mirrors/php-src
0
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-01-09 20:44:33 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.0' into PHP-8.1

Browse Source 
* PHP-8.0:
  Fix incorrect optimization of ASSIGN_OP that may lead to memory leak
This commit is contained in:
Dmitry Stogov 2021-12-20 15:17:30 +03:00
commit ca3f7b0a73
2 changed files with 40 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Zend/Optimizer/dfa_pass.c
View File

@ -333,7 +333,7 @@ static inline bool can_elide_return_type_check(
}
static bool opline_supports_assign_contraction(
zend_ssa *ssa, zend_op *opline, int src_var, uint32_t cv_var) {
zend_op_array *op_array, zend_ssa *ssa, zend_op *opline, int src_var, uint32_t cv_var) {
if (opline->opcode == ZEND_NEW) {
/* see Zend/tests/generators/aborted_yield_during_new.phpt */
return 0;
@ -367,6 +367,13 @@ static bool opline_supports_assign_contraction(
return opline->op1_type != IS_CV || opline->op1.var != cv_var;
}
if (opline->opcode == ZEND_ASSIGN_OP
&& opline->op1_type == IS_CV
&& opline->op1.var == cv_var
&& zend_may_throw(opline, &ssa->ops[ssa->vars[src_var].definition], op_array, ssa)) {
return 0;
}
return 1;
}
@ -1357,7 +1364,7 @@ void zend_dfa_optimize_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx
&& !ssa->vars[src_var].phi_use_chain
&& !ssa->vars[src_var].sym_use_chain
&& opline_supports_assign_contraction(
ssa, &op_array->opcodes[ssa->vars[src_var].definition],
op_array, ssa, &op_array->opcodes[ssa->vars[src_var].definition],
src_var, opline->result.var)
&& !variable_defined_or_used_in_range(ssa, EX_VAR_TO_NUM(opline->result.var),
ssa->vars[src_var].definition+1, op_1)
@ -1514,7 +1521,7 @@ void zend_dfa_optimize_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx
&& !ssa->vars[src_var].phi_use_chain
&& !ssa->vars[src_var].sym_use_chain
&& opline_supports_assign_contraction(
ssa, &op_array->opcodes[ssa->vars[src_var].definition],
op_array, ssa, &op_array->opcodes[ssa->vars[src_var].definition],
src_var, opline->op1.var)
&& !variable_defined_or_used_in_range(ssa, EX_VAR_TO_NUM(opline->op1.var),
ssa->vars[src_var].definition+1, op_1)

30
ext/opcache/tests/opt/assign_op_001.phpt Normal file
View File

@ -0,0 +1,30 @@
--TEST--
ASSIGN_OP 001: Incrrect optimization of ASSIGN_OP may lead to memory leak
--INI--
opcache.enable=1
opcache.enable_cli=1
opcache.optimization_level=-1
--FILE--
<?php
function test() {
for ($i = 0; $i < 10; $i++) {
$a = $a += $a < true;
$a += $a;
$a = [];
$a['b'] += 1;
}
}
test();
?>
--EXPECTF--
Warning: Undefined variable $a in %sassign_op_001.php on line 4
Warning: Undefined variable $a in %sassign_op_001.php on line 4
Warning: Undefined array key "b" in %sassign_op_001.php on line 7
Fatal error: Uncaught TypeError: Unsupported operand types: array + bool in %sassign_op_001.php:4
Stack trace:
#0 %sassign_op_001.php(10): test()
#1 {main}
thrown in %sassign_op_001.php on line 4