Handle undef value in assign_dim jit

nikic · nikic · commit e7663785a78a · 2021-09-13T11:09:00.000+02:00
We should report the undefined variable here and convert it to
null. Passing on undef is particularly insidious here, because
a write_dimension handler may insert it into a hash table
(observed with WeakMap).
diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c
@@ -1239,6 +1239,13 @@ static void ZEND_FASTCALL zend_jit_fetch_dim_obj_rw_helper(zval *object_ptr, zva
 
 static void ZEND_FASTCALL zend_jit_assign_dim_helper(zval *object_ptr, zval *dim, zval *value, zval *result)
 {
+	if (UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
+		const zend_op *op_data = EG(current_execute_data)->opline + 1;
+		ZEND_ASSERT(op_data->opcode == ZEND_OP_DATA && op_data->op1_type == IS_CV);
+		zend_jit_undefined_op_helper(op_data->op1.var);
+		value = &EG(uninitialized_zval);
+	}
+
 	if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) {
 		ZVAL_DEREF(value);
 		Z_OBJ_HT_P(object_ptr)->write_dimension(Z_OBJ_P(object_ptr), dim, value);
diff --git a/ext/opcache/tests/jit/assign_dim_002.phpt b/ext/opcache/tests/jit/assign_dim_002.phpt
@@ -81,6 +81,15 @@ function foo5() {
 }
 var_dump(foo5());
 
+
+function array_access_undef() {
+    $ao = new ArrayObject;
+    $ao[0] = $undef;
+    var_dump($ao[0]);
+}
+
+array_access_undef();
+
 ?>
 --EXPECTF--
 array(1) {
@@ -136,3 +145,6 @@ array(1) {
 }
 Cannot use a scalar value as an array
 int(1)
+
+Warning: Undefined variable $undef in %s on line %d
+NULL
