From a68e858d6908f8dc3f88a409d4a9740330ad219f Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@php.net>
Date: Wed, 28 Dec 2011 09:59:39 +0000
Subject: [PATCH] Fixed bug #60613 (Segmentation fault with $cls->{expr}()
 syntax)

---
 Zend/tests/bug60613.phpt | 19 +++++++++++++++++++
 Zend/zend_compile.c      |  3 ++-
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/bug60613.phpt

diff --git a/Zend/tests/bug60613.phpt b/Zend/tests/bug60613.phpt
new file mode 100644
index 0000000000..91b5369d3f
--- /dev/null
+++ b/Zend/tests/bug60613.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #60613 (Segmentation fault with $cls->{expr}() syntax)
+--FILE--
+<?php
+class Cls {
+    function __call($name, $arg) {
+    }
+}
+
+$cls = new Cls();
+$cls->{0}();
+$cls->{1.0}();
+$cls->{true}();
+$cls->{false}();
+$cls->{null}();
+echo "ok\n";
+--EXPECT--
+ok
+
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index c4e9291065..85d17f0d91 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -89,7 +89,8 @@
 	} while (0)
 
 #define FREE_POLYMORPHIC_CACHE_SLOT(literal) do { \
-		if (CG(active_op_array)->literals[literal].cache_slot == \
+		if (CG(active_op_array)->literals[literal].cache_slot != -1 && \
+		    CG(active_op_array)->literals[literal].cache_slot == \
 		    CG(active_op_array)->last_cache_slot - POLYMORPHIC_CACHE_SLOT_SIZE) { \
 			CG(active_op_array)->literals[literal].cache_slot = -1; \
 			CG(active_op_array)->last_cache_slot -= POLYMORPHIC_CACHE_SLOT_SIZE; \
-- 
2.40.0