wip

Author: iluuu1994

Zend/tests/bug78598.phpt

@@ -12,7 +12,7 @@ $my_var[0] .= "xyz";
 var_dump($my_var);
 
 $my_var = null;
-$my_var[0][0][0] .= "xyz";
+$my_var[0][0] .= "xyz";
 var_dump($my_var);
 
 $my_var = null;

Zend/zend.c

@@ -1718,7 +1718,8 @@ ZEND_API void zend_free_recorded_errors(void)
 	EG(num_errors) = 0;
 }
 
-ZEND_API ZEND_COLD void zend_error_delayed(int type, const char *format, ...) {
+ZEND_API ZEND_COLD void zend_error_delayed(int type, const char *format, ...)
+{
 	ZEND_ASSERT(!(type & E_FATAL_ERRORS) && "Cannot delay fatal error");
 	zend_error_info *info = emalloc(sizeof(zend_error_info));
 	info->type = type;

Zend/zend_execute.c

@@ -2500,6 +2500,7 @@ static zend_always_inline zval *zend_fetch_dimension_address_inner(HashTable *ht
 					retval = &EG(uninitialized_zval);
 					break;
 				case BP_VAR_RW:
+					// retval = zend_undefined_offset_write(ht, hval);
 					zend_undefined_offset_delayed(hval);
 					retval = zend_hash_index_add_new(ht, hval, &EG(uninitialized_zval));
 					break;

Zend/zend_globals.h

@@ -246,6 +246,13 @@ struct _zend_executor_globals {
 	zend_object *exception, *prev_exception;
 	const zend_op *opline_before_exception;
 	zend_op exception_op[3];
+	/* FIXME: Is this safe for VM reentry? We may have to save/restore this value. */
+	/* Index 1-2 are always set to HANDLE_DELAYED_ERROR. When emitting a delayed error, we set
+	 * EG(current_execute_data)->opline to index 0. Index 0 is used for delaying notices of
+	 * FETCH/ASSIGN sequences. If HANDLE_DELAYED_ERROR detects that the last opcode produced an
+	 * INDIRECT value it sets EG(delayed_error_op)[0] to the next opcode. After the opcode has
+	 * executed it advances once again to the HANDLE_DELAYED_ERROR opcode which will repeat this
+	 * check. If the last opcode did not produce an INDIRECT value, it can safely emit the warning. */
 	zend_op delayed_error_op[3];
 
 	struct _zend_module_entry *current_module;

Zend/zend_vm_def.h

@@ -1163,7 +1163,9 @@ ZEND_VM_C_LABEL(assign_dim_op_array):
 		SEPARATE_ARRAY(container);
 		ht = Z_ARRVAL_P(container);
 ZEND_VM_C_LABEL(assign_dim_op_new_array):
-		dim = GET_OP2_ZVAL_PTR_UNDEF(BP_VAR_R);
+		dim = OP2_TYPE == IS_CONST && opline == &EG(delayed_error_op)[0]
+			? RT_CONSTANT(EG(opline_before_exception), opline->op2)
+			: GET_OP2_ZVAL_PTR_UNDEF(BP_VAR_R);
 		if (OP2_TYPE == IS_UNUSED) {
 			var_ptr = zend_hash_next_index_insert(ht, &EG(uninitialized_zval));
 			if (UNEXPECTED(!var_ptr)) {
@@ -1210,7 +1212,9 @@ ZEND_VM_C_LABEL(assign_dim_op_new_array):
 		if (EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 			zend_object *obj = Z_OBJ_P(container);
 
-			dim = GET_OP2_ZVAL_PTR_UNDEF(BP_VAR_R);
+			dim = OP2_TYPE == IS_CONST && opline == &EG(delayed_error_op)[0]
+				? RT_CONSTANT(EG(opline_before_exception), opline->op2)
+				: GET_OP2_ZVAL_PTR_UNDEF(BP_VAR_R);
 			if (OP2_TYPE == IS_CONST && Z_EXTRA_P(dim) == ZEND_EXTRA_VALUE) {
 				dim++;
 			}
@@ -1234,7 +1238,9 @@ ZEND_VM_C_LABEL(assign_dim_op_new_array):
 			}
 			ZEND_VM_C_GOTO(assign_dim_op_new_array);
 		} else {
-			dim = GET_OP2_ZVAL_PTR(BP_VAR_R);
+			dim = OP2_TYPE == IS_CONST && opline == &EG(delayed_error_op)[0]
+				? RT_CONSTANT(EG(opline_before_exception), opline->op2)
+				: GET_OP2_ZVAL_PTR_UNDEF(BP_VAR_R);
 			zend_binary_assign_op_dim_slow(container, dim OPLINE_CC EXECUTE_DATA_CC);
 ZEND_VM_C_LABEL(assign_dim_op_ret_null):
 			FREE_OP_DATA();
@@ -8092,26 +8098,65 @@ ZEND_VM_HANDLER(149, ZEND_HANDLE_EXCEPTION, ANY, ANY)
 
 ZEND_VM_HANDLER(204, ZEND_HANDLE_DELAYED_ERROR, ANY, ANY)
 {
-	const zend_op *next_op = EG(opline_before_exception) + 1;
+	const zend_op *prev_op = EG(opline_before_exception);
+	bool delay = false;
+	switch (prev_op->opcode) {
+		case ZEND_FETCH_W:
+		case ZEND_FETCH_RW:
+		case ZEND_FETCH_FUNC_ARG:
+		case ZEND_FETCH_UNSET:
+		case ZEND_FETCH_DIM_W:
+		case ZEND_FETCH_DIM_RW:
+		case ZEND_FETCH_DIM_UNSET:
+		case ZEND_FETCH_LIST_W:
+		case ZEND_FETCH_OBJ_W:
+		case ZEND_FETCH_OBJ_RW:
+		case ZEND_FETCH_OBJ_UNSET:
+			delay = true;
+			break;
+	}
+
+	// FIXME: Is this guaranteed to be there?
+	const zend_op *next_op = prev_op + 1;
 	if (next_op->opcode == ZEND_OP_DATA) {
 		next_op++;
 	}
 
-	/* Clear EG(delayed_errors), as more errors may be delayed while we are handling these. */
-	HashTable ht;
-	memcpy(&ht, &EG(delayed_errors), sizeof(HashTable));
-	zend_hash_init(&EG(delayed_errors), 0, NULL, NULL, 0);
+	if (delay) {
+		EG(delayed_error_op)[0] = *next_op;
+		// FIXME: Is this guaranteed to be there?
+		if (next_op[1].opcode == ZEND_OP_DATA) {
+			EG(delayed_error_op)[1] = next_op[1];
+		} else {
+			/* Reset to ZEND_HANDLE_DELAYED_ERROR */
+			EG(delayed_error_op)[1] = EG(delayed_error_op)[2];
+		}
+		EG(opline_before_exception) = next_op;
+		EG(current_execute_data)->opline = EG(delayed_error_op);
 
-	zend_error_info *info;
-	ZEND_HASH_FOREACH_PTR(&ht, info) {
-		zend_error_zstr_at(info->type, info->filename, info->lineno, info->message);
-		zend_string_release(info->filename);
-		zend_string_release(info->message);
-		efree(info);
-	} ZEND_HASH_FOREACH_END();
-	zend_hash_destroy(&ht);
+		ZEND_VM_SET_NEXT_OPCODE(EG(delayed_error_op));
+	} else {
+		/* Clear EG(delayed_errors), as more errors may be delayed while we are handling these. */
+		HashTable ht;
+		memcpy(&ht, &EG(delayed_errors), sizeof(HashTable));
+		zend_hash_init(&EG(delayed_errors), 0, NULL, NULL, 0);
+
+		zend_error_info *info;
+		ZEND_HASH_FOREACH_PTR(&ht, info) {
+			zend_error_zstr_at(info->type, info->filename, info->lineno, info->message);
+			zend_string_release(info->filename);
+			zend_string_release(info->message);
+			efree(info);
+		} ZEND_HASH_FOREACH_END();
+		zend_hash_destroy(&ht);
+
+		if (EG(exception)) {
+			HANDLE_EXCEPTION();
+		}
+
+		ZEND_VM_SET_NEXT_OPCODE(next_op);
+	}
 
-	ZEND_VM_SET_NEXT_OPCODE(next_op);
 	ZEND_VM_CONTINUE();
 }