From f475edc2f10964f37e3900dd4c447e7cc0d4fb8c Mon Sep 17 00:00:00 2001 From: Deus Kane <3399275+qxzkjp@users.noreply.github.com> Date: Sat, 25 Jul 2020 12:02:01 +0100 Subject: [PATCH] Fixed bug #79897: Promoted constructor params with attribs cause crash This was caused by the attribute AST being used twice, and was fixed by creating a temporary copy of it (and destroying said copy) when neccesary. --- NEWS | 2 ++ Zend/tests/bug79897.phpt | 32 ++++++++++++++++++++++++++++++++ Zend/zend_compile.c | 9 ++++++++- 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 Zend/tests/bug79897.phpt diff --git a/NEWS b/NEWS index e64b2efad8..df92b5fe79 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,8 @@ PHP NEWS (cmb) . Fixed bug #79108 (Referencing argument in a function makes it a reference in the stack trace). (Nikita) + . Fixed bug #79897 (Promoted constructor params with attribs cause crash). + (Deus Kane) - JIT: . Fixed bug #79864 (JIT segfault in Symfony OptionsResolver). (Dmitry) diff --git a/Zend/tests/bug79897.phpt b/Zend/tests/bug79897.phpt new file mode 100644 index 0000000000..ed79318c76 --- /dev/null +++ b/Zend/tests/bug79897.phpt @@ -0,0 +1,32 @@ +--TEST-- +bug79897: Promoted constructor params with attribs cause crash +--FILE-- +getAttributes()[0]->getArguments()); +var_dump((new ReflectionProperty('A', 'b'))->getAttributes()[0]->getArguments()); +?> +--EXPECT-- +array(1) { + [0]=> + int(12) +} +array(1) { + [0]=> + int(12) +} diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c index a2ec221a01..790b2acc89 100644 --- a/Zend/zend_compile.c +++ b/Zend/zend_compile.c 
@@ -6197,6 +6197,12 @@ void zend_compile_params(zend_ast *ast, zend_ast *return_type_ast, uint32_t fall
 zend_op *opline;
 zend_arg_info *arg_info;
+ zend_ast_ref *attributes_copy = NULL;
+
+ if (visibility && attributes_ast) {
+ attributes_copy = zend_ast_copy(attributes_ast);
+ }
+
 if (zend_is_auto_global(name)) {
 zend_error_noreturn(E_COMPILE_ERROR, "Cannot re-assign auto-global variable %s", ZSTR_VAL(name));
@@ -6350,7 +6356,8 @@ void zend_compile_params(zend_ast *ast, zend_ast *return_type_ast, uint32_t fall
 scope, name, &default_value, visibility | ZEND_ACC_PROMOTED, doc_comment, type);
 if (attributes_ast) {
 zend_compile_attributes(
- &prop->attributes, attributes_ast, 0, ZEND_ATTRIBUTE_TARGET_PROPERTY);
+ &prop->attributes, GC_AST(attributes_copy), 0, ZEND_ATTRIBUTE_TARGET_PROPERTY);
+ zend_ast_ref_destroy(attributes_copy);
 }
 }
 }
-- 
2.50.1
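Review bot: `attributes_copy` is allocated at the top of the loop body in the first zend_compile.c hunk but is only released in the later hunk at -6350, and the `zend_error_noreturn(E_COMPILE_ERROR, ...)` call visible just below the copy is one exit that never reaches `zend_ast_ref_destroy()`. Whether that leaks depends on how compile errors unwind, which is not visible here, so the ownership should at least be written down above the declaration, for example `/* Attribute AST is used twice for promoted params; the property gets this private copy, destroyed after its attributes are compiled. */`. The body of zend_compile_params starts and ends outside the hunk.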
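Review bot: The block that consumes the copy in the second zend_compile.c hunk is still guarded by `if (attributes_ast)`, while the copy was created under `visibility && attributes_ast`, so `GC_AST(attributes_copy)` would be applied to a NULL pointer if this code can run with `visibility` equal to zero. The enclosing condition starts outside the hunk and may already rule that out, but testing the pointer that is actually used ties allocation, use and release to one condition: `if (attributes_copy) {`. That also keeps the property path safe if the outer condition is ever changed independently of the copy's guard.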