Fix bug #67111

Loop variables need to be freed for both "break" and "continue".

I'm adding the test to Zend/ because it's good to have a test for
this even without opcache.

NEWS

@@ -31,6 +31,10 @@ PHP                                                                        NEWS
 - Mcrypt:
   . Fixed possible read after end of buffer and use after free. (Dmitry)
 
+- Opcache:
+  . Fixed bug #67111 (Memory leak when using "continue 2" inside two foreach
+    loops). (Nikita)
+
 - Pcntl:
   . Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler
     when setting SIG_DFL). (Julien)

Zend/tests/bug67111.phpt

@@ -0,0 +1,20 @@
+--TEST--
+Bug #67111: Memory leak when using "continue 2" inside two foreach loops
+--FILE--
+<?php
+
+$array1 = [1, 2, 3];
+$array2 = [1, 2, 3];
+
+foreach ($array1 as $x) {
+    foreach ($array2 as $y) {
+        echo "$x.$y\n";
+        continue 2;
+    }
+}
+
+?>
+--EXPECT--
+1.1
+2.1
+3.1

ext/opcache/Optimizer/pass2.c

@@ -175,9 +175,9 @@ if (ZEND_OPTIMIZER_PASS_2 & OPTIMIZATION_LEVEL) {
 						jmp_to = &op_array->brk_cont_array[array_offset];
 						array_offset = jmp_to->parent;
 						if (--nest_levels > 0) {
-							if (opline->opcode == ZEND_BRK &&
+							if (op_array->opcodes[jmp_to->brk].opcode == ZEND_FREE ||
-							    (op_array->opcodes[jmp_to->brk].opcode == ZEND_FREE ||
+							    op_array->opcodes[jmp_to->brk].opcode == ZEND_SWITCH_FREE
-							     op_array->opcodes[jmp_to->brk].opcode == ZEND_SWITCH_FREE)) {
+							) {
 								dont_optimize = 1;
 								break;
 							}