From a2dcd44272dccaab22a13d587a13c4c60972063b Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Tue, 26 Jan 2021 15:15:18 +0100
Subject: [PATCH] Fix VAR return type verification

We should also set retval_ref when de-indirecting. Otherwise the retval_ref != retval_ptr comparison below may incorrect assume that we're returning a reference. I don't have a reliable reproducer for this issue, but it sometimes appears in certain configurations in arrow_functions/007.phpt in conjunction with other changes.
---
 Zend/zend_vm_def.h | 2 +-
 Zend/zend_vm_execute.h | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 2932bfbdfa..693578675f 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -4185,7 +4185,7 @@ ZEND_VM_COLD_CONST_HANDLER(124, ZEND_VERIFY_RETURN_TYPE, CONST|TMP|VAR|UNUSED|CV
 retval_ref = retval_ptr = EX_VAR(opline->result.var);
 } else if (OP1_TYPE == IS_VAR) {
 if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) {
- retval_ptr = Z_INDIRECT_P(retval_ptr);
+ retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr);
 }
 ZVAL_DEREF(retval_ptr);
 } else if (OP1_TYPE == IS_CV) {
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 60d725b365..731c4af769 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -9723,7 +9723,7 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYP retval_ref = retval_ptr = EX_VAR(opline->result.var); } else if (IS_CONST == IS_VAR) { if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) { - retval_ptr = Z_INDIRECT_P(retval_ptr); + retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr); } ZVAL_DEREF(retval_ptr); } else if (IS_CONST == IS_CV) {
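Review bot: The invariant this change restores in the `OP1_TYPE == IS_VAR` branch of Zend/zend_vm_def.h — `retval_ref` and `retval_ptr` may differ only because `ZVAL_DEREF` followed a reference — is not written down anywhere in the hunk, and the commit message says there is no reliable reproducer, so nothing would catch a regression. I would add a comment on the de-indirection line, e.g. `/* keep retval_ref in sync: retval_ref != retval_ptr below must mean "is a reference" */`, and a debug check after `ZVAL_DEREF(retval_ptr);` such as `ZEND_ASSERT(retval_ref == retval_ptr || Z_ISREF_P(retval_ref));`. The comparison that consumes these pointers lies outside the hunk, so its effect cannot be confirmed here; if that code reads `retval_ref` as a reference, a stale INDIRECT slot would be treated as the wrong zval type, which is a memory-safety concern and not only a wrong verification result. The zend_vm_execute.h hunks repeat the same line in what appear to be generated specialisations of this handler.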
@@ -20077,7 +20077,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYPE_SPEC_TMP_UN retval_ref = retval_ptr = EX_VAR(opline->result.var); } else if (IS_TMP_VAR == IS_VAR) { if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) { - retval_ptr = Z_INDIRECT_P(retval_ptr); + retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr); } ZVAL_DEREF(retval_ptr); } else if (IS_TMP_VAR == IS_CV) { @@ -27692,7 +27692,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYPE_SPEC_VAR_UN retval_ref = retval_ptr = EX_VAR(opline->result.var); } else if (IS_VAR == IS_VAR) { if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) { - retval_ptr = Z_INDIRECT_P(retval_ptr); + retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr); } ZVAL_DEREF(retval_ptr); } else if (IS_VAR == IS_CV) { @@ -34892,7 +34892,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYPE_SPEC_UNUSED retval_ref = retval_ptr = EX_VAR(opline->result.var); } else if (IS_UNUSED == IS_VAR) { if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) { - retval_ptr = Z_INDIRECT_P(retval_ptr); + retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr); } ZVAL_DEREF(retval_ptr); } else if (IS_UNUSED == IS_CV) { @@ -46594,7 +46594,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYPE_SPEC_CV_UNU retval_ref = retval_ptr = EX_VAR(opline->result.var); } else if (IS_CV == IS_VAR) { if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) { - retval_ptr = Z_INDIRECT_P(retval_ptr); + retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr); } ZVAL_DEREF(retval_ptr); } else if (IS_CV == IS_CV) { -- 2.50.1