Fix VAR return type verification

We should also set retval_ref when de-indirecting. Otherwise the retval_ref != retval_ptr comparison below may incorrect assume that we're returning a reference. I don't have a reliable reproducer for this issue, but it sometimes appears in certain configurations in arrow_functions/007.phpt in conjunction with other changes.
php · Jan 26, 2021 · a2dcd44 · a2dcd44
1 parent 2e580da
commit a2dcd44
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -4185,7 +4185,7 @@ ZEND_VM_COLD_CONST_HANDLER(124, ZEND_VERIFY_RETURN_TYPE, CONST|TMP|VAR|UNUSED|CV
 			retval_ref = retval_ptr = EX_VAR(opline->result.var);
 		} else if (OP1_TYPE == IS_VAR) {
 			if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) {
-				retval_ptr = Z_INDIRECT_P(retval_ptr);
+				retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr);
 			}
 			ZVAL_DEREF(retval_ptr);
 		} else if (OP1_TYPE == IS_CV) {

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
@@ -9723,7 +9723,7 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYP
 			retval_ref = retval_ptr = EX_VAR(opline->result.var);
 		} else if (IS_CONST == IS_VAR) {
 			if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) {
-				retval_ptr = Z_INDIRECT_P(retval_ptr);
+				retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr);
 			}
 			ZVAL_DEREF(retval_ptr);
 		} else if (IS_CONST == IS_CV) {
@@ -20077,7 +20077,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYPE_SPEC_TMP_UN
 			retval_ref = retval_ptr = EX_VAR(opline->result.var);
 		} else if (IS_TMP_VAR == IS_VAR) {
 			if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) {
-				retval_ptr = Z_INDIRECT_P(retval_ptr);
+				retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr);
 			}
 			ZVAL_DEREF(retval_ptr);
 		} else if (IS_TMP_VAR == IS_CV) {
@@ -27692,7 +27692,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYPE_SPEC_VAR_UN
 			retval_ref = retval_ptr = EX_VAR(opline->result.var);
 		} else if (IS_VAR == IS_VAR) {
 			if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) {
-				retval_ptr = Z_INDIRECT_P(retval_ptr);
+				retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr);
 			}
 			ZVAL_DEREF(retval_ptr);
 		} else if (IS_VAR == IS_CV) {
@@ -34892,7 +34892,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYPE_SPEC_UNUSED
 			retval_ref = retval_ptr = EX_VAR(opline->result.var);
 		} else if (IS_UNUSED == IS_VAR) {
 			if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) {
-				retval_ptr = Z_INDIRECT_P(retval_ptr);
+				retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr);
 			}
 			ZVAL_DEREF(retval_ptr);
 		} else if (IS_UNUSED == IS_CV) {
@@ -46594,7 +46594,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_VERIFY_RETURN_TYPE_SPEC_CV_UNU
 			retval_ref = retval_ptr = EX_VAR(opline->result.var);
 		} else if (IS_CV == IS_VAR) {
 			if (UNEXPECTED(Z_TYPE_P(retval_ptr) == IS_INDIRECT)) {
-				retval_ptr = Z_INDIRECT_P(retval_ptr);
+				retval_ref = retval_ptr = Z_INDIRECT_P(retval_ptr);
 			}
 			ZVAL_DEREF(retval_ptr);
 		} else if (IS_CV == IS_CV) {