From b4112ea288b41d1f26ae5248beb18bccb4ca9b2d Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Fri, 16 Feb 2018 15:37:04 +0300
Subject: [PATCH] Don't make expectations about non-constant zval
 refcauntability

---
 Zend/zend_execute.h    | 12 ++++++++++--
 Zend/zend_vm_def.h     |  2 +-
 Zend/zend_vm_execute.h |  2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/Zend/zend_execute.h b/Zend/zend_execute.h
index 21c8ed7b6b..5da2e2d9b1 100644
--- a/Zend/zend_execute.h
+++ b/Zend/zend_execute.h
@@ -92,10 +92,14 @@ static zend_always_inline zval* zend_assign_to_variable(zval *variable_ptr, zval
 			garbage = Z_COUNTED_P(variable_ptr);
 			if (GC_DELREF(garbage) == 0) {
 				ZVAL_COPY_VALUE(variable_ptr, value);
-				if (value_type & (IS_CONST|IS_CV)) {
+				if (ZEND_CONST_COND(value_type  == IS_CONST, 0)) {
 					if (UNEXPECTED(Z_OPT_REFCOUNTED_P(variable_ptr))) {
 						Z_ADDREF_P(variable_ptr);
 					}
+				} else if (value_type & (IS_CONST|IS_CV)) {
+					if (Z_OPT_REFCOUNTED_P(variable_ptr)) {
+						Z_ADDREF_P(variable_ptr);
+					}
 				} else if (ZEND_CONST_COND(value_type == IS_VAR, 1) && UNEXPECTED(ref)) {
 					if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 						efree_size(ref, sizeof(zend_reference));
@@ -115,10 +119,14 @@ static zend_always_inline zval* zend_assign_to_variable(zval *variable_ptr, zval
 	} while (0);
 
 	ZVAL_COPY_VALUE(variable_ptr, value);
-	if (value_type & (IS_CONST|IS_CV)) {
+	if (ZEND_CONST_COND(value_type == IS_CONST, 0)) {
 		if (UNEXPECTED(Z_OPT_REFCOUNTED_P(variable_ptr))) {
 			Z_ADDREF_P(variable_ptr);
 		}
+	} else if (value_type & (IS_CONST|IS_CV)) {
+		if (Z_OPT_REFCOUNTED_P(variable_ptr)) {
+			Z_ADDREF_P(variable_ptr);
+		}
 	} else if (ZEND_CONST_COND(value_type == IS_VAR, 1) && UNEXPECTED(ref)) {
 		if (UNEXPECTED(GC_DELREF(ref) == 0)) {
 			efree_size(ref, sizeof(zend_reference));
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index c82dcd6115..d50a78b588 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -6100,7 +6100,7 @@ ZEND_VM_C_LABEL(fe_fetch_r_exit):
 		zend_refcounted *gc = Z_COUNTED_P(value);
 
 		ZVAL_COPY_VALUE_EX(res, value, gc, value_type);
-		if (EXPECTED(Z_TYPE_INFO_REFCOUNTED(value_type))) {
+		if (Z_TYPE_INFO_REFCOUNTED(value_type)) {
 			GC_ADDREF(gc);
 		}
 	}
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 256ec2a146..e7166571cc 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -22325,7 +22325,7 @@ fe_fetch_r_exit:
 		zend_refcounted *gc = Z_COUNTED_P(value);
 
 		ZVAL_COPY_VALUE_EX(res, value, gc, value_type);
-		if (EXPECTED(Z_TYPE_INFO_REFCOUNTED(value_type))) {
+		if (Z_TYPE_INFO_REFCOUNTED(value_type)) {
 			GC_ADDREF(gc);
 		}
 	}
-- 
2.50.1