Fixed segfault (Zend/tests/026.phpt now pass)

2025-08-15 21:48:51 +02:00 · 2014-02-20 15:39:46 +08:00 · 2014-02-20 15:39:46 +08:00 · b917458490
commit b917458490
parent ff61b46941
5 changed files with 55 additions and 50 deletions
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@ -754,19 +754,23 @@ static inline void zend_assign_to_object(zval *retval, zval *object, zval *prope
 		if (Z_TYPE_P(object) == IS_NULL ||
 		    (Z_TYPE_P(object) == IS_BOOL && Z_LVAL_P(object) == 0) ||
 		    (Z_TYPE_P(object) == IS_STRING && Z_STRLEN_P(object) == 0)) {
-			SEPARATE_ZVAL_IF_NOT_REF(object);
+			if (Z_REFCOUNTED_P(object)) {
-			Z_ADDREF_P(object);
+				SEPARATE_ZVAL_IF_NOT_REF(object);
-			zend_error(E_WARNING, "Creating default object from empty value");
+				Z_ADDREF_P(object);
-			if (Z_REFCOUNTED_P(object) && Z_REFCOUNT_P(object) == 1) {
+				zend_error(E_WARNING, "Creating default object from empty value");
-				/* object was removed by error handler, nothing to assign to */
+				if (Z_REFCOUNT_P(object) == 1) {
-				zval_ptr_dtor(object);
+					/* object was removed by error handler, nothing to assign to */
-				if (retval) {
+					zval_ptr_dtor(object);
-					ZVAL_NULL(retval);
+					if (retval) {
 						ZVAL_NULL(retval);
 					}
 					FREE_OP(free_value);
 					return;
 				}
-				FREE_OP(free_value);
+				Z_DELREF_P(object);
-				return;
+			} else {
 				zend_error(E_WARNING, "Creating default object from empty value");
 			}
 			Z_DELREF_P(object);
 			zval_dtor(object);
 			object_init(object);
 		} else {
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@ -545,38 +545,39 @@ ZEND_API void zend_std_write_property(zval *object, zval *member, zval *value, c
 			variable_ptr = &zobj->properties_table[property_info->offset];
 			goto found;
 		}
-		if (UNEXPECTED(!zobj->properties)) {
+		if (EXPECTED(zobj->properties != NULL)) {
-			variable_ptr = zend_hash_find(zobj->properties, property_info->name);
+			if ((variable_ptr = zend_hash_find(zobj->properties, property_info->name)) != NULL) {
 found:
-			/* if we already have this value there, we don't actually need to do anything */
+				/* if we already have this value there, we don't actually need to do anything */
-			if (EXPECTED(variable_ptr != value)) {
+				if (EXPECTED(variable_ptr != value)) {
-				/* if we are assigning reference, we shouldn't move it, but instead assign variable
+					/* if we are assigning reference, we shouldn't move it, but instead assign variable
-				   to the same pointer */
+					   to the same pointer */
-				if (Z_ISREF_P(variable_ptr)) {
+					if (Z_ISREF_P(variable_ptr)) {
-					zval garbage;
+						zval garbage;
 					ZVAL_COPY_VALUE(&garbage, Z_REFVAL_P(variable_ptr)); /* old value should be destroyed */
-					/* To check: can't *variable_ptr be some system variable like error_zval here? */
+						ZVAL_COPY_VALUE(&garbage, Z_REFVAL_P(variable_ptr)); /* old value should be destroyed */
 					ZVAL_COPY_VALUE(Z_REFVAL_P(variable_ptr), value);
 					if (Z_REFCOUNT_P(value) > 0) {
 						zval_copy_ctor(Z_REFVAL_P(variable_ptr));
 					}
 					zval_dtor(&garbage);
 				} else {
 					zval garbage;
-					ZVAL_COPY_VALUE(&garbage, variable_ptr);
+						/* To check: can't *variable_ptr be some system variable like error_zval here? */
-
+						ZVAL_COPY_VALUE(Z_REFVAL_P(variable_ptr), value);
-					/* if we assign referenced variable, we should separate it */
+						if (Z_REFCOUNT_P(value) > 0) {
-					if (IS_REFCOUNTED(Z_TYPE_P(value))) {
+							zval_copy_ctor(Z_REFVAL_P(variable_ptr));
 						Z_ADDREF_P(value);
 						if (Z_ISREF_P(value)) {
 							SEPARATE_ZVAL(value);
 						}
 						zval_dtor(&garbage);
 					} else {
 						zval garbage;
 						ZVAL_COPY_VALUE(&garbage, variable_ptr);
 						/* if we assign referenced variable, we should separate it */
 						if (IS_REFCOUNTED(Z_TYPE_P(value))) {
 							Z_ADDREF_P(value);
 							if (Z_ISREF_P(value)) {
 								SEPARATE_ZVAL(value);
 							}
 						}
 						ZVAL_COPY_VALUE(variable_ptr, value);
 						zval_ptr_dtor(&garbage);
 					}
 					ZVAL_COPY_VALUE(variable_ptr, value);
 					zval_ptr_dtor(&garbage);
 				}
 			}
 		}
--- a/Zend/zend_objects_API.c
+++ b/Zend/zend_objects_API.c
@ -129,7 +129,7 @@ ZEND_API void zend_objects_store_del(zend_object *object TSRMLS_DC) /* {{{ */
 	 */
 	if (EG(objects_store).object_buckets &&
 	    IS_VALID(EG(objects_store).object_buckets[object->handle])) {
-		if (object->gc.refcount == 0) {
+		if (object->gc.refcount == 1) {
 			int failure = 0;
 			if (!(object->gc.u.v.flags & IS_OBJ_DESTRUCTOR_CALLED)) {
@ -146,7 +146,7 @@ ZEND_API void zend_objects_store_del(zend_object *object TSRMLS_DC) /* {{{ */
 				}
 			}
-			if (object->gc.refcount == 0) {
+			if (object->gc.refcount == 1) {
 				zend_uint handle = object->handle;
 //???				GC_REMOVE_ZOBJ_FROM_BUFFER(obj);
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@ -5208,11 +5208,11 @@ ZEND_VM_HANDLER(156, ZEND_SEPARATE, VAR, UNUSED)
 	SAVE_OPLINE();
 	var_ptr = EX_VAR(opline->op1.var);
-	if (Z_TYPE_P(var_ptr) != IS_OBJECT &&
+	if (Z_TYPE_P(var_ptr) != IS_OBJECT && !Z_ISREF_P(var_ptr)) {
-			!Z_ISREF_P(var_ptr) &&
+		if (Z_REFCOUNTED_P(var_ptr) &&
-			Z_REFCOUNT_P(var_ptr) > 1) {
+				Z_REFCOUNT_P(var_ptr) > 1) {
-
+			Z_DELREF_P(var_ptr);
-		Z_DELREF_P(var_ptr);
+		}
 		ZVAL_DUP(EX_VAR(opline->op1.var), var_ptr);
 	}
 	ZEND_VM_NEXT_OPCODE();
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@ -20932,11 +20932,11 @@ static int ZEND_FASTCALL  ZEND_SEPARATE_SPEC_VAR_UNUSED_HANDLER(ZEND_OPCODE_HAND
 	SAVE_OPLINE();
 	var_ptr = EX_VAR(opline->op1.var);
-	if (Z_TYPE_P(var_ptr) != IS_OBJECT &&
+	if (Z_TYPE_P(var_ptr) != IS_OBJECT && !Z_ISREF_P(var_ptr)) {
-			!Z_ISREF_P(var_ptr) &&
+		if (Z_REFCOUNTED_P(var_ptr) &&
-			Z_REFCOUNT_P(var_ptr) > 1) {
+				Z_REFCOUNT_P(var_ptr) > 1) {
-
+			Z_DELREF_P(var_ptr);
-		Z_DELREF_P(var_ptr);
+		}
 		ZVAL_DUP(EX_VAR(opline->op1.var), var_ptr);
 	}
 	ZEND_VM_NEXT_OPCODE();