Fix memory leak(null coalescing operator with Spl hash)

TysonAndre · TysonAndre · commit cdb7aafc23bd · 2016-11-20T15:46:13.000-08:00
The SEPARATE_ARG_IF_REF macro increased the refcount of the object passed as a
key.
However, when the key did not exist in the ArrayAccess implementation,
the code returned early without trying to decrement the refcount.

Add a test of `??` succeeding+failing on a SplObjectStorage instance.
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -736,9 +736,11 @@ zval *zend_std_read_dimension(zval *object, zval *offset, int type, zval *rv) /*
 		if (type == BP_VAR_IS) {
 			zend_call_method_with_1_params(object, ce, NULL, "offsetexists", rv, offset);
 			if (UNEXPECTED(Z_ISUNDEF_P(rv))) {
+				zval_ptr_dtor(offset);
 				return NULL;
 			}
 			if (!i_zend_is_true(rv)) {
+				zval_ptr_dtor(offset);
 				zval_ptr_dtor(rv);
 				return &EG(uninitialized_zval);
 			}
diff --git a/ext/spl/tests/observer_010.phpt b/ext/spl/tests/observer_010.phpt
@@ -0,0 +1,15 @@
+--TEST--
+SPL: SplObjectStorage null coalescing operator memory leak
+--FILE--
+<?php
+// In maintainer zts mode, this should no longer
+// detect memory leaks for the objects
+$a = new stdClass();
+$b = new stdClass();
+$map = new SplObjectStorage();
+$map[$a] = 'foo';
+var_dump($map[$b] ?? null);
+var_dump($map[$a] ?? null);
+--EXPECTF--
+NULL
+string(3) "foo"

Original file line number	Diff line number	Diff line change
`@@ -736,9 +736,11 @@ zval zend_std_read_dimension(zval object, zval offset, int type, zval rv) /*`
`736`	`736`	`if (type == BP_VAR_IS) {`
`737`	`737`	`zend_call_method_with_1_params(object, ce, NULL, "offsetexists", rv, offset);`
`738`	`738`	`if (UNEXPECTED(Z_ISUNDEF_P(rv))) {`
	`739`	`+ zval_ptr_dtor(offset);`
`739`	`740`	`return NULL;`
`740`	`741`	`}`
`741`	`742`	`if (!i_zend_is_true(rv)) {`
	`743`	`+ zval_ptr_dtor(offset);`
`742`	`744`	`zval_ptr_dtor(rv);`
`743`	`745`	`return &EG(uninitialized_zval);`
`744`	`746`	`}`