Fixed bug #60613 (Segmentation fault with $cls->{expr}() syntax)
authorDmitry Stogov <dmitry@php.net>
Wed, 28 Dec 2011 09:59:39 +0000 (09:59 +0000)
committerDmitry Stogov <dmitry@php.net>
Wed, 28 Dec 2011 09:59:39 +0000 (09:59 +0000)
Zend/tests/bug60613.phpt [new file with mode: 0644]
Zend/zend_compile.c

diff --git a/Zend/tests/bug60613.phpt b/Zend/tests/bug60613.phpt
new file mode 100644 (file)
index 0000000..91b5369
--- /dev/null
@@ -0,0 +1,19 @@
+--TEST--
+Bug #60613 (Segmentation fault with $cls->{expr}() syntax)
+--FILE--
+<?php
+class Cls {
+    function __call($name, $arg) {
+    }
+}
+
+$cls = new Cls();
+$cls->{0}();
+$cls->{1.0}();
+$cls->{true}();
+$cls->{false}();
+$cls->{null}();
+echo "ok\n";
+--EXPECT--
+ok
+
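Review bot: The empty `__call` body in this test means it only checks that nothing crashes, not which method name each non-string expression resolves to. Adding `var_dump($name);` inside `__call` and listing the resulting strings under `--EXPECT--` would also pin how `0`, `1.0`, `true`, `false` and `null` are converted, so a later change in that conversion would be caught. The test covers only the `__call` path; a class without `__call` presumably reaches the same compile-time code and may deserve its own test file, since the undefined-method fatal error would end the script.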
index c4e9291065dae382d57e776feecd216084465c9e..85d17f0d91046d5dcba9cabae61308a9252bf538 100644 (file)
@@ -89,7 +89,8 @@
        } while (0)
 
 #define FREE_POLYMORPHIC_CACHE_SLOT(literal) do { \
-               if (CG(active_op_array)->literals[literal].cache_slot == \
+               if (CG(active_op_array)->literals[literal].cache_slot != -1 && \
+                   CG(active_op_array)->literals[literal].cache_slot == \
                    CG(active_op_array)->last_cache_slot - POLYMORPHIC_CACHE_SLOT_SIZE) { \
                        CG(active_op_array)->literals[literal].cache_slot = -1; \
                        CG(active_op_array)->last_cache_slot -= POLYMORPHIC_CACHE_SLOT_SIZE; \
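Review bot: The new `cache_slot != -1` test in FREE_POLYMORPHIC_CACHE_SLOT has no comment saying why it is needed, and the reason is not obvious from the macro. A literal that never received a slot holds -1, and the old comparison matched it whenever `last_cache_slot - POLYMORPHIC_CACHE_SLOT_SIZE` also evaluated to -1, which then left `last_cache_slot` negative; presumably that negative count is what later caused the segfault. I would add above the `#define` a comment such as `/* cache_slot == -1 means no slot was allocated for this literal; it must not be mistaken for the most recently allocated polymorphic slot */`. Separately, `literal` is expanded four times without parentheses, so writing `literals[(literal)]` would be safer if a caller ever passes an expression. The macro's closing lines are outside the hunk.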