Re-fix Bug #65372 (Segfault in gc_zval_possible_root when return reference fails)

laruence · laruence · commit a831499b4a10 · 2013-08-06T15:37:20.000+08:00
Missed a zval_copy_ctor there
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -2914,6 +2914,7 @@ ZEND_VM_HANDLER(111, ZEND_RETURN_BY_REF, CONST|TMP|VAR|CV, ANY)
 
 					ALLOC_ZVAL(ret);
 					INIT_PZVAL_COPY(ret, *retval_ptr_ptr);
+					zval_copy_ctor(ret);
 					*EG(return_value_ptr_ptr) = ret;
 				}
 				break;
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
@@ -2328,6 +2328,7 @@ static int ZEND_FASTCALL  ZEND_RETURN_BY_REF_SPEC_CONST_HANDLER(ZEND_OPCODE_HAND
 
 					ALLOC_ZVAL(ret);
 					INIT_PZVAL_COPY(ret, *retval_ptr_ptr);
+					zval_copy_ctor(ret);
 					*EG(return_value_ptr_ptr) = ret;
 				}
 				break;
@@ -6749,6 +6750,7 @@ static int ZEND_FASTCALL  ZEND_RETURN_BY_REF_SPEC_TMP_HANDLER(ZEND_OPCODE_HANDLE
 
 					ALLOC_ZVAL(ret);
 					INIT_PZVAL_COPY(ret, *retval_ptr_ptr);
+					zval_copy_ctor(ret);
 					*EG(return_value_ptr_ptr) = ret;
 				}
 				break;
@@ -11063,6 +11065,7 @@ static int ZEND_FASTCALL  ZEND_RETURN_BY_REF_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLE
 
 					ALLOC_ZVAL(ret);
 					INIT_PZVAL_COPY(ret, *retval_ptr_ptr);
+					zval_copy_ctor(ret);
 					*EG(return_value_ptr_ptr) = ret;
 				}
 				break;
@@ -27040,6 +27043,7 @@ static int ZEND_FASTCALL  ZEND_RETURN_BY_REF_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER
 
 					ALLOC_ZVAL(ret);
 					INIT_PZVAL_COPY(ret, *retval_ptr_ptr);
+					zval_copy_ctor(ret);
 					*EG(return_value_ptr_ptr) = ret;
 				}
 				break;

Original file line number	Diff line number	Diff line change
`@@ -2914,6 +2914,7 @@ ZEND_VM_HANDLER(111, ZEND_RETURN_BY_REF, CONST\|TMP\|VAR\|CV, ANY)`
`2914`	`2914`
`2915`	`2915`	`ALLOC_ZVAL(ret);`
`2916`	`2916`	`INIT_PZVAL_COPY(ret, *retval_ptr_ptr);`
	`2917`	`+ zval_copy_ctor(ret);`
`2917`	`2918`	`*EG(return_value_ptr_ptr) = ret;`
`2918`	`2919`	`}`
`2919`	`2920`	`break;`