Skip to content

Commit a50a1b6

Browse files
dstogovdstogov
committed
Merge branch 'PHP-8.0'
* PHP-8.0: Fixed bug #81051 (Broken property type handling after incrementing reference)
2 parents 795efd7 + ac65f6a commit a50a1b6

File tree

2 files changed

+50
-0
lines changed

2 files changed

+50
-0
lines changed

ext/opcache/jit/zend_jit_helpers.c

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2116,6 +2116,7 @@ static void ZEND_FASTCALL zend_jit_assign_op_to_typed_prop(zval *zptr, zend_prop
21162116
zend_execute_data *execute_data = EG(current_execute_data);
21172117
zval z_copy;
21182118

2119+
ZVAL_DEREF(zptr);
21192120
binary_op(&z_copy, zptr, value);
21202121
if (EXPECTED(zend_verify_property_type(prop_info, &z_copy, EX_USES_STRICT_TYPES()))) {
21212122
zval_ptr_dtor(zptr);
@@ -2198,6 +2199,7 @@ static void ZEND_FASTCALL zend_jit_inc_typed_prop(zval *var_ptr, zend_property_i
21982199
zend_execute_data *execute_data = EG(current_execute_data);
21992200
zval tmp;
22002201

2202+
ZVAL_DEREF(var_ptr);
22012203
ZVAL_COPY(&tmp, var_ptr);
22022204

22032205
increment_function(var_ptr);
@@ -2220,6 +2222,7 @@ static void ZEND_FASTCALL zend_jit_dec_typed_prop(zval *var_ptr, zend_property_i
22202222
zend_execute_data *execute_data = EG(current_execute_data);
22212223
zval tmp;
22222224

2225+
ZVAL_DEREF(var_ptr);
22232226
ZVAL_COPY(&tmp, var_ptr);
22242227

22252228
decrement_function(var_ptr);
@@ -2246,6 +2249,7 @@ static void ZEND_FASTCALL zend_jit_pre_inc_typed_prop(zval *var_ptr, zend_proper
22462249
result = &tmp;
22472250
}
22482251

2252+
ZVAL_DEREF(var_ptr);
22492253
ZVAL_COPY(result, var_ptr);
22502254

22512255
increment_function(var_ptr);
@@ -2276,6 +2280,7 @@ static void ZEND_FASTCALL zend_jit_pre_dec_typed_prop(zval *var_ptr, zend_proper
22762280
result = &tmp;
22772281
}
22782282

2283+
ZVAL_DEREF(var_ptr);
22792284
ZVAL_COPY(result, var_ptr);
22802285

22812286
decrement_function(var_ptr);
@@ -2301,6 +2306,7 @@ static void ZEND_FASTCALL zend_jit_post_inc_typed_prop(zval *var_ptr, zend_prope
23012306
{
23022307
zend_execute_data *execute_data = EG(current_execute_data);
23032308

2309+
ZVAL_DEREF(var_ptr);
23042310
ZVAL_COPY(result, var_ptr);
23052311

23062312
increment_function(var_ptr);
@@ -2321,6 +2327,7 @@ static void ZEND_FASTCALL zend_jit_post_dec_typed_prop(zval *var_ptr, zend_prope
23212327
{
23222328
zend_execute_data *execute_data = EG(current_execute_data);
23232329

2330+
ZVAL_DEREF(var_ptr);
23242331
ZVAL_COPY(result, var_ptr);
23252332

23262333
decrement_function(var_ptr);

ext/opcache/tests/jit/bug81051.phpt

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
--TEST--
2+
Bug #80839: PHP problem with JIT
3+
--INI--
4+
opcache.enable=1
5+
opcache.enable_cli=1
6+
opcache.jit_buffer_size=1M
7+
opcache.jit=1205
8+
--SKIPIF--
9+
<?php require_once('skipif.inc'); ?>
10+
--FILE--
11+
<?php
12+
class Binary{
13+
public static function readUnsignedVarInt(string $buffer, int &$offset) : int{
14+
$offset++;
15+
return 0;
16+
}
17+
}
18+
19+
class BinaryStream{
20+
21+
private string $buffer;
22+
private int $offset;
23+
24+
public function __construct(string $buffer, int $offset = 0){
25+
$this->buffer = $buffer;
26+
$this->offset = $offset;
27+
}
28+
29+
public function getUnsignedVarInt() : int{
30+
return Binary::readUnsignedVarInt($this->buffer, $this->offset);
31+
}
32+
33+
public function get(int $len) : string{
34+
return $len === 1 ? $this->buffer[$this->offset++] : substr($this->buffer, ($this->offset += $len) - $len, $len);
35+
}
36+
}
37+
$stream = new BinaryStream(str_repeat("\x01a", 1000));
38+
var_dump($stream->getUnsignedVarInt());
39+
var_dump($stream->get(1));
40+
?>
41+
--EXPECT--
42+
int(0)
43+
string(1) "a"

0 commit comments

Comments
 (0)