Combine BIND_STATIC with assignment

Author: iluuu1994

Zend/Optimizer/dce.c

@@ -246,6 +246,10 @@ static inline bool may_have_side_effects(
 				if ((opline->extended_value & (ZEND_BIND_IMPLICIT|ZEND_BIND_EXPLICIT))) {
 					return 1;
 				}
+				/* Modifies local variables and static variables which are observable through reflection */
+				if (opline->extended_value & ZEND_BIND_REF) {
+					return 1;
+				}
 			}
 			return 0;
 		case ZEND_CHECK_VAR:

Zend/tests/static_variables_destructor.phpt

@@ -0,0 +1,36 @@
+--TEST--
+Static variable assign triggering destructor
+--FILE--
+<?php
+
+class Foo {
+    public function __destruct() {
+        throw new Exception('__destruct() called');
+    }
+}
+
+function bar() {
+    echo "bar() called\n";
+    return 42;
+}
+
+function foo(bool $throw) {
+    if ($throw) {
+        $a = new Foo();
+    }
+    static $a = bar();
+    var_dump($a);
+}
+
+try {
+    foo(true);
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+foo(false);
+
+?>
+--EXPECT--
+bar() called
+__destruct() called
+int(42)

Zend/tests/static_variables_null.phpt

@@ -0,0 +1,23 @@
+--TEST--
+Static variable with null value doesn't retrigger the initializer
+--FILE--
+<?php
+
+function bar() {
+    echo "bar() called\n";
+    return null;
+}
+
+function foo() {
+    static $a = bar();
+    var_dump($a);
+}
+
+foo();
+foo();
+
+?>
+--EXPECT--
+bar() called
+NULL
+NULL

Zend/tests/static_variables_recursive.phpt

@@ -0,0 +1,29 @@
+--TEST--
+Static variable with recursive initializer
+--FILE--
+<?php
+
+function foo($i) {
+    static $a = $i <= 10 ? foo($i + 1) : 'Done';
+    var_dump($a);
+    return $i;
+}
+
+foo(0);
+foo(5);
+
+?>
+--EXPECT--
+string(4) "Done"
+string(4) "Done"
+string(4) "Done"
+string(4) "Done"
+string(4) "Done"
+string(4) "Done"
+string(4) "Done"
+string(4) "Done"
+string(4) "Done"
+string(4) "Done"
+string(4) "Done"
+string(4) "Done"
+string(4) "Done"

Zend/zend_compile.c

@@ -4877,9 +4877,7 @@ static void zend_compile_static_var(zend_ast *ast) /* {{{ */
 	}
 
 	if (!value_ast) {
-		zval value_zv;
-		ZVAL_NULL(&value_zv);
-		zend_compile_static_var_common(var_name, &value_zv, ZEND_BIND_REF);
+		zend_compile_static_var_common(var_name, &EG(uninitialized_zval), ZEND_BIND_REF);
 	} else {
 		zend_op *opline;
 
@@ -4898,7 +4896,7 @@ static void zend_compile_static_var(zend_ast *ast) /* {{{ */
 		}
 
 		zval *placeholder_ptr = zend_hash_update(CG(active_op_array)->static_variables, var_name, &EG(uninitialized_zval));
-		Z_TYPE_EXTRA_P(placeholder_ptr) = IS_TYPE_UNINITIALIZED;
+		Z_TYPE_EXTRA_P(placeholder_ptr) |= IS_TYPE_UNINITIALIZED;
 		uint32_t placeholder_offset = (uint32_t)((char*)placeholder_ptr - (char*)CG(active_op_array)->static_variables->arData);
 
 		uint32_t static_def_jmp_opnum = get_next_op_number();
@@ -4908,15 +4906,11 @@ static void zend_compile_static_var(zend_ast *ast) /* {{{ */
 		znode expr;
 		zend_compile_expr(&expr, value_ast);
 
-		opline = zend_emit_op(NULL, ZEND_BIND_STATIC, NULL, NULL);
+		opline = zend_emit_op(NULL, ZEND_BIND_STATIC, NULL, &expr);
 		opline->op1_type = IS_CV;
 		opline->op1.var = lookup_cv(var_name);
 		opline->extended_value = placeholder_offset | ZEND_BIND_REF;
 
-		opline = zend_emit_op(NULL, ZEND_ASSIGN, NULL, &expr);
-		opline->op1_type = IS_CV;
-		opline->op1.var = lookup_cv(var_name);
-
 		uint32_t skip_bind_static_jmp_opnum = zend_emit_jump(0);
 
 		zend_update_jump_target_to_next(static_def_jmp_opnum);

Zend/zend_vm_def.h

@@ -8843,7 +8843,7 @@ ZEND_VM_HANDLER(182, ZEND_BIND_LEXICAL, TMP, CV, REF)
 	ZEND_VM_NEXT_OPCODE();
 }
 
-ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, UNUSED, REF)
+ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, ANY, REF)
 {
 	USE_OPLINE
 	HashTable *ht;
@@ -8868,14 +8868,23 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, UNUSED, REF)
 			zend_reference *ref = (zend_reference*)emalloc(sizeof(zend_reference));
 			GC_SET_REFCOUNT(ref, 2);
 			GC_TYPE_INFO(ref) = GC_REFERENCE;
-			ZVAL_COPY_VALUE(&ref->val, value);
+			if (OP2_TYPE == IS_UNUSED) {
+				ZVAL_COPY_VALUE(&ref->val, value);
+			} else {
+				i_zval_ptr_dtor(value);
+				ZVAL_COPY(&ref->val, GET_OP2_ZVAL_PTR_DEREF(BP_VAR_R));
+				FREE_OP2();
+			}
 			ref->sources.ptr = NULL;
 			Z_REF_P(value) = ref;
 			Z_TYPE_INFO_P(value) = IS_REFERENCE_EX;
 			ZVAL_REF(variable_ptr, ref);
 		} else {
 			Z_ADDREF_P(value);
 			ZVAL_REF(variable_ptr, Z_REF_P(value));
+			if (OP2_TYPE != IS_UNUSED) {
+				FREE_OP2();
+			}
 		}
 	} else {
 		i_zval_ptr_dtor(variable_ptr);
@@ -8898,7 +8907,7 @@ ZEND_VM_HANDLER(203, ZEND_JMP_STATIC_DEF, ANY, JMP_ADDR)
 	ZEND_ASSERT(GC_REFCOUNT(ht) == 1);
 
 	value = (zval*)((char*)ht->arData + (opline->extended_value));
-	if (Z_TYPE_EXTRA_P(value) == IS_TYPE_UNINITIALIZED) {
+	if (Z_TYPE_EXTRA_P(value) & IS_TYPE_UNINITIALIZED) {
 		ZEND_VM_NEXT_OPCODE();
 	} else {
 		ZEND_VM_JMP_EX(OP_JMP_ADDR(opline, opline->op2), 0);

Zend/zend_vm_execute.h

@@ -1282,7 +1282,7 @@
 	_(2435, ZEND_FETCH_CLASS_CONSTANT_SPEC_VAR_CONST) \
 	_(2436, ZEND_FETCH_CLASS_CONSTANT_SPEC_UNUSED_CONST) \
 	_(2438, ZEND_BIND_LEXICAL_SPEC_TMP_CV) \
-	_(2439, ZEND_BIND_STATIC_SPEC_CV_UNUSED) \
+	_(2439, ZEND_BIND_STATIC_SPEC_CV) \
 	_(2440, ZEND_FETCH_THIS_SPEC_UNUSED_UNUSED) \
 	_(2441, ZEND_SEND_FUNC_ARG_SPEC_VAR_CONST) \
 	_(2444, ZEND_SEND_FUNC_ARG_SPEC_VAR_UNUSED) \

Zend/zend_vm_handlers.h

@@ -413,7 +413,7 @@ static uint32_t zend_vm_opcodes_flags[204] = {
 	0x00067000,
 	0x00040373,
 	0x00100101,
-	0x00100101,
+	0x00100001,
 	0x00000101,
 	0x00001301,
 	0x00000101,

Zend/zend_vm_opcodes.c

@@ -0,0 +1,27 @@
+--TEST--
+ReflectionMethod::getStaticVariables() should not bleed IS_TYPE_UNINITIALIZED
+--FILE--
+<?php
+
+function test() {
+    echo "test() called\n";
+    return 42;
+}
+
+function foo() {
+    $methodInfo = new ReflectionFunction(__FUNCTION__);
+    $null = $methodInfo->getStaticVariables()['a'];
+
+    static $a = test();
+    var_dump($a);
+    $a = $null;
+}
+
+foo();
+foo();
+
+?>
+--EXPECT--
+test() called
+int(42)
+NULL