Fixed bug #66041: list() fails to unpack yielded ArrayAccess object

Yield return values now use IS_VAR rather than IS_TMP_VAR. This
fixes the issue with list() and should also be faster as it avoids
doing a zval copy.

Author: nikic

NEWS

@@ -4,6 +4,8 @@ PHP                                                                        NEWS
 
 - Core:
   . Added validation of class names in the autoload process. (Dmitry)
+  . Fixed buf #66041 (list() fails to unpack yielded ArrayAccess object).
+    (Nikita)
 
 - Date:
   . Fixed bug #66060 (Heap buffer over-read in DateInterval). (Remi)

Zend/tests/generators/bug66041.phpt

@@ -0,0 +1,17 @@
+--TEST--
+Bug #66041: list() fails to unpack yielded ArrayAccess object
+--FILE--
+<?php
+function dumpElement() {
+    list($value) = yield;
+    var_dump($value);
+};
+
+$fixedArray = new SplFixedArray(1);
+$fixedArray[0] = 'the element';
+
+$generator = dumpElement();
+$generator->send($fixedArray);
+?>
+--EXPECT--
+string(11) "the element"

Zend/zend_compile.c

@@ -2782,7 +2782,7 @@ void zend_do_yield(znode *result, znode *value, const znode *key, zend_bool is_v
 		SET_UNUSED(opline->op2);
 	}
 
-	opline->result_type = IS_TMP_VAR;
+	opline->result_type = IS_VAR;
 	opline->result.var = get_temporary_variable(CG(active_op_array));
 	GET_NODE(result, opline->result);
 }

Zend/zend_generators.c

@@ -55,6 +55,11 @@ ZEND_API void zend_generator_close(zend_generator *generator, zend_bool finished
 			zval_ptr_dtor(&execute_data->current_this);
 		}
 
+		if (!finished_execution && generator->send_target) {
+			Z_DELREF_PP(generator->send_target);
+			generator->send_target = NULL;
+		}
+
 		/* A fatal error / die occurred during the generator execution. Trying to clean
 		 * up the stack may not be safe in this case. */
 		if (CG(unclean_shutdown)) {
@@ -519,8 +524,12 @@ ZEND_METHOD(Generator, send)
 		return;
 	}
 
-	/* Put sent value into the TMP_VAR slot */
-	MAKE_COPY_ZVAL(&value, &generator->send_target->tmp_var);
+	/* Put sent value in the target VAR slot, if it is used */
+	if (generator->send_target) {
+		Z_DELREF_PP(generator->send_target);
+		Z_ADDREF_P(value);
+		*generator->send_target = value;
+	}
 
 	zend_generator_resume(generator TSRMLS_CC);
 

Zend/zend_generators.h

@@ -49,7 +49,7 @@ typedef struct _zend_generator {
 	/* Current key */
 	zval *key;
 	/* Variable to put sent value into */
-	temp_variable *send_target;
+	zval **send_target;
 	/* Largest used integer key for auto-incrementing keys */
 	long largest_used_integer_key;
 

Zend/zend_vm_def.h

@@ -5353,11 +5353,15 @@ ZEND_VM_HANDLER(160, ZEND_YIELD, CONST|TMP|VAR|CV|UNUSED, CONST|TMP|VAR|CV|UNUSE
 		ZVAL_LONG(generator->key, generator->largest_used_integer_key);
 	}
 
-	/* If a value is sent it should go into the result var */
-	generator->send_target = &EX_T(opline->result.var);
-
-	/* Initialize the sent value to NULL */
-	EX_T(opline->result.var).tmp_var = EG(uninitialized_zval);
+	if (RETURN_VALUE_USED(opline)) {
+		/* If the return value of yield is used set the send
+		 * target and initialize it to NULL */
+		generator->send_target = &EX_T(opline->result.var).var.ptr;
+		Z_ADDREF(EG(uninitialized_zval));
+		EX_T(opline->result.var).var.ptr = &EG(uninitialized_zval);
+	} else {
+		generator->send_target = NULL;
+	}
 
 	/* We increment to the next op, so we are at the correct position when the
 	 * generator is resumed. */