS		patch \| blob \| history
Zend/tests/bug69955.phpt	[new file with mode: 0644]	patch \| blob
Zend/zend_vm_def.h		patch \| blob \| history
Zend/zend_vm_execute.h		patch \| blob \| history