From dee19d11a105599726bc0722590584986c19ade9 Mon Sep 17 00:00:00 2001 From: George Peter Banyard Date: Mon, 21 Aug 2023 15:01:46 +0100 Subject: [PATCH 1/5] Fix oss-fuzz-61469: Undef dynamic property in ++/-- unset in error handler --- ..._dynamic_property_unset_error_handler.phpt | 29 ++++++++++++ Zend/zend_vm_def.h | 5 +++ Zend/zend_vm_execute.h | 45 +++++++++++++++++++ 3 files changed, 79 insertions(+) create mode 100644 Zend/tests/in-de-crement/oss-fuzz-61469_inc_dec_dynamic_property_unset_error_handler.phpt diff --git a/Zend/tests/in-de-crement/oss-fuzz-61469_inc_dec_dynamic_property_unset_error_handler.phpt b/Zend/tests/in-de-crement/oss-fuzz-61469_inc_dec_dynamic_property_unset_error_handler.phpt new file mode 100644 index 0000000000000..09322b23f2d6b --- /dev/null +++ b/Zend/tests/in-de-crement/oss-fuzz-61469_inc_dec_dynamic_property_unset_error_handler.phpt @@ -0,0 +1,29 @@ +--TEST-- +OSS Fuzz #61469: Undef variable in ++/-- for dynamic property that is unset in error handler +--FILE-- +a); + } +} +$c = new C; +set_error_handler([$c,'errorHandle']); + +($c->a++); +var_dump($c->a); + +($c->a--); +var_dump($c->a); + +(++$c->a); +var_dump($c->a); + +(--$c->a); +var_dump($c->a); +?> +--EXPECT-- +NULL +NULL +NULL +NULL diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 51f35118d9de4..f74fb98fba006 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -1328,6 +1328,11 @@ ZEND_VM_C_LABEL(pre_incdec_object): ZVAL_NULL(EX_VAR(opline->result.var)); } } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the propery is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if (OP2_TYPE == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 90f105f611e61..9bffdbee43242 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -23106,6 +23106,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_VAR_CONST_HAN ZVAL_NULL(EX_VAR(opline->result.var)); } } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the propery is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if (IS_CONST == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -26029,6 +26034,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_VAR_TMPVAR_HA ZVAL_NULL(EX_VAR(opline->result.var)); } } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the propery is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if ((IS_TMP_VAR|IS_VAR) == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -30324,6 +30334,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_VAR_CV_HANDLE ZVAL_NULL(EX_VAR(opline->result.var)); } } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the propery is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if (IS_CV == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -32798,6 +32813,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_UNUSED_CONST_ ZVAL_NULL(EX_VAR(opline->result.var)); } } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the propery is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if (IS_CONST == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -34855,6 +34875,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_UNUSED_TMPVAR ZVAL_NULL(EX_VAR(opline->result.var)); } } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the propery is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if ((IS_TMP_VAR|IS_VAR) == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -37351,6 +37376,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_UNUSED_CV_HAN ZVAL_NULL(EX_VAR(opline->result.var)); } } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the propery is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if (IS_CV == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -41514,6 +41544,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_CV_CONST_HAND ZVAL_NULL(EX_VAR(opline->result.var)); } } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the propery is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if (IS_CONST == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -45356,6 +45391,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_CV_TMPVAR_HAN ZVAL_NULL(EX_VAR(opline->result.var)); } } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the propery is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if ((IS_TMP_VAR|IS_VAR) == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -50742,6 +50782,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_CV_CV_HANDLER ZVAL_NULL(EX_VAR(opline->result.var)); } } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the propery is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if (IS_CV == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { From c2ab6e323af624cdc383f7ed43cf2d22f24a5306 Mon Sep 17 00:00:00 2001 From: George Peter Banyard Date: Tue, 22 Aug 2023 02:05:29 +0100 Subject: [PATCH 2/5] Handle all known cases Post increments are converted to pre increments if no return value is used. Ditto for decrement --- ..._dynamic_property_unset_error_handler.phpt | 16 ++++ ..._dynamic_property_unset_error_handler.phpt | 19 ++++ ..._dynamic_property_unset_error_handler.phpt | 19 ++++ ...dynamic_property_unset_error_handler.phpt} | 13 --- ..._dynamic_property_unset_error_handler.phpt | 16 ++++ Zend/zend_vm_def.h | 10 +++ Zend/zend_vm_execute.h | 90 +++++++++++++++++++ 7 files changed, 170 insertions(+), 13 deletions(-) create mode 100644 Zend/tests/in-de-crement/oss-fuzz-61469_binop_dynamic_property_unset_error_handler.phpt create mode 100644 Zend/tests/in-de-crement/oss-fuzz-61469_postdec_dynamic_property_unset_error_handler.phpt create mode 100644 Zend/tests/in-de-crement/oss-fuzz-61469_postinc_dynamic_property_unset_error_handler.phpt rename Zend/tests/in-de-crement/{oss-fuzz-61469_inc_dec_dynamic_property_unset_error_handler.phpt => oss-fuzz-61469_predec_dynamic_property_unset_error_handler.phpt} (73%) create mode 100644 Zend/tests/in-de-crement/oss-fuzz-61469_preinc_dynamic_property_unset_error_handler.phpt diff --git a/Zend/tests/in-de-crement/oss-fuzz-61469_binop_dynamic_property_unset_error_handler.phpt b/Zend/tests/in-de-crement/oss-fuzz-61469_binop_dynamic_property_unset_error_handler.phpt new file mode 100644 index 0000000000000..5330aa2ed48fa --- /dev/null +++ b/Zend/tests/in-de-crement/oss-fuzz-61469_binop_dynamic_property_unset_error_handler.phpt @@ -0,0 +1,16 @@ +--TEST-- +OSS Fuzz #61469: Undef variable in ++/-- for dynamic property that is unset in error handler +--FILE-- +a); + } +} +$c = new C; +set_error_handler([$c,'errorHandle']); +$c->a += 5; +var_dump($c->a); +?> +--EXPECT-- +NULL diff --git a/Zend/tests/in-de-crement/oss-fuzz-61469_postdec_dynamic_property_unset_error_handler.phpt b/Zend/tests/in-de-crement/oss-fuzz-61469_postdec_dynamic_property_unset_error_handler.phpt new file mode 100644 index 0000000000000..4db0011fb52df --- /dev/null +++ b/Zend/tests/in-de-crement/oss-fuzz-61469_postdec_dynamic_property_unset_error_handler.phpt @@ -0,0 +1,19 @@ +--TEST-- +OSS Fuzz #61469: Undef variable in ++/-- for dynamic property that is unset in error handler +--FILE-- +a); + } +} +$c = new C; +set_error_handler([$c,'errorHandle']); + +$v = ($c->a--); +var_dump($c->a); +var_dump($v); +?> +--EXPECT-- +NULL +NULL diff --git a/Zend/tests/in-de-crement/oss-fuzz-61469_postinc_dynamic_property_unset_error_handler.phpt b/Zend/tests/in-de-crement/oss-fuzz-61469_postinc_dynamic_property_unset_error_handler.phpt new file mode 100644 index 0000000000000..4db0011fb52df --- /dev/null +++ b/Zend/tests/in-de-crement/oss-fuzz-61469_postinc_dynamic_property_unset_error_handler.phpt @@ -0,0 +1,19 @@ +--TEST-- +OSS Fuzz #61469: Undef variable in ++/-- for dynamic property that is unset in error handler +--FILE-- +a); + } +} +$c = new C; +set_error_handler([$c,'errorHandle']); + +$v = ($c->a--); +var_dump($c->a); +var_dump($v); +?> +--EXPECT-- +NULL +NULL diff --git a/Zend/tests/in-de-crement/oss-fuzz-61469_inc_dec_dynamic_property_unset_error_handler.phpt b/Zend/tests/in-de-crement/oss-fuzz-61469_predec_dynamic_property_unset_error_handler.phpt similarity index 73% rename from Zend/tests/in-de-crement/oss-fuzz-61469_inc_dec_dynamic_property_unset_error_handler.phpt rename to Zend/tests/in-de-crement/oss-fuzz-61469_predec_dynamic_property_unset_error_handler.phpt index 09322b23f2d6b..10c6f0acb076e 100644 --- a/Zend/tests/in-de-crement/oss-fuzz-61469_inc_dec_dynamic_property_unset_error_handler.phpt +++ b/Zend/tests/in-de-crement/oss-fuzz-61469_predec_dynamic_property_unset_error_handler.phpt @@ -9,21 +9,8 @@ class C { } $c = new C; set_error_handler([$c,'errorHandle']); - -($c->a++); -var_dump($c->a); - -($c->a--); -var_dump($c->a); - -(++$c->a); -var_dump($c->a); - (--$c->a); var_dump($c->a); ?> --EXPECT-- NULL -NULL -NULL -NULL diff --git a/Zend/tests/in-de-crement/oss-fuzz-61469_preinc_dynamic_property_unset_error_handler.phpt b/Zend/tests/in-de-crement/oss-fuzz-61469_preinc_dynamic_property_unset_error_handler.phpt new file mode 100644 index 0000000000000..54192b64500ee --- /dev/null +++ b/Zend/tests/in-de-crement/oss-fuzz-61469_preinc_dynamic_property_unset_error_handler.phpt @@ -0,0 +1,16 @@ +--TEST-- +OSS Fuzz #61469: Undef variable in ++/-- for dynamic property that is unset in error handler +--FILE-- +a); + } +} +$c = new C; +set_error_handler([$c,'errorHandle']); +(++$c->a); +var_dump($c->a); +?> +--EXPECT-- +NULL diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index f74fb98fba006..247217fa06374 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -1059,6 +1059,11 @@ ZEND_VM_C_LABEL(assign_op_object): zval *orig_zptr = zptr; zend_reference *ref; + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -1404,6 +1409,11 @@ ZEND_VM_C_LABEL(post_incdec_object): if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if (OP2_TYPE == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 9bffdbee43242..c6ab0b84d878d 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -22885,6 +22885,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_VAR_CONST_H zval *orig_zptr = zptr; zend_reference *ref; + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -23176,6 +23181,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_VAR_CONST_HA if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if (IS_CONST == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -25811,6 +25821,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_VAR_TMPVAR_ zval *orig_zptr = zptr; zend_reference *ref; + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -26105,6 +26120,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_VAR_TMPVAR_H if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if ((IS_TMP_VAR|IS_VAR) == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -30113,6 +30133,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_VAR_CV_HAND zval *orig_zptr = zptr; zend_reference *ref; + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -30404,6 +30429,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_VAR_CV_HANDL if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if (IS_CV == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -32722,6 +32752,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_UNUSED_CONS zval *orig_zptr = zptr; zend_reference *ref; + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -32883,6 +32918,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_UNUSED_CONST if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if (IS_CONST == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -34784,6 +34824,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_UNUSED_TMPV zval *orig_zptr = zptr; zend_reference *ref; + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -34946,6 +34991,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_UNUSED_TMPVA if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if ((IS_TMP_VAR|IS_VAR) == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -37285,6 +37335,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_UNUSED_CV_H zval *orig_zptr = zptr; zend_reference *ref; + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -37446,6 +37501,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_UNUSED_CV_HA if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if (IS_CV == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -41323,6 +41383,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_CV_CONST_HA zval *orig_zptr = zptr; zend_reference *ref; + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -41614,6 +41679,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_CV_CONST_HAN if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if (IS_CONST == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -45168,6 +45238,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_CV_TMPVAR_H zval *orig_zptr = zptr; zend_reference *ref; + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -45462,6 +45537,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_CV_TMPVAR_HA if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if ((IS_TMP_VAR|IS_VAR) == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -50561,6 +50641,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_CV_CV_HANDL zval *orig_zptr = zptr; zend_reference *ref; + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -50852,6 +50937,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_CV_CV_HANDLE if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } if (IS_CV == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { From 9bde7226428a8eaae20730e50b041d6a859596fb Mon Sep 17 00:00:00 2001 From: George Peter Banyard Date: Tue, 22 Aug 2023 03:00:58 +0100 Subject: [PATCH 3/5] Fix JIT --- ext/opcache/jit/zend_jit_helpers.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c index f9541bd7087dc..62b5c64a6732e 100644 --- a/ext/opcache/jit/zend_jit_helpers.c +++ b/ext/opcache/jit/zend_jit_helpers.c @@ -2663,6 +2663,11 @@ static void ZEND_FASTCALL zend_jit_assign_obj_op_helper(zend_object *zobj, zend_ /* special case for typed properties */ zend_jit_assign_op_to_typed_prop(zptr, prop_info, value, binary_op); } else { + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { + ZVAL_NULL(zptr); + } binary_op(zptr, zptr, value); } } while (0); @@ -2877,6 +2882,11 @@ static void ZEND_FASTCALL zend_jit_pre_inc_obj_helper(zend_object *zobj, zend_st break; } } + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(prop) == IS_UNDEF)) { + ZVAL_NULL(prop); + } if (UNEXPECTED(prop_info)) { zend_jit_inc_typed_prop(prop, prop_info); @@ -2947,6 +2957,11 @@ static void ZEND_FASTCALL zend_jit_pre_dec_obj_helper(zend_object *zobj, zend_st break; } } + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(prop) == IS_UNDEF)) { + ZVAL_NULL(prop); + } if (UNEXPECTED(prop_info)) { zend_jit_dec_typed_prop(prop, prop_info); @@ -3015,6 +3030,11 @@ static void ZEND_FASTCALL zend_jit_post_inc_obj_helper(zend_object *zobj, zend_s return; } } + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(prop) == IS_UNDEF)) { + ZVAL_NULL(prop); + } if (UNEXPECTED(prop_info)) { zend_jit_post_inc_typed_prop(prop, prop_info, result); @@ -3076,6 +3096,11 @@ static void ZEND_FASTCALL zend_jit_post_dec_obj_helper(zend_object *zobj, zend_s return; } } + /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic + * (e.g. undefined property warning) and the property is unset in the error handler */ + if (UNEXPECTED(Z_TYPE_P(prop) == IS_UNDEF)) { + ZVAL_NULL(prop); + } if (UNEXPECTED(prop_info)) { zend_jit_post_dec_typed_prop(prop, prop_info, result); From 1f15400686ba103ea178a3bb702808bb666df69c Mon Sep 17 00:00:00 2001 From: George Peter Banyard Date: Wed, 30 Aug 2023 20:50:53 +0100 Subject: [PATCH 4/5] Revert VM changes after related bugfix --- Zend/zend_vm_def.h | 15 ---- Zend/zend_vm_execute.h | 135 ----------------------------- ext/opcache/jit/zend_jit_helpers.c | 25 ------ 3 files changed, 175 deletions(-) diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 247217fa06374..51f35118d9de4 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -1059,11 +1059,6 @@ ZEND_VM_C_LABEL(assign_op_object): zval *orig_zptr = zptr; zend_reference *ref; - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -1333,11 +1328,6 @@ ZEND_VM_C_LABEL(pre_incdec_object): ZVAL_NULL(EX_VAR(opline->result.var)); } } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the propery is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if (OP2_TYPE == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -1409,11 +1399,6 @@ ZEND_VM_C_LABEL(post_incdec_object): if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if (OP2_TYPE == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index c6ab0b84d878d..90f105f611e61 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -22885,11 +22885,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_VAR_CONST_H zval *orig_zptr = zptr; zend_reference *ref; - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -23111,11 +23106,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_VAR_CONST_HAN ZVAL_NULL(EX_VAR(opline->result.var)); } } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the propery is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if (IS_CONST == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -23181,11 +23171,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_VAR_CONST_HA if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if (IS_CONST == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -25821,11 +25806,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_VAR_TMPVAR_ zval *orig_zptr = zptr; zend_reference *ref; - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -26049,11 +26029,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_VAR_TMPVAR_HA ZVAL_NULL(EX_VAR(opline->result.var)); } } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the propery is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if ((IS_TMP_VAR|IS_VAR) == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -26120,11 +26095,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_VAR_TMPVAR_H if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if ((IS_TMP_VAR|IS_VAR) == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -30133,11 +30103,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_VAR_CV_HAND zval *orig_zptr = zptr; zend_reference *ref; - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -30359,11 +30324,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_VAR_CV_HANDLE ZVAL_NULL(EX_VAR(opline->result.var)); } } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the propery is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if (IS_CV == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -30429,11 +30389,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_VAR_CV_HANDL if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if (IS_CV == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -32752,11 +32707,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_UNUSED_CONS zval *orig_zptr = zptr; zend_reference *ref; - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -32848,11 +32798,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_UNUSED_CONST_ ZVAL_NULL(EX_VAR(opline->result.var)); } } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the propery is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if (IS_CONST == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -32918,11 +32863,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_UNUSED_CONST if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if (IS_CONST == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -34824,11 +34764,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_UNUSED_TMPV zval *orig_zptr = zptr; zend_reference *ref; - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -34920,11 +34855,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_UNUSED_TMPVAR ZVAL_NULL(EX_VAR(opline->result.var)); } } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the propery is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if ((IS_TMP_VAR|IS_VAR) == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -34991,11 +34921,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_UNUSED_TMPVA if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if ((IS_TMP_VAR|IS_VAR) == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -37335,11 +37260,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_UNUSED_CV_H zval *orig_zptr = zptr; zend_reference *ref; - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -37431,11 +37351,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_UNUSED_CV_HAN ZVAL_NULL(EX_VAR(opline->result.var)); } } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the propery is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if (IS_CV == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -37501,11 +37416,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_UNUSED_CV_HA if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if (IS_CV == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -41383,11 +41293,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_CV_CONST_HA zval *orig_zptr = zptr; zend_reference *ref; - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -41609,11 +41514,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_CV_CONST_HAND ZVAL_NULL(EX_VAR(opline->result.var)); } } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the propery is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if (IS_CONST == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -41679,11 +41579,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_CV_CONST_HAN if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if (IS_CONST == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -45238,11 +45133,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_CV_TMPVAR_H zval *orig_zptr = zptr; zend_reference *ref; - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -45466,11 +45356,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_CV_TMPVAR_HAN ZVAL_NULL(EX_VAR(opline->result.var)); } } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the propery is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if ((IS_TMP_VAR|IS_VAR) == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -45537,11 +45422,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_CV_TMPVAR_HA if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if ((IS_TMP_VAR|IS_VAR) == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { @@ -50641,11 +50521,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_ASSIGN_OBJ_OP_SPEC_CV_CV_HANDL zval *orig_zptr = zptr; zend_reference *ref; - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } do { if (UNEXPECTED(Z_ISREF_P(zptr))) { ref = Z_REF_P(zptr); @@ -50867,11 +50742,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_PRE_INC_OBJ_SPEC_CV_CV_HANDLER ZVAL_NULL(EX_VAR(opline->result.var)); } } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the propery is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if (IS_CV == IS_CONST) { prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2); } else { @@ -50937,11 +50807,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_POST_INC_OBJ_SPEC_CV_CV_HANDLE if (UNEXPECTED(Z_ISERROR_P(zptr))) { ZVAL_NULL(EX_VAR(opline->result.var)); } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } if (IS_CV == IS_CONST) { prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2); } else { diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c index 62b5c64a6732e..f9541bd7087dc 100644 --- a/ext/opcache/jit/zend_jit_helpers.c +++ b/ext/opcache/jit/zend_jit_helpers.c @@ -2663,11 +2663,6 @@ static void ZEND_FASTCALL zend_jit_assign_obj_op_helper(zend_object *zobj, zend_ /* special case for typed properties */ zend_jit_assign_op_to_typed_prop(zptr, prop_info, value, binary_op); } else { - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) { - ZVAL_NULL(zptr); - } binary_op(zptr, zptr, value); } } while (0); @@ -2882,11 +2877,6 @@ static void ZEND_FASTCALL zend_jit_pre_inc_obj_helper(zend_object *zobj, zend_st break; } } - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(prop) == IS_UNDEF)) { - ZVAL_NULL(prop); - } if (UNEXPECTED(prop_info)) { zend_jit_inc_typed_prop(prop, prop_info); @@ -2957,11 +2947,6 @@ static void ZEND_FASTCALL zend_jit_pre_dec_obj_helper(zend_object *zobj, zend_st break; } } - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(prop) == IS_UNDEF)) { - ZVAL_NULL(prop); - } if (UNEXPECTED(prop_info)) { zend_jit_dec_typed_prop(prop, prop_info); @@ -3030,11 +3015,6 @@ static void ZEND_FASTCALL zend_jit_post_inc_obj_helper(zend_object *zobj, zend_s return; } } - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(prop) == IS_UNDEF)) { - ZVAL_NULL(prop); - } if (UNEXPECTED(prop_info)) { zend_jit_post_inc_typed_prop(prop, prop_info, result); @@ -3096,11 +3076,6 @@ static void ZEND_FASTCALL zend_jit_post_dec_obj_helper(zend_object *zobj, zend_s return; } } - /* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic - * (e.g. undefined property warning) and the property is unset in the error handler */ - if (UNEXPECTED(Z_TYPE_P(prop) == IS_UNDEF)) { - ZVAL_NULL(prop); - } if (UNEXPECTED(prop_info)) { zend_jit_post_dec_typed_prop(prop, prop_info, result); From d037398a3a638285025697d7a3d5df5362f6595b Mon Sep 17 00:00:00 2001 From: George Peter Banyard Date: Wed, 30 Aug 2023 20:52:36 +0100 Subject: [PATCH 5/5] Change test expectation after VM revert I'm really not sure this is the expected output --- ...s-fuzz-61469_binop_dynamic_property_unset_error_handler.phpt | 2 +- ...-fuzz-61469_preinc_dynamic_property_unset_error_handler.phpt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Zend/tests/in-de-crement/oss-fuzz-61469_binop_dynamic_property_unset_error_handler.phpt b/Zend/tests/in-de-crement/oss-fuzz-61469_binop_dynamic_property_unset_error_handler.phpt index 5330aa2ed48fa..7c3e7044ad550 100644 --- a/Zend/tests/in-de-crement/oss-fuzz-61469_binop_dynamic_property_unset_error_handler.phpt +++ b/Zend/tests/in-de-crement/oss-fuzz-61469_binop_dynamic_property_unset_error_handler.phpt @@ -13,4 +13,4 @@ $c->a += 5; var_dump($c->a); ?> --EXPECT-- -NULL +int(5) diff --git a/Zend/tests/in-de-crement/oss-fuzz-61469_preinc_dynamic_property_unset_error_handler.phpt b/Zend/tests/in-de-crement/oss-fuzz-61469_preinc_dynamic_property_unset_error_handler.phpt index 54192b64500ee..26c5eb4e0b1f5 100644 --- a/Zend/tests/in-de-crement/oss-fuzz-61469_preinc_dynamic_property_unset_error_handler.phpt +++ b/Zend/tests/in-de-crement/oss-fuzz-61469_preinc_dynamic_property_unset_error_handler.phpt @@ -13,4 +13,4 @@ set_error_handler([$c,'errorHandle']); var_dump($c->a); ?> --EXPECT-- -NULL +int(1)