Fix GH-10801: Named arguments in CTE functions cause a segfault

Fixes GH-10801

Named arguments are not supported by the constant evaluation routine, in
the sense that they are ignored. This causes two issues:
  - It causes a crash because not all oplines belonging to the call are
    removed, which results in SEND_VA{L,R} oplines that should've been removed.
  - It causes semantic issues (demonstrated in the test case).

This case never worked anyway, leading to crashes or incorrect behaviour,
so just prevent CTE of calls with named parameters for now.
We can choose to support it later, but introducing support for this in
a stable branch seems too dangerous.

This patch does not change the removal of SEND_* opcodes in remove_call
because the crash bug can't be triggered anymore with this patch as
there are no named parameters anymore and no variadic CTE functions
exist.

Closes GH-10811.
Niels Dossche 2023-03-08 22:49:41 +01:00
parent 49b2ff5dbb
commit 2c53d63197
3 changed files with 27 additions and 2 deletions

NEWS

@ -7,6 +7,8 @@ PHP NEWS
(Kévin Dunglas)
. Fixed use-after-free in recursive AST evaluation. (ilutov)
. Fixed bug GH-8646 (Memory leak PHP FPM 8.1). (nielsdos)
. Fixed bug GH-10801 (Named arguments in CTE functions cause a segfault).
(nielsdos)
- FTP:
. Propagate success status of ftp_close(). (nielsdos)


@ -1801,8 +1801,9 @@ static void sccp_visit_instr(scdf_ctx *scdf, zend_op *opline, zend_ssa_op *ssa_o
break;
}
/* We're only interested in functions with up to three arguments right now */
if (call->num_args > 3 || call->send_unpack || call->is_prototype) {
/* We're only interested in functions with up to three arguments right now.
* Note that named arguments with the argument in declaration order will still work. */
if (call->num_args > 3 || call->send_unpack || call->is_prototype || call->named_args) {
SET_RESULT_BOT(result);
break;
}
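Review bot: the new comment's claim that named arguments in declaration order "will still work" holds only because such calls are compiled as ordinary positional sends and never set `call->named_args` (the test's second call relies on exactly this), not because of anything this guard does; stating that in the comment avoids a reader assuming the flag is cleared here, e.g. `* In-order named arguments are compiled as positional sends, so they still reach the evaluator.` The first comment line also still says we are "only interested in functions with up to three arguments" while the condition now additionally rejects `call->named_args`; extend it with the reason ("... and without named arguments, since the evaluator resolves arguments positionally") so the `SET_RESULT_BOT(result)` path is documented for all four conditions.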


@ -0,0 +1,22 @@
--TEST--
GH-10801 (Named arguments in CTE functions cause a segfault)
--INI--
opcache.enable=1
opcache.enable_cli=1
opcache.optimization_level=0xe0
--EXTENSIONS--
opcache
--FILE--
<?php
// Named argument case and does not do CTE as expected
print_r(array_keys(array: [1 => 1], strict: true, filter_value: 0));
// Will not use named arguments and do CTE as expected
print_r(array_keys(array: [1 => 1], filter_value: 0, strict: true));
?>
--EXPECT--
Array
(
)
Array
(
)
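Review bot: the comment on the first call, `// Named argument case and does not do CTE as expected`, reads as if CTE is expected but fails, whereas the intent is that CTE is correctly skipped because `strict` and `filter_value` are passed out of declaration order; reword it to something like `// Out-of-order named arguments: CTE must be skipped and named semantics honoured`. The argument order of that first call should be kept exactly as written, because a positional misinterpretation would evaluate it as `array_keys([1 => 1], true, 0)` (loose comparison, `1 == true`) and print `[0] => 1` instead of the empty array the --EXPECT-- block requires; that difference is what makes this a regression test for the semantic issue and not only for the crash, and a short comment saying so would keep a future edit from "simplifying" the order.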