From 778e5f3da50cacb0ab04944863d3de6999dae3e3 Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@gmail.com>
Date: Fri, 11 Dec 2015 09:11:28 -0800
Subject: [PATCH] Fixed bug #71092 (Segmentation fault with return type
 hinting)

---
 NEWS                                  |  1 +
 Zend/tests/return_types/029.phpt      | 23 +++++++++++++++++++++++
 Zend/tests/return_types/bug71092.phpt | 23 +++++++++++++++++++++++
 Zend/zend_compile.c                   |  5 +++--
 4 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/return_types/029.phpt
 create mode 100644 Zend/tests/return_types/bug71092.phpt

diff --git a/NEWS b/NEWS
index 6f2b4b2701..54bdeb7578 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? Jan 2016 PHP 7.0.2
 
 - Core:
+  . Fixed bug #71092 (Segmentation fault with return type hinting). (Laruence)
   . Fixed bug memleak in header_register_callback. (Laruence)
   . Fixed bug #71067 (Local object in class method stays in memory for each
     call). (Laruence)
diff --git a/Zend/tests/return_types/029.phpt b/Zend/tests/return_types/029.phpt
new file mode 100644
index 0000000000..011182df37
--- /dev/null
+++ b/Zend/tests/return_types/029.phpt
@@ -0,0 +1,23 @@
+--TEST--
+return type with finally
+--INI--
+opcache.enable=0
+--FILE--
+<?php
+
+function foo() : array {
+	try {
+		throw new Exception("xxxx");
+	} finally {
+		return ;
+	}
+}
+
+foo();
+?>
+--EXPECTF--
+Fatal error: Uncaught TypeError: Return value of foo() must be of the type array, none returned in %s29.php:%d
+Stack trace:
+#0 %s(%d): foo()
+#1 {main}
+  thrown in %s029.php on line %d
diff --git a/Zend/tests/return_types/bug71092.phpt b/Zend/tests/return_types/bug71092.phpt
new file mode 100644
index 0000000000..a1ebc79085
--- /dev/null
+++ b/Zend/tests/return_types/bug71092.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #71092 (Segmentation fault with return type hinting)
+--INI--
+opcache.enable=0
+--FILE--
+<?php
+
+function boom(): array {
+	$data = [['id']];
+	switch ($data[0]) {
+	case ['id']:
+		return;
+	}
+}
+
+boom();
+?>
+--EXPECTF--
+Fatal error: Uncaught TypeError: Return value of boom() must be of the type array, none returned in %sbug71092.php:%d
+Stack trace:
+#0 %s(%d): boom()
+#1 {main}
+  thrown in %sbug71092.php on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 34246bdc04..1609ba5127 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -3583,8 +3583,6 @@ void zend_compile_return(zend_ast *ast) /* {{{ */
 		zend_compile_expr(&expr_node, expr_ast);
 	}
 
-	zend_handle_loops_and_finally();
-
 	if (CG(context).in_finally) {
 		opline = zend_emit_op(NULL, ZEND_DISCARD_EXCEPTION, NULL, NULL);
 		opline->op1_type = IS_TMP_VAR;
@@ -3595,6 +3593,9 @@ void zend_compile_return(zend_ast *ast) /* {{{ */
 	if (!(CG(active_op_array)->fn_flags & ZEND_ACC_GENERATOR) && CG(active_op_array)->fn_flags & ZEND_ACC_HAS_RETURN_TYPE) {
 		zend_emit_return_type_check(expr_ast ? &expr_node : NULL, CG(active_op_array)->arg_info - 1);
 	}
+
+	zend_handle_loops_and_finally();
+
 	opline = zend_emit_op(NULL, by_ref ? ZEND_RETURN_BY_REF : ZEND_RETURN,
 		&expr_node, NULL);
 
-- 
2.50.1