From: Xinchen Hui <laruence@gmail.com>
Date: Fri, 10 Feb 2017 06:24:44 +0000 (+0800)
Subject: Merge branch 'PHP-7.0' into PHP-7.1
X-Git-Tag: php-7.1.3RC1~50
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0b7fa040e9e83dedbbd4cb5dd6ab0f5aa3f840c9;p=php

Merge branch 'PHP-7.0' into PHP-7.1

* PHP-7.0:
  Fixed bug #74019 (Segfault with list)
---

0b7fa040e9e83dedbbd4cb5dd6ab0f5aa3f840c9
diff --cc ext/opcache/Optimizer/zend_optimizer.c
index a30f18479a,7ae0e06127..fbcb3a2e16
--- a/ext/opcache/Optimizer/zend_optimizer.c
+++ b/ext/opcache/Optimizer/zend_optimizer.c
@@@ -451,18 -406,32 +451,33 @@@ int zend_optimizer_replace_by_const(zen
  					break;
  				/* In most cases IS_TMP_VAR operand may be used only once.
  				 * The operands are usually destroyed by the opcode handler.
- 				 * ZEND_CASE is an exception, that keeps operand unchanged,
- 				 * and allows its reuse. The number of ZEND_CASE instructions
+ 				 * ZEND_CASE and ZEND_FETCH_LIST are exceptions, they keeps operand
+ 				 * unchanged, and allows its reuse. these instructions
  				 * usually terminated by ZEND_FREE that finally kills the value.
  				 */
- 				case ZEND_FREE:
- 				case ZEND_CASE: {
+ 				case ZEND_FETCH_LIST: {
+ 					zend_op *m = opline;
+ 					do {
+ 						if (m->opcode == ZEND_FETCH_LIST &&
+ 							ZEND_OP1_TYPE(m) == type &&
+ 							ZEND_OP1(m).var == var) {
+ 							zend_optimizer_update_op1_const(op_array, m, val);
+ 						}
+ 						m++;
+ 					} while (m->opcode != ZEND_FREE || ZEND_OP1_TYPE(m) != type || ZEND_OP1(m).var != var);
+ 					ZEND_ASSERT(m->opcode == ZEND_FREE && ZEND_OP1_TYPE(m) == type && ZEND_OP1(m).var == var);
+ 					MAKE_NOP(m);
++					zend_optimizer_remove_live_range(op_array, var);
+ 					return 1;
+ 				}
+ 				case ZEND_CASE:
+ 				case ZEND_FREE: {
  					zend_op *m, *n;
 -					int brk = op_array->last_brk_cont;
 +					int brk = op_array->last_live_range;
  					zend_bool in_switch = 0;
  					while (brk--) {
 -						if (op_array->brk_cont_array[brk].start <= (opline - op_array->opcodes) &&
 -								op_array->brk_cont_array[brk].brk > (opline - op_array->opcodes)) {
 +						if (op_array->live_range[brk].start <= (uint32_t)(opline - op_array->opcodes) &&
 +						    op_array->live_range[brk].end > (uint32_t)(opline - op_array->opcodes)) {
  							in_switch = 1;
  							break;
  						}