From 4c38a79f09d51c483f133c79b47b792f8dc90ebf Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Thu, 20 Apr 2023 15:41:50 +0200
Subject: [PATCH] Fix incorrect CG(memoize_mode) state after bailout in ??=

Fixes GH-11108
Closes GH-11109
---
 NEWS                            |  2 ++
 Zend/tests/gh11108.phpt         | 11 +++++++++++
 Zend/tests/gh11108_shutdown.inc |  5 +++++
 Zend/tests/gh11108_test.inc     |  3 +++
 Zend/zend.c                     |  1 +
 5 files changed, 22 insertions(+)
 create mode 100644 Zend/tests/gh11108.phpt
 create mode 100644 Zend/tests/gh11108_shutdown.inc
 create mode 100644 Zend/tests/gh11108_test.inc

diff --git a/NEWS b/NEWS
index 17294b82974..cb6c70b7608 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-10737 (PHP 8.1.16 segfaults on line 597 of
     sapi/apache2handler/sapi_apache2.c). (nielsdos, ElliotNB)
   . Fixed bug GH-11028 (Heap Buffer Overflow in zval_undefined_cv.). (nielsdos)
+  . Fixed bug GH-11108 (Incorrect CG(memoize_mode) state after bailout in ??=).
+    (ilutov)
 
 - DOM:
   . Fixed bug #80602 (Segfault when using DOMChildNode::before()).
diff --git a/Zend/tests/gh11108.phpt b/Zend/tests/gh11108.phpt
new file mode 100644
index 00000000000..efbd12dc367
--- /dev/null
+++ b/Zend/tests/gh11108.phpt
@@ -0,0 +1,11 @@
+--TEST--
+GH-11108: Incorrect CG(memoize_mode) state after bailout in ??=
+--FILE--
+<?php
+register_shutdown_function(function() {
+    include __DIR__ . '/gh11108_shutdown.inc';
+});
+include __DIR__ . '/gh11108_test.inc';
+?>
+--EXPECTF--
+Fatal error: Cannot use [] for reading in %s on line %d
diff --git a/Zend/tests/gh11108_shutdown.inc b/Zend/tests/gh11108_shutdown.inc
new file mode 100644
index 00000000000..34f8131d4a8
--- /dev/null
+++ b/Zend/tests/gh11108_shutdown.inc
@@ -0,0 +1,5 @@
+<?php
+
+function test() {
+    throw new Exception();
+}
diff --git a/Zend/tests/gh11108_test.inc b/Zend/tests/gh11108_test.inc
new file mode 100644
index 00000000000..2dd85eef49a
--- /dev/null
+++ b/Zend/tests/gh11108_test.inc
@@ -0,0 +1,3 @@
+<?php
+
+$messageList[] ??= true;
diff --git a/Zend/zend.c b/Zend/zend.c
index b14b2c701a5..a1b4e3ee397 100644
--- a/Zend/zend.c
+++ b/Zend/zend.c
@@ -1192,6 +1192,7 @@ ZEND_API ZEND_COLD ZEND_NORETURN void _zend_bailout(const char *filename, uint32
 	CG(unclean_shutdown) = 1;
 	CG(active_class_entry) = NULL;
 	CG(in_compilation) = 0;
+	CG(memoize_mode) = 0;
 	EG(current_execute_data) = NULL;
 	LONGJMP(*EG(bailout), FAILURE);
 }