The address of $this is passed to a directly called internal constructor in execute_data->return_value.
Internal constructors should use the ZEND_CTOR_MAKE_NULL() macro (instead of the previous ZEND_NULL(EG(This))) to do the work.
This patch doesn't fix the problem for indirectly called constructors, e.g. parent::__construct().
* call-frame:
Simplify call-frame handling
Removed EG(active_symbol_table) and use corresponding value from EG(current_execute_data)
Use values from current_execute_data instead of globals where possible
Removed EG(called_scope) and use corresponding value from EG(current_execute_data)
Removed EG(in_execution). If EG(current_execute_data) is not NULL we are executing something.
Removed EG(opline_ptr) and use corresponding value from EG(current_execute_data)
Removed EG(active_op_array) and use corresponding value from EG(current_execute_data)
Unified call frame handling for user and internal functions. Now EG(current_execute_data) always points to the call frame of the currently executed function.
Fixed cleanup of incompletely passed parameters
Prohibited parameter redefinition
Fixed support for extra arguments in conjunction with variadic argument. Use compile time flags to check if we call constructor and result of ZEND_NEW is used or not.
Fixed uninitialized variables
Optimization
Changed zend_execute_data layout to reduce memory overhead
Help C compiler to do a better job optimizing target code
Use fast comparison for (func->type == ZEND_USER_FUNCTION || func->type == ZEND_EVAL_CODE)
Keep extra args in the same VM stack segment (after all CV and TMP vars)
Refactoring: merge call_frame and zend_execute_data into single data structure. Keep only single copy of each argument on VM stack (previously ZE kept two copies of each argument for user functions)
Refactoring: use call_frames instead of call_slots
Conflicts:
Zend/zend_vm_def.h
Zend/zend_vm_execute.h
In PHP-5.6 and below each argument passed to user function was copied on VM stack twice.
Now we always have ZEND_INIT_FCALL (or similar) opcode that pushes "call frame" on top of VM stack.
"Call frame" is actually the same zend_execute_data structure.
All the following ZEND_SEND instructions push arguments on top of the stack in a way that they directly come into corresponding CV variables of the called frame. Extra arguments are copied at the end of stack frame (after all CV and TMP variables) on function entrance.
There are two minor incompatibilities:
1) It's not allowed to declare functions redefining arguments e.g. "function foo($a,$a) {}".
2) func_get_arg() and func_get_args() return the current value of argument and not the original value that was sent.
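The second incompatibility above can be observed from userland. The following script is an added example and is not part of the php-src commit: because arguments now live directly in the CV slots of the called frame, func_get_arg() and func_get_args() see any reassignment the function body has made. With PHP 5.6 the first call returns the original string; with this change it returns the reassigned one, as the commit message states. (Incompatibility 1, "function foo($a,$a) {}", is a compile-time error after this change and so cannot be shown in the same runnable file.)

```php
<?php
// Added example, not from the php-src commit: shows that func_get_arg() and
// func_get_args() now read the current CV value of each argument, not a
// separate copy of the value originally sent by the caller.

// Reassign the parameter, then ask the engine what argument 0 holds.
// Before the call-frame change: 'original'. After it: 'modified'.
function current_argument_value($a)
{
    $a = 'modified';
    return func_get_arg(0);
}

// Same effect for func_get_args(): both modified CVs are reported.
function current_argument_values($a, $b)
{
    $a = strtoupper($a);
    $b += 1;
    return func_get_args();
}

// Extra (non-declared) arguments are still reported; they are copied after
// the CV/TMP area of the frame, so they are unaffected by body reassignments.
function extra_arguments_kept($a)
{
    $a = null;
    return func_get_args();
}

var_dump(current_argument_value('original'));
var_dump(current_argument_values('x', 41));
var_dump(extra_arguments_kept('first', 'extra1', 'extra2'));
```

Code that relied on func_get_args() to recover the caller's original values after mutating a parameter (for example, argument logging or re-dispatch wrappers) should capture func_get_args() at the top of the function before any assignment.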
* master: (77 commits)
NEWS entry for Fix potential segfault in dns_get_record()
NEWS entry for "Fix potential segfault in dns_get_record()"
NEWS entry for Fix potential segfault in dns_get_record(
Fix potential segfault in dns_get_record()
Revert "Add optional second arg to unserialize()"
5.5.15 now
update NEWS
Fix bug #66127 (Segmentation fault with ArrayObject unset)
5.4.31 next
Add NEWS. This doesn't need UPGRADING (or an RFC), IMO.
Fix broken test.
Add a mime type map generation script and update the header.
Move the mime type map out of php_cli_server.c for easier generation.
Replace the CLI server's linear search for extensions with a hash table.
fix test
Remove unused included file
NEWS
NEWS
NEWS
Fixed Bug #67413 fileinfo: cdf_read_property_info insufficient boundary chec
...
Conflicts:
Zend/zend_closures.c
Zend/zend_execute.c
Zend/zend_vm_def.h
Zend/zend_vm_execute.h
ext/spl/spl_array.c
ext/standard/basic_functions.c
ext/standard/dns.c
ext/standard/var.c
Dereference the cached constant for Test::TEST as well (and not just
self::TEST).
Also improve the phpt file to test this case as well - previously
this only manifested with opcache enabled, due to literal sharing.
Additionally the Z_TYPE_P != IS_REFERENCE assertion is now moved
into the TMP_VAR fetching code (as it applies to more than just
property assignments.)
If a class is extended after the constant fetch has been cached
the cached value will be turned into a reference. On the next
fetch the polymorphic cache will return this reference, which
will be directly returned. The object assignment code then
dereferences this result and performs a shallow copy, which is
invalid for references. This subsequently leads to the constant
value being prematurely freed.
This is fixed by dereferencing the value returned from the
polymorphic cache. Furthermore the incorrect dereference in
the object assignment code is replaced with an assertion that
we're dealing with a non-reference, to ensure that this kind of
problem cannot go unnoticed in the future.