Fixed bug #47109 (Memory leak on $a->{"a"."b"} when $a is not an object)

diff --git a/Zend/tests/bug47109.phpt b/Zend/tests/bug47109.phpt
new file mode 100644 (file)
index 0000000..8f810d7
--- /dev/null
+++ b/Zend/tests/bug47109.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #47109 (Memory leak on $a->{"a"."b"} when $a is not an object)
+--FILE--
+<?php
+$a->{"a"."b"};
+?>
+--EXPECTF--
+Notice: Undefined variable: a in %sbug47109.php on line 2
+
+Notice: Trying to get property of non-object in %sbug47109.php on line 2
+

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 34b7707f625c1a6cb88b29ea610c690ac1aad7e2..78df870f2338399a4194c18bb1b6374598d2b4dd 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1273,12 +1273,15 @@ ZEND_VM_HELPER_EX(zend_fetch_property_address_read_helper, VAR|UNUSED|CV, CONST|
        zend_op *opline = EX(opline);
        zend_free_op free_op1;
        zval *container = GET_OP1_OBJ_ZVAL_PTR(type);
+       zend_free_op free_op2;
+       zval *offset  = GET_OP2_ZVAL_PTR(BP_VAR_R);
 
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+               FREE_OP2();
                FREE_OP1();
                ZEND_VM_NEXT_OPCODE();
        }
@@ -1292,9 +1295,8 @@ ZEND_VM_HELPER_EX(zend_fetch_property_address_read_helper, VAR|UNUSED|CV, CONST|
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
+               FREE_OP2();
        } else {
-               zend_free_op free_op2;
-               zval *offset  = GET_OP2_ZVAL_PTR(BP_VAR_R);
                zval *retval;
 
                if (IS_OP2_TMP_FREE()) {

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index dc13bb495d95a751d059fb35cbd206c0d85de1ad..78426f3fc9176ed110ef116bd4f7415e130c53ca 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -10326,11 +10326,14 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_CONST(
        zend_free_op free_op1;
        zval *container = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
 
+       zval *offset  = &opline->op2.u.constant;
+
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+
                if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
                ZEND_VM_NEXT_OPCODE();
        }
@@ -10344,9 +10347,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_CONST(
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
-       } else {
 
-               zval *offset  = &opline->op2.u.constant;
+       } else {
                zval *retval;
 
                if (0) {
@@ -12266,12 +12268,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_TMP(in
        zend_op *opline = EX(opline);
        zend_free_op free_op1;
        zval *container = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
+       zend_free_op free_op2;
+       zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+               zval_dtor(free_op2.var);
                if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
                ZEND_VM_NEXT_OPCODE();
        }
@@ -12285,9 +12290,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_TMP(in
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
+               zval_dtor(free_op2.var);
        } else {
-               zend_free_op free_op2;
-               zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
                zval *retval;
 
                if (1) {
@@ -14115,12 +14119,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_VAR(in
        zend_op *opline = EX(opline);
        zend_free_op free_op1;
        zval *container = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
+       zend_free_op free_op2;
+       zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+               if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
                if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
                ZEND_VM_NEXT_OPCODE();
        }
@@ -14134,9 +14141,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_VAR(in
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
+               if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
        } else {
-               zend_free_op free_op2;
-               zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
                zval *retval;
 
                if (0) {
@@ -16639,11 +16645,14 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_CV(int
        zend_free_op free_op1;
        zval *container = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
 
+       zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+
                if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
                ZEND_VM_NEXT_OPCODE();
        }
@@ -16657,9 +16666,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_CV(int
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
-       } else {
 
-               zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+       } else {
                zval *retval;
 
                if (0) {
@@ -18190,12 +18198,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_CON
 
        zval *container = _get_obj_zval_ptr_unused(TSRMLS_C);
 
+       zval *offset  = &opline->op2.u.constant;
+
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
 
+
                ZEND_VM_NEXT_OPCODE();
        }
 
@@ -18208,9 +18219,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_CON
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
-       } else {
 
-               zval *offset  = &opline->op2.u.constant;
+       } else {
                zval *retval;
 
                if (0) {
@@ -19387,12 +19397,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_TMP
        zend_op *opline = EX(opline);
 
        zval *container = _get_obj_zval_ptr_unused(TSRMLS_C);
+       zend_free_op free_op2;
+       zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+               zval_dtor(free_op2.var);
 
                ZEND_VM_NEXT_OPCODE();
        }
@@ -19406,9 +19419,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_TMP
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
+               zval_dtor(free_op2.var);
        } else {
-               zend_free_op free_op2;
-               zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
                zval *retval;
 
                if (1) {
@@ -20522,12 +20534,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_VAR
        zend_op *opline = EX(opline);
 
        zval *container = _get_obj_zval_ptr_unused(TSRMLS_C);
+       zend_free_op free_op2;
+       zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+               if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
 
                ZEND_VM_NEXT_OPCODE();
        }
@@ -20541,9 +20556,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_VAR
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
+               if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
        } else {
-               zend_free_op free_op2;
-               zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
                zval *retval;
 
                if (0) {
@@ -21928,12 +21942,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_CV(
 
        zval *container = _get_obj_zval_ptr_unused(TSRMLS_C);
 
+       zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
 
+
                ZEND_VM_NEXT_OPCODE();
        }
 
@@ -21946,9 +21963,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_CV(
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
-       } else {
 
-               zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+       } else {
                zval *retval;
 
                if (0) {
@@ -24884,12 +24900,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_CONST(i
 
        zval *container = _get_zval_ptr_cv(&opline->op1, EX(Ts), type TSRMLS_CC);
 
+       zval *offset  = &opline->op2.u.constant;
+
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
 
+
                ZEND_VM_NEXT_OPCODE();
        }
 
@@ -24902,9 +24921,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_CONST(i
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
-       } else {
 
-               zval *offset  = &opline->op2.u.constant;
+       } else {
                zval *retval;
 
                if (0) {
@@ -26633,12 +26651,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_TMP(int
        zend_op *opline = EX(opline);
 
        zval *container = _get_zval_ptr_cv(&opline->op1, EX(Ts), type TSRMLS_CC);
+       zend_free_op free_op2;
+       zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+               zval_dtor(free_op2.var);
 
                ZEND_VM_NEXT_OPCODE();
        }
@@ -26652,9 +26673,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_TMP(int
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
+               zval_dtor(free_op2.var);
        } else {
-               zend_free_op free_op2;
-               zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
                zval *retval;
 
                if (1) {
@@ -28360,12 +28380,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_VAR(int
        zend_op *opline = EX(opline);
 
        zval *container = _get_zval_ptr_cv(&opline->op1, EX(Ts), type TSRMLS_CC);
+       zend_free_op free_op2;
+       zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
+               if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
 
                ZEND_VM_NEXT_OPCODE();
        }
@@ -28379,9 +28402,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_VAR(int
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
+               if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
        } else {
-               zend_free_op free_op2;
-               zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
                zval *retval;
 
                if (0) {
@@ -30649,12 +30671,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_CV(int
 
        zval *container = _get_zval_ptr_cv(&opline->op1, EX(Ts), type TSRMLS_CC);
 
+       zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+
        if (container == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(&opline->result)) {
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
                        PZVAL_LOCK(EG(error_zval_ptr));
                }
 
+
                ZEND_VM_NEXT_OPCODE();
        }
 
@@ -30667,9 +30692,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_CV(int
                        AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
                        PZVAL_LOCK(EG(uninitialized_zval_ptr));
                }
-       } else {
 
-               zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+       } else {
                zval *retval;
 
                if (0) {