Fix may_throw for ASSIGN_OBJ

nikic · nikic · commit 1548418461e0 · 2021-09-16T12:46:53.000+02:00
The code did not account for a number of possible exceptions.
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
@@ -4572,7 +4572,7 @@ int zend_may_throw_ex(const zend_op *opline, const zend_ssa_op *ssa_op, const ze
 			return (t1 & (MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_LONG|MAY_BE_DOUBLE)) || opline->op2_type == IS_UNUSED ||
 				(t2 & (MAY_BE_UNDEF|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE));
 		case ZEND_ASSIGN_OBJ:
-			if (t1 & (MAY_BE_ANY-(MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_OBJECT))) {
+			if (t1 & (MAY_BE_ANY-MAY_BE_OBJECT)) {
 				return 1;
 			}
 			if ((opline+1)->op1_type == IS_CV) {
@@ -4589,24 +4589,21 @@ int zend_may_throw_ex(const zend_op *opline, const zend_ssa_op *ssa_op, const ze
 					return 1;
 				}
 
-				if (op_array->scope != ce && ce->default_properties_count) {
-					zend_property_info *prop_info;
+				if (opline->op2_type != IS_CONST) {
+					return 1;
+				}
 
-					if (opline->op2_type == IS_CONST) {
-						prop_info = zend_hash_find_ptr(&ce->properties_info,
-							Z_STR_P(CRT_CONSTANT(opline->op2)));
-						if (prop_info && !(prop_info->flags & ZEND_ACC_PUBLIC)) {
-							return 1;
-						}
-					} else {
-						if (t2 & (MAY_BE_ANY-MAY_BE_STRING)) {
-							return 1;
-						}
-						ZEND_HASH_FOREACH_PTR(&ce->properties_info, prop_info) {
-							if (!(prop_info->flags & ZEND_ACC_PUBLIC)) {
-								return 1;
-							}
-						} ZEND_HASH_FOREACH_END();
+				zend_string *prop_name = Z_STR_P(CRT_CONSTANT(opline->op2));
+				if (ZSTR_LEN(prop_name) > 0 && ZSTR_VAL(prop_name)[0] == '\0') {
+					return 1;
+				}
+
+				if (op_array->scope != ce && ce->default_properties_count) {
+					zend_property_info *prop_info =
+						zend_hash_find_ptr(&ce->properties_info, prop_name);
+					if (prop_info && (!(prop_info->flags & ZEND_ACC_PUBLIC)
+								|| ZEND_TYPE_IS_SET(prop_info->type))) {
+						return 1;
 					}
 				}
 				return 0;
diff --git a/ext/opcache/tests/assign_obj_exceptions.phpt b/ext/opcache/tests/assign_obj_exceptions.phpt
@@ -0,0 +1,47 @@
+--TEST--
+Make sure various ASSIGN_OBJ exceptions are not optimized away
+--FILE--
+<?php
+
+class Test {
+    public stdClass $x;
+}
+
+function test_invalid_prop_type() {
+    $test = new Test;
+    $test->x = "";
+}
+function test_invalid_prop_name(string $name) {
+    $test = new stdClass;
+    $test->$name = null;
+}
+function test_invalid_obj_type($c) {
+    if ($c) {
+        $test = new stdClass;
+    } else {
+        $test = null;
+    }
+    $test->x = "";
+}
+
+try {
+    test_invalid_prop_type();
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    test_invalid_prop_name("\0");
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    test_invalid_obj_type(false);
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Cannot assign string to property Test::$x of type stdClass
+Cannot access property starting with "\0"
+Attempt to assign property "x" on null
