Fix VAR return type verification

We should also set retval_ref when de-indirecting. Otherwise the
retval_ref != retval_ptr comparison below may incorrect assume
that we're returning a reference.

I don't have a reliable reproducer for this issue, but it sometimes
appears in certain configurations in arrow_functions/007.phpt in
conjunction with other changes.

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 2932bfbdfaaef45d87f0bc55a95e0f7538081b93..693578675f920b1b569b20e8ad0abb846ec3dc80 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -4185,7 +4185,7 @@ ZEND_VM_COLD_CONST_HANDLER(124, ZEND_VERIFY_RETURN_TYPE, CONST|TMP|VAR|UNUSED|CV
                        retval_ref = retval_ptr = EX_VAR(opline->result.var);
                } else if (OP1_TYPE == IS_VAR) {
                        if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) {
-                               retval_ptr = Z_INDIRECT_P(retval_ptr);
+                               retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr);
                        }
                        ZVAL_DEREF(retval_ptr);
                } else if (OP1_TYPE == IS_CV) {

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 60d725b3654be0537ef8ea49db12ea072a5cecab..731c4af76969bffa0b2f2336feeb4cf8439683d8 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -9723,7 +9723,7 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYP
                        retval_ref = retval_ptr = EX_VAR(opline->result.var);
                } else if (IS_CONST == IS_VAR) {
                        if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) {
-                               retval_ptr = Z_INDIRECT_P(retval_ptr);
+                               retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr);
                        }
                        ZVAL_DEREF(retval_ptr);
                } else if (IS_CONST == IS_CV) {
@@ -20077,7 +20077,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYPE_SPEC_TMP_UN
                        retval_ref = retval_ptr = EX_VAR(opline->result.var);
                } else if (IS_TMP_VAR == IS_VAR) {
                        if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) {
-                               retval_ptr = Z_INDIRECT_P(retval_ptr);
+                               retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr);
                        }
                        ZVAL_DEREF(retval_ptr);
                } else if (IS_TMP_VAR == IS_CV) {
@@ -27692,7 +27692,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYPE_SPEC_VAR_UN
                        retval_ref = retval_ptr = EX_VAR(opline->result.var);
                } else if (IS_VAR == IS_VAR) {
                        if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) {
-                               retval_ptr = Z_INDIRECT_P(retval_ptr);
+                               retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr);
                        }
                        ZVAL_DEREF(retval_ptr);
                } else if (IS_VAR == IS_CV) {
@@ -34892,7 +34892,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYPE_SPEC_UNUSED
                        retval_ref = retval_ptr = EX_VAR(opline->result.var);
                } else if (IS_UNUSED == IS_VAR) {
                        if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) {
-                               retval_ptr = Z_INDIRECT_P(retval_ptr);
+                               retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr);
                        }
                        ZVAL_DEREF(retval_ptr);
                } else if (IS_UNUSED == IS_CV) {
@@ -46594,7 +46594,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYPE_SPEC_CV_UNU
                        retval_ref = retval_ptr = EX_VAR(opline->result.var);
                } else if (IS_CV == IS_VAR) {
                        if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) {
-                               retval_ptr = Z_INDIRECT_P(retval_ptr);
+                               retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr);
                        }
                        ZVAL_DEREF(retval_ptr);
                } else if (IS_CV == IS_CV) {