Fixed bug #60613 (Segmentation fault with $cls->{expr}() syntax)
authorDmitry Stogov <dmitry@php.net>
Wed, 28 Dec 2011 09:59:39 +0000 (09:59 +0000)
committerDmitry Stogov <dmitry@php.net>
Wed, 28 Dec 2011 09:59:39 +0000 (09:59 +0000)
NEWS
Zend/tests/bug60613.phpt [new file with mode: 0644]
Zend/zend_compile.c

diff --git a/NEWS b/NEWS
index 7d57c3b66d59160f778a5aefc891f73c92fc4a66..c87609de4a2733a297829ff00680b5520286bf42 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Jan 2012, PHP 5.4.0 RC5
 - Core:
+  . Fixed bug #60613 (Segmentation fault with $cls->{expr}() syntax). (Dmitry)
   . Fixed bug #60611 (Segmentation fault with Cls::{expr}() syntax). (Laruence)
 
 - CLI SAPI:
diff --git a/Zend/tests/bug60613.phpt b/Zend/tests/bug60613.phpt
new file mode 100644 (file)
index 0000000..91b5369
--- /dev/null
@@ -0,0 +1,19 @@
+--TEST--
+Bug #60613 (Segmentation fault with $cls->{expr}() syntax)
+--FILE--
+<?php
+class Cls {
+    function __call($name, $arg) {
+    }
+}
+
+$cls = new Cls();
+$cls->{0}();
+$cls->{1.0}();
+$cls->{true}();
+$cls->{false}();
+$cls->{null}();
+echo "ok\n";
+--EXPECT--
+ok
+
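Review bot: The test only proves that the five calls do not crash, because `__call` has an empty body and the expected output is the single line `ok`. Nothing pins which method name the engine derives from `0`, `1.0`, `true`, `false` and `null`, so a later change to that conversion would pass unnoticed. Consider `function __call($name, $arg) { var_dump($name); }` and listing the resulting strings under `--EXPECT--`. A separate case on a class without `__call` would also cover the undefined-method error path for a non-string literal, which this file never reaches.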
index c4e9291065dae382d57e776feecd216084465c9e..85d17f0d91046d5dcba9cabae61308a9252bf538 100644 (file)
@@ -89,7 +89,8 @@
        } while (0)
 
 #define FREE_POLYMORPHIC_CACHE_SLOT(literal) do { \
-               if (CG(active_op_array)->literals[literal].cache_slot == \
+               if (CG(active_op_array)->literals[literal].cache_slot != -1 && \
+                   CG(active_op_array)->literals[literal].cache_slot == \
                    CG(active_op_array)->last_cache_slot - POLYMORPHIC_CACHE_SLOT_SIZE) { \
                        CG(active_op_array)->literals[literal].cache_slot = -1; \
                        CG(active_op_array)->last_cache_slot -= POLYMORPHIC_CACHE_SLOT_SIZE; \
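Review bot: The added `cache_slot != -1` test in FREE_POLYMORPHIC_CACHE_SLOT depends on -1 meaning "no slot allocated", and nothing at the macro states that or explains why the guard is needed. Without it, a literal that never received a slot compares equal whenever `last_cache_slot - POLYMORPHIC_CACHE_SLOT_SIZE` evaluates to -1, and the body then moves `last_cache_slot` below zero; that is presumably what led to the invalid cache access behind the crash. I would put a comment above the condition, for example `/* -1 == no cache slot assigned; never release a slot that was not allocated */`. The macro that ends just above this hunk is not visible here, so it is worth checking whether it makes the same comparison and needs the same guard. The macro body continues past the last line of the hunk.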