From: Nikita Popov <nikic@php.net>
Date: Tue, 7 Jul 2015 22:12:47 +0000 (+0200)
Subject: ZEND_SEPARATE reuses temporaries
X-Git-Tag: php-7.1.1RC1~35^2~71
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1852f538b9f8d5e7d67fe5a4f6080396d8b10034;p=php

ZEND_SEPARATE reuses temporaries
---

diff --git a/Zend/tests/temporary_cleaning_006.phpt b/Zend/tests/temporary_cleaning_006.phpt
new file mode 100644
index 0000000000..758260d55a
--- /dev/null
+++ b/Zend/tests/temporary_cleaning_006.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Exception after separation during indirect write to fcall result
+--FILE--
+<?php
+
+function throwing() { throw new Exception; }
+
+function getArray() { return [0]; }
+
+try {
+    getArray()[throwing()] = 1;
+} catch (Exception $e) {
+    echo "Exception\n";
+}
+
+?>
+--EXPECT--
+Exception
diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c
index 8f3ecddbda..f8d040468f 100644
--- a/Zend/zend_opcode.c
+++ b/Zend/zend_opcode.c
@@ -950,6 +950,7 @@ static zend_always_inline uint32_t *generate_var_liveliness_info_ex(zend_op_arra
 			/* the following opcodes reuse TMP created before */
 			&& opline->opcode != ZEND_ROPE_ADD
 			&& opline->opcode != ZEND_ADD_ARRAY_ELEMENT
+			&& opline->opcode != ZEND_SEPARATE
 			/* passes fast_call */
 			&& opline->opcode != ZEND_FAST_CALL
 			/* the following opcodes pass class_entry */
@@ -980,6 +981,7 @@ static zend_always_inline uint32_t *generate_var_liveliness_info_ex(zend_op_arra
 			if (Tstart[var] != (uint32_t)-1
 				/* the following opcodes don't free TMP */
 				&& opline->opcode != ZEND_ROPE_ADD
+				&& opline->opcode != ZEND_SEPARATE
 				&& opline->opcode != ZEND_FETCH_LIST
 				&& opline->opcode != ZEND_CASE
 				&& opline->opcode != ZEND_FE_FETCH_R