From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 10 Jan 2019 09:25:55 +0000 (+0100)
Subject: Fixed bug #77434
X-Git-Tag: php-7.3.2RC1~27
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ade702a0d299f0c8967720fb4887cd1447419cd9;p=php

Fixed bug #77434

Mark arrays containing partial arrays as partial. This was already
done for the ADD_ARRAY_ELEMENT case, but not for ASSIGN_DIM.
---

diff --git a/NEWS b/NEWS
index 2ae6d5625d..18ddbee6ba 100644
--- a/NEWS
+++ b/NEWS
@@ -33,6 +33,8 @@ PHP                                                                        NEWS
   . Fixed bug #77266 (Assertion failed in dce_live_ranges). (Laruence)
   . Fixed bug #77257 (value of variable assigned in a switch() construct gets
     lost). (Nikita)
+  . Fixed bug #77434 (php-fpm workers are segfaulting in zend_gc_addre).
+    (Nikita)
 
 - PCRE:
   . Fixed bug #77338 (get_browser with empty string). (Nikita)
diff --git a/ext/opcache/Optimizer/sccp.c b/ext/opcache/Optimizer/sccp.c
index c224e4afcc..ff96db4c8d 100644
--- a/ext/opcache/Optimizer/sccp.c
+++ b/ext/opcache/Optimizer/sccp.c
@@ -1102,6 +1102,10 @@ static void sccp_visit_instr(scdf_ctx *scdf, zend_op *opline, zend_ssa_op *ssa_o
 					SET_RESULT(result, data);
 					SET_RESULT(op1, &zv);
 				} else if (ct_eval_assign_dim(&zv, data, op2) == SUCCESS) {
+					/* Mark array containing partial array as partial */
+					if (IS_PARTIAL_ARRAY(data)) {
+						MAKE_PARTIAL_ARRAY(&zv);
+					}
 					SET_RESULT(result, data);
 					SET_RESULT(op1, &zv);
 				} else {
@@ -2368,8 +2372,8 @@ int sccp_optimize_op_array(zend_optimizer_ctx *ctx, zend_op_array *op_array, zen
 			}
 			fprintf(stderr, "    #%d.", i);
 			zend_dump_var(op_array, IS_CV, ssa->vars[i].var);
-			if (IS_PARTIAL_ARRAY(zv)) {
-				fprintf(stderr, " = [");
+			if (Z_TYPE_P(zv) == IS_ARRAY || IS_PARTIAL_ARRAY(zv)) {
+				fprintf(stderr, " = %s[", IS_PARTIAL_ARRAY(zv) ? "partial " : "");
 				zend_dump_ht(Z_ARRVAL_P(zv));
 				fprintf(stderr, "]");
 			} else if (IS_PARTIAL_OBJECT(zv)) {
diff --git a/ext/opcache/tests/bug77434.phpt b/ext/opcache/tests/bug77434.phpt
new file mode 100644
index 0000000000..5b8be3e174
--- /dev/null
+++ b/ext/opcache/tests/bug77434.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #77434: php-fpm workers are segfaulting in zend_gc_addref
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+
+function test(int $x) {
+    $a = ['a' => 0, 'b' => $x];
+    $b = [];
+    $b[0] = $a;
+    $c = $b[0];
+}
+
+function test2(int $x) {
+    $a = ['a' => 0, 'b' => $x];
+    $b = [$a];
+    $c = $b[0];
+}
+
+?>
+===DONE===
+--EXPECT--
+===DONE===