summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--Zend/tests/qm_assign_ref_unwrap_leak.phpt20
-rw-r--r--Zend/zend_vm_def.h28
-rw-r--r--Zend/zend_vm_execute.h112
3 files changed, 110 insertions, 50 deletions
diff --git a/Zend/tests/qm_assign_ref_unwrap_leak.phpt b/Zend/tests/qm_assign_ref_unwrap_leak.phpt
new file mode 100644
index 0000000000..137aff5212
--- /dev/null
+++ b/Zend/tests/qm_assign_ref_unwrap_leak.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Leak in QM_ASSIGN when unwrapping references (rc=1)
+--FILE--
+<?php
+
+function &ref() {
+ $str = "str";
+ $str .= "str";
+ return $str;
+}
+
+var_dump(true ? ref() : ref());
+var_dump(ref() ?: ref());
+var_dump(ref() ?? ref());
+
+?>
+--EXPECT--
+string(6) "strstr"
+string(6) "strstr"
+string(6) "strstr"
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 3f149ec7ab..afd0b1a398 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -6696,9 +6696,10 @@ ZEND_VM_HANDLER(152, ZEND_JMP_SET, CONST|TMP|VAR|CV, JMP_ADDR)
} else if (OP1_TYPE == IS_VAR && ref) {
zend_reference *r = Z_REF_P(ref);
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
if (UNEXPECTED(--GC_REFCOUNT(r) == 0)) {
efree_size(r, sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(value)) {
+ Z_ADDREF_P(value);
}
}
ZEND_VM_JMP(OP_JMP_ADDR(opline, opline->op2));
@@ -6736,9 +6737,10 @@ ZEND_VM_HANDLER(169, ZEND_COALESCE, CONST|TMP|VAR|CV, JMP_ADDR)
} else if (OP1_TYPE == IS_VAR && ref) {
zend_reference *r = Z_REF_P(ref);
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
if (UNEXPECTED(--GC_REFCOUNT(r) == 0)) {
efree_size(r, sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(value)) {
+ Z_ADDREF_P(value);
}
}
ZEND_VM_JMP(OP_JMP_ADDR(opline, opline->op2));
@@ -6753,30 +6755,36 @@ ZEND_VM_HANDLER(22, ZEND_QM_ASSIGN, CONST|TMP|VAR|CV, ANY)
USE_OPLINE
zend_free_op free_op1;
zval *value;
+ zval *result = EX_VAR(opline->result.var);
value = GET_OP1_ZVAL_PTR_UNDEF(BP_VAR_R);
if (OP1_TYPE == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
SAVE_OPLINE();
GET_OP1_UNDEF_CV(value, BP_VAR_R);
- ZVAL_NULL(EX_VAR(opline->result.var));
+ ZVAL_NULL(result);
ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
}
- if ((OP1_TYPE == IS_VAR || OP1_TYPE == IS_CV) && Z_ISREF_P(value)) {
- ZVAL_COPY(EX_VAR(opline->result.var), Z_REFVAL_P(value));
- if (OP1_TYPE == IS_VAR) {
+ if (OP1_TYPE == IS_CV) {
+ ZVAL_DEREF(value);
+ ZVAL_COPY(result, value);
+ } else if (OP1_TYPE == IS_VAR) {
+ if (UNEXPECTED(Z_ISREF_P(value))) {
+ ZVAL_COPY_VALUE(result, Z_REFVAL_P(value));
if (UNEXPECTED(Z_DELREF_P(value) == 0)) {
efree_size(Z_REF_P(value), sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(result)) {
+ Z_ADDREF_P(result);
}
+ } else {
+ ZVAL_COPY_VALUE(result, value);
}
} else {
- ZVAL_COPY_VALUE(EX_VAR(opline->result.var), value);
+ ZVAL_COPY_VALUE(result, value);
if (OP1_TYPE == IS_CONST) {
if (UNEXPECTED(Z_OPT_COPYABLE_P(value))) {
- zval_copy_ctor_func(EX_VAR(opline->result.var));
+ zval_copy_ctor_func(result);
}
- } else if (OP1_TYPE == IS_CV) {
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
}
}
ZEND_VM_NEXT_OPCODE();
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 0ed33856f5..9a74e53e29 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -3728,9 +3728,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_JMP_SET_SPEC_CONST_HANDLER(ZEN
} else if (IS_CONST == IS_VAR && ref) {
zend_reference *r = Z_REF_P(ref);
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
if (UNEXPECTED(--GC_REFCOUNT(r) == 0)) {
efree_size(r, sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(value)) {
+ Z_ADDREF_P(value);
}
}
ZEND_VM_JMP(OP_JMP_ADDR(opline, opline->op2));
@@ -3767,9 +3768,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_COALESCE_SPEC_CONST_HANDLER(ZE
} else if (IS_CONST == IS_VAR && ref) {
zend_reference *r = Z_REF_P(ref);
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
if (UNEXPECTED(--GC_REFCOUNT(r) == 0)) {
efree_size(r, sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(value)) {
+ Z_ADDREF_P(value);
}
}
ZEND_VM_JMP(OP_JMP_ADDR(opline, opline->op2));
@@ -3783,30 +3785,36 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_QM_ASSIGN_SPEC_CONST_HANDLER(Z
USE_OPLINE
zval *value;
+ zval *result = EX_VAR(opline->result.var);
value = EX_CONSTANT(opline->op1);
if (IS_CONST == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
SAVE_OPLINE();
GET_OP1_UNDEF_CV(value, BP_VAR_R);
- ZVAL_NULL(EX_VAR(opline->result.var));
+ ZVAL_NULL(result);
ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
}
- if ((IS_CONST == IS_VAR || IS_CONST == IS_CV) && Z_ISREF_P(value)) {
- ZVAL_COPY(EX_VAR(opline->result.var), Z_REFVAL_P(value));
- if (IS_CONST == IS_VAR) {
+ if (IS_CONST == IS_CV) {
+ ZVAL_DEREF(value);
+ ZVAL_COPY(result, value);
+ } else if (IS_CONST == IS_VAR) {
+ if (UNEXPECTED(Z_ISREF_P(value))) {
+ ZVAL_COPY_VALUE(result, Z_REFVAL_P(value));
if (UNEXPECTED(Z_DELREF_P(value) == 0)) {
efree_size(Z_REF_P(value), sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(result)) {
+ Z_ADDREF_P(result);
}
+ } else {
+ ZVAL_COPY_VALUE(result, value);
}
} else {
- ZVAL_COPY_VALUE(EX_VAR(opline->result.var), value);
+ ZVAL_COPY_VALUE(result, value);
if (IS_CONST == IS_CONST) {
if (UNEXPECTED(Z_OPT_COPYABLE_P(value))) {
- zval_copy_ctor_func(EX_VAR(opline->result.var));
+ zval_copy_ctor_func(result);
}
- } else if (IS_CONST == IS_CV) {
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
}
}
ZEND_VM_NEXT_OPCODE();
@@ -12580,9 +12588,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_JMP_SET_SPEC_TMP_HANDLER(ZEND_
} else if (IS_TMP_VAR == IS_VAR && ref) {
zend_reference *r = Z_REF_P(ref);
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
if (UNEXPECTED(--GC_REFCOUNT(r) == 0)) {
efree_size(r, sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(value)) {
+ Z_ADDREF_P(value);
}
}
ZEND_VM_JMP(OP_JMP_ADDR(opline, opline->op2));
@@ -12620,9 +12629,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_COALESCE_SPEC_TMP_HANDLER(ZEND
} else if (IS_TMP_VAR == IS_VAR && ref) {
zend_reference *r = Z_REF_P(ref);
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
if (UNEXPECTED(--GC_REFCOUNT(r) == 0)) {
efree_size(r, sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(value)) {
+ Z_ADDREF_P(value);
}
}
ZEND_VM_JMP(OP_JMP_ADDR(opline, opline->op2));
@@ -12637,30 +12647,36 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_QM_ASSIGN_SPEC_TMP_HANDLER(ZEN
USE_OPLINE
zend_free_op free_op1;
zval *value;
+ zval *result = EX_VAR(opline->result.var);
value = _get_zval_ptr_tmp(opline->op1.var, execute_data, &free_op1);
if (IS_TMP_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
SAVE_OPLINE();
GET_OP1_UNDEF_CV(value, BP_VAR_R);
- ZVAL_NULL(EX_VAR(opline->result.var));
+ ZVAL_NULL(result);
ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
}
- if ((IS_TMP_VAR == IS_VAR || IS_TMP_VAR == IS_CV) && Z_ISREF_P(value)) {
- ZVAL_COPY(EX_VAR(opline->result.var), Z_REFVAL_P(value));
- if (IS_TMP_VAR == IS_VAR) {
+ if (IS_TMP_VAR == IS_CV) {
+ ZVAL_DEREF(value);
+ ZVAL_COPY(result, value);
+ } else if (IS_TMP_VAR == IS_VAR) {
+ if (UNEXPECTED(Z_ISREF_P(value))) {
+ ZVAL_COPY_VALUE(result, Z_REFVAL_P(value));
if (UNEXPECTED(Z_DELREF_P(value) == 0)) {
efree_size(Z_REF_P(value), sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(result)) {
+ Z_ADDREF_P(result);
}
+ } else {
+ ZVAL_COPY_VALUE(result, value);
}
} else {
- ZVAL_COPY_VALUE(EX_VAR(opline->result.var), value);
+ ZVAL_COPY_VALUE(result, value);
if (IS_TMP_VAR == IS_CONST) {
if (UNEXPECTED(Z_OPT_COPYABLE_P(value))) {
- zval_copy_ctor_func(EX_VAR(opline->result.var));
+ zval_copy_ctor_func(result);
}
- } else if (IS_TMP_VAR == IS_CV) {
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
}
}
ZEND_VM_NEXT_OPCODE();
@@ -16446,9 +16462,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_JMP_SET_SPEC_VAR_HANDLER(ZEND_
} else if (IS_VAR == IS_VAR && ref) {
zend_reference *r = Z_REF_P(ref);
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
if (UNEXPECTED(--GC_REFCOUNT(r) == 0)) {
efree_size(r, sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(value)) {
+ Z_ADDREF_P(value);
}
}
ZEND_VM_JMP(OP_JMP_ADDR(opline, opline->op2));
@@ -16486,9 +16503,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_COALESCE_SPEC_VAR_HANDLER(ZEND
} else if (IS_VAR == IS_VAR && ref) {
zend_reference *r = Z_REF_P(ref);
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
if (UNEXPECTED(--GC_REFCOUNT(r) == 0)) {
efree_size(r, sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(value)) {
+ Z_ADDREF_P(value);
}
}
ZEND_VM_JMP(OP_JMP_ADDR(opline, opline->op2));
@@ -16503,30 +16521,36 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_QM_ASSIGN_SPEC_VAR_HANDLER(ZEN
USE_OPLINE
zend_free_op free_op1;
zval *value;
+ zval *result = EX_VAR(opline->result.var);
value = _get_zval_ptr_var(opline->op1.var, execute_data, &free_op1);
if (IS_VAR == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
SAVE_OPLINE();
GET_OP1_UNDEF_CV(value, BP_VAR_R);
- ZVAL_NULL(EX_VAR(opline->result.var));
+ ZVAL_NULL(result);
ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
}
- if ((IS_VAR == IS_VAR || IS_VAR == IS_CV) && Z_ISREF_P(value)) {
- ZVAL_COPY(EX_VAR(opline->result.var), Z_REFVAL_P(value));
- if (IS_VAR == IS_VAR) {
+ if (IS_VAR == IS_CV) {
+ ZVAL_DEREF(value);
+ ZVAL_COPY(result, value);
+ } else if (IS_VAR == IS_VAR) {
+ if (UNEXPECTED(Z_ISREF_P(value))) {
+ ZVAL_COPY_VALUE(result, Z_REFVAL_P(value));
if (UNEXPECTED(Z_DELREF_P(value) == 0)) {
efree_size(Z_REF_P(value), sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(result)) {
+ Z_ADDREF_P(result);
}
+ } else {
+ ZVAL_COPY_VALUE(result, value);
}
} else {
- ZVAL_COPY_VALUE(EX_VAR(opline->result.var), value);
+ ZVAL_COPY_VALUE(result, value);
if (IS_VAR == IS_CONST) {
if (UNEXPECTED(Z_OPT_COPYABLE_P(value))) {
- zval_copy_ctor_func(EX_VAR(opline->result.var));
+ zval_copy_ctor_func(result);
}
- } else if (IS_VAR == IS_CV) {
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
}
}
ZEND_VM_NEXT_OPCODE();
@@ -35797,9 +35821,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_JMP_SET_SPEC_CV_HANDLER(ZEND_O
} else if (IS_CV == IS_VAR && ref) {
zend_reference *r = Z_REF_P(ref);
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
if (UNEXPECTED(--GC_REFCOUNT(r) == 0)) {
efree_size(r, sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(value)) {
+ Z_ADDREF_P(value);
}
}
ZEND_VM_JMP(OP_JMP_ADDR(opline, opline->op2));
@@ -35836,9 +35861,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_COALESCE_SPEC_CV_HANDLER(ZEND_
} else if (IS_CV == IS_VAR && ref) {
zend_reference *r = Z_REF_P(ref);
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
if (UNEXPECTED(--GC_REFCOUNT(r) == 0)) {
efree_size(r, sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(value)) {
+ Z_ADDREF_P(value);
}
}
ZEND_VM_JMP(OP_JMP_ADDR(opline, opline->op2));
@@ -35852,30 +35878,36 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_QM_ASSIGN_SPEC_CV_HANDLER(ZEND
USE_OPLINE
zval *value;
+ zval *result = EX_VAR(opline->result.var);
value = _get_zval_ptr_cv_undef(execute_data, opline->op1.var);
if (IS_CV == IS_CV && UNEXPECTED(Z_TYPE_P(value) == IS_UNDEF)) {
SAVE_OPLINE();
GET_OP1_UNDEF_CV(value, BP_VAR_R);
- ZVAL_NULL(EX_VAR(opline->result.var));
+ ZVAL_NULL(result);
ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
}
- if ((IS_CV == IS_VAR || IS_CV == IS_CV) && Z_ISREF_P(value)) {
- ZVAL_COPY(EX_VAR(opline->result.var), Z_REFVAL_P(value));
- if (IS_CV == IS_VAR) {
+ if (IS_CV == IS_CV) {
+ ZVAL_DEREF(value);
+ ZVAL_COPY(result, value);
+ } else if (IS_CV == IS_VAR) {
+ if (UNEXPECTED(Z_ISREF_P(value))) {
+ ZVAL_COPY_VALUE(result, Z_REFVAL_P(value));
if (UNEXPECTED(Z_DELREF_P(value) == 0)) {
efree_size(Z_REF_P(value), sizeof(zend_reference));
+ } else if (Z_OPT_REFCOUNTED_P(result)) {
+ Z_ADDREF_P(result);
}
+ } else {
+ ZVAL_COPY_VALUE(result, value);
}
} else {
- ZVAL_COPY_VALUE(EX_VAR(opline->result.var), value);
+ ZVAL_COPY_VALUE(result, value);
if (IS_CV == IS_CONST) {
if (UNEXPECTED(Z_OPT_COPYABLE_P(value))) {
- zval_copy_ctor_func(EX_VAR(opline->result.var));
+ zval_copy_ctor_func(result);
}
- } else if (IS_CV == IS_CV) {
- if (Z_OPT_REFCOUNTED_P(value)) Z_ADDREF_P(value);
}
}
ZEND_VM_NEXT_OPCODE();
View Lorry Controller Status