Merge branch 'PHP-7.4'

* PHP-7.4:
  Fixed bug #78598

Author: nikic

Zend/tests/bug70662.phpt

@@ -14,5 +14,5 @@ var_dump($a);
 --EXPECT--
 array(1) {
   ["b"]=>
-  int(1)
+  int(2)
 }

Zend/tests/bug78598.phpt

@@ -0,0 +1,31 @@
+--TEST--
+Bug #78598: Changing array during undef index RW error segfaults
+--FILE--
+<?php
+
+$my_var = null;
+set_error_handler(function() use(&$my_var) {
+    $my_var = 0;
+});
+
+$my_var[0] .= "xyz";
+var_dump($my_var);
+
+$my_var = null;
+$my_var[0][0][0] .= "xyz";
+var_dump($my_var);
+
+$my_var = null;
+$my_var["foo"] .= "xyz";
+var_dump($my_var);
+
+$my_var = null;
+$my_var["foo"]["bar"]["baz"] .= "xyz";
+var_dump($my_var);
+
+?>
+--EXPECT--
+int(0)
+int(0)
+int(0)
+int(0)

Zend/tests/undef_index_to_exception.phpt

@@ -0,0 +1,46 @@
+--TEST--
+Converting undefined index/offset notice to exception
+--FILE--
+<?php
+
+set_error_handler(function($_, $msg) {
+    throw new Exception($msg);
+});
+
+$test = [];
+try {
+    $test[0] .= "xyz";
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump($test);
+
+try {
+    $test["key"] .= "xyz";
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump($test);
+
+unset($test);
+try {
+    $GLOBALS["test"] .= "xyz";
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    var_dump($test);
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Undefined offset: 0
+array(0) {
+}
+Undefined index: key
+array(0) {
+}
+Undefined index: test
+Undefined variable $test

Zend/zend_execute.c

@@ -1909,6 +1909,44 @@ static zend_never_inline ZEND_COLD void ZEND_FASTCALL zend_undefined_index(const
 	zend_error(E_NOTICE, "Undefined index: %s", ZSTR_VAL(offset));
 }
 
+static zend_never_inline ZEND_COLD int ZEND_FASTCALL zend_undefined_offset_write(
+		HashTable *ht, zend_long lval)
+{
+	/* The array may be destroyed while throwing the notice.
+	 * Temporarily increase the refcount to detect this situation. */
+	if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
+		GC_ADDREF(ht);
+	}
+	zend_undefined_offset(lval);
+	if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
+		zend_array_destroy(ht);
+		return FAILURE;
+	}
+	if (EG(exception)) {
+		return FAILURE;
+	}
+	return SUCCESS;
+}
+
+static zend_never_inline ZEND_COLD int ZEND_FASTCALL zend_undefined_index_write(
+		HashTable *ht, zend_string *offset)
+{
+	/* The array may be destroyed while throwing the notice.
+	 * Temporarily increase the refcount to detect this situation. */
+	if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE)) {
+		GC_ADDREF(ht);
+	}
+	zend_undefined_index(offset);
+	if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(ht)) {
+		zend_array_destroy(ht);
+		return FAILURE;
+	}
+	if (EG(exception)) {
+		return FAILURE;
+	}
+	return SUCCESS;
+}
+
 static zend_never_inline ZEND_COLD void ZEND_FASTCALL zend_undefined_method(const zend_class_entry *ce, const zend_string *method)
 {
 	zend_throw_error(NULL, "Call to undefined method %s::%s()", ZSTR_VAL(ce->name), ZSTR_VAL(method));
@@ -2028,9 +2066,10 @@ static zend_always_inline zval *zend_fetch_dimension_address_inner(HashTable *ht
 				retval = &EG(uninitialized_zval);
 				break;
 			case BP_VAR_RW:
-				zend_undefined_offset(hval);
-				retval = zend_hash_index_update(ht, hval, &EG(uninitialized_zval));
-				break;
+				if (UNEXPECTED(zend_undefined_offset_write(ht, hval) == FAILURE)) {
+					return NULL;
+				}
+				/* break missing intentionally */
 			case BP_VAR_W:
 				retval = zend_hash_index_add_new(ht, hval, &EG(uninitialized_zval));
 				break;
@@ -2058,7 +2097,9 @@ static zend_always_inline zval *zend_fetch_dimension_address_inner(HashTable *ht
 							retval = &EG(uninitialized_zval);
 							break;
 						case BP_VAR_RW:
-							zend_undefined_index(offset_key);
+							if (UNEXPECTED(zend_undefined_index_write(ht, offset_key))) {
+								return NULL;
+							}
 							/* break missing intentionally */
 						case BP_VAR_W:
 							ZVAL_NULL(retval);
@@ -2076,9 +2117,10 @@ static zend_always_inline zval *zend_fetch_dimension_address_inner(HashTable *ht
 					retval = &EG(uninitialized_zval);
 					break;
 				case BP_VAR_RW:
-					zend_undefined_index(offset_key);
-					retval = zend_hash_update(ht, offset_key, &EG(uninitialized_zval));
-					break;
+					if (UNEXPECTED(zend_undefined_index_write(ht, offset_key) == FAILURE)) {
+						return NULL;
+					}
+					/* break missing intentionally */
 				case BP_VAR_W:
 					retval = zend_hash_add_new(ht, offset_key, &EG(uninitialized_zval));
 					break;
@@ -2143,7 +2185,9 @@ static zend_always_inline void zend_fetch_dimension_address(zval *result, zval *
 		} else {
 			retval = zend_fetch_dimension_address_inner(Z_ARRVAL_P(container), dim, dim_type, type EXECUTE_DATA_CC);
 			if (UNEXPECTED(!retval)) {
-				ZVAL_UNDEF(result);
+				/* This may fail without throwing if the array was modified while throwing an
+				 * undefined index error. */
+				ZVAL_NULL(result);
 				return;
 			}
 		}