Skip to content

Commit 1eb7061

Browse files
nikicnikic
committed
Avoid references in TMP var
Make sure we deref the OBJ_IS result, because we store it in a TMP var, which is not allowed to contain references and will cause assertion failures in the unspecialized VM. This also partially reverts fd463a9, which merged the TMP and VAR specializations of COALESCE to work around this bug. An alternative would be to change the result type of OBJ_IS back to VAR.
1 parent 9e4603f commit 1eb7061

File tree

4 files changed

+148
-82
lines changed

4 files changed

+148
-82
lines changed

Zend/zend_vm_def.h

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2311,7 +2311,7 @@ ZEND_VM_COLD_CONST_HANDLER(91, ZEND_FETCH_OBJ_IS, CONST|TMPVAR|UNUSED|THIS|CV, C
23112311
ZEND_VM_C_GOTO(fetch_obj_is_copy);
23122312
} else {
23132313
ZEND_VM_C_LABEL(fetch_obj_is_fast_copy):
2314-
ZVAL_COPY(EX_VAR(opline->result.var), retval);
2314+
ZVAL_COPY_DEREF(EX_VAR(opline->result.var), retval);
23152315
ZEND_VM_NEXT_OPCODE();
23162316
}
23172317
}
@@ -2355,7 +2355,9 @@ ZEND_VM_C_LABEL(fetch_obj_is_fast_copy):
23552355

23562356
if (retval != EX_VAR(opline->result.var)) {
23572357
ZEND_VM_C_LABEL(fetch_obj_is_copy):
2358-
ZVAL_COPY(EX_VAR(opline->result.var), retval);
2358+
ZVAL_COPY_DEREF(EX_VAR(opline->result.var), retval);
2359+
} else if (UNEXPECTED(Z_ISREF_P(retval))) {
2360+
zend_unwrap_reference(retval);
23592361
}
23602362
} while (0);
23612363

@@ -7126,7 +7128,7 @@ ZEND_VM_COLD_CONST_HANDLER(152, ZEND_JMP_SET, CONST|TMP|VAR|CV, JMP_ADDR)
71267128
ZEND_VM_NEXT_OPCODE();
71277129
}
71287130

7129-
ZEND_VM_COLD_CONST_HANDLER(169, ZEND_COALESCE, CONST|TMPVAR|CV, JMP_ADDR)
7131+
ZEND_VM_COLD_CONST_HANDLER(169, ZEND_COALESCE, CONST|TMP|VAR|CV, JMP_ADDR)
71307132
{
71317133
USE_OPLINE
71327134
zend_free_op free_op1;
@@ -7136,7 +7138,6 @@ ZEND_VM_COLD_CONST_HANDLER(169, ZEND_COALESCE, CONST|TMPVAR|CV, JMP_ADDR)
71367138
SAVE_OPLINE();
71377139
value = GET_OP1_ZVAL_PTR(BP_VAR_IS);
71387140

7139-
/* FETCH_OBJ_IS may return IS_REFERENCE in TMP_VAR */
71407141
if ((OP1_TYPE & (IS_VAR|IS_CV)) && Z_ISREF_P(value)) {
71417142
if (OP1_TYPE & IS_VAR) {
71427143
ref = value;

0 commit comments

Comments
 (0)