Fix too early terminated temporary range with break/cont/goto

bwoebi · bwoebi · commit cc876c04b420 · 2015-07-09T20:07:57.000+02:00
I have no crashing or leaking reproduce script, only valgrind invalid reads for that one; hence no phpt here
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -3482,7 +3482,7 @@ void zend_compile_return(zend_ast *ast) /* {{{ */
 		zend_emit_return_type_check(expr_ast ? &expr_node : NULL, CG(active_op_array)->arg_info - 1);
 	}
 
-	zend_free_foreach_and_switch_variables(ZEND_FREE_ON_RETURN);
+	zend_free_foreach_and_switch_variables(ZEND_FREE_ON_JUMP);
 
 	if (CG(context).in_finally) {
 		opline = zend_emit_op(NULL, ZEND_DISCARD_EXCEPTION, NULL, NULL);
@@ -3567,7 +3567,7 @@ void zend_compile_break_continue(zend_ast *ast) /* {{{ */
 			}
 
 			if (nest_level > 1) {
-				generate_free_loop_var(&CG(context).brk_cont_array[array_offset].loop_var);
+				generate_free_loop_var_ex(&CG(context).brk_cont_array[array_offset].loop_var, ZEND_FREE_ON_JUMP);
 			}
 
 			array_offset = CG(context).brk_cont_array[array_offset].parent;
@@ -3637,7 +3637,7 @@ void zend_resolve_goto_label(zend_op_array *op_array, znode *label_node, zend_op
 			if (pass2_opline) {
 				free_vars++;
 			} else {
-				generate_free_loop_var(&CG(context).brk_cont_array[current].loop_var);
+				generate_free_loop_var_ex(&CG(context).brk_cont_array[current].loop_var, ZEND_FREE_ON_JUMP);
 			}
 		}
 		current = CG(context).brk_cont_array[current].parent;
diff --git a/Zend/zend_compile.h b/Zend/zend_compile.h
@@ -882,7 +882,7 @@ ZEND_API void zend_assert_valid_class_name(const zend_string *const_name);
 
 #define ZEND_FETCH_ARG_MASK         0x000fffff
 
-#define ZEND_FREE_ON_RETURN     (1<<0)
+#define ZEND_FREE_ON_JUMP       (1<<0)
 
 #define ZEND_MEMBER_FUNC_CALL	(1<<0)
 
diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c
@@ -994,8 +994,8 @@ static zend_always_inline uint32_t *generate_var_liveliness_info_ex(zend_op_arra
 				&& opline->opcode != ZEND_FE_FETCH_RW
 				/* the following opcodes are parts of "return" statement */
 				&& opline->opcode != ZEND_VERIFY_RETURN_TYPE
-				&& (opline->opcode != ZEND_FREE || !(opline->extended_value & ZEND_FREE_ON_RETURN))
-				&& (opline->opcode != ZEND_FE_FREE || !(opline->extended_value & ZEND_FREE_ON_RETURN))
+				&& (opline->opcode != ZEND_FREE || !(opline->extended_value & ZEND_FREE_ON_JUMP))
+				&& (opline->opcode != ZEND_FE_FREE || !(opline->extended_value & ZEND_FREE_ON_JUMP))
 			) {
 				op_live_total += liveliness_kill_var(op_array, opline, var, Tstart, opTs);
 			}
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -7084,8 +7084,8 @@ ZEND_VM_HANDLER(149, ZEND_HANDLE_EXCEPTION, ANY, ANY)
 
 	if (catch_op_num || finally_op_num) {
 		if (EX(func)->op_array.opcodes[op_num].opcode == ZEND_VERIFY_RETURN_TYPE
-		 || (EX(func)->op_array.opcodes[op_num].opcode == ZEND_FREE && (EX(func)->op_array.opcodes[op_num].extended_value & ZEND_FREE_ON_RETURN))
-		 || (EX(func)->op_array.opcodes[op_num].opcode == ZEND_FE_FREE && (EX(func)->op_array.opcodes[op_num].extended_value & ZEND_FREE_ON_RETURN))
+		 || (EX(func)->op_array.opcodes[op_num].opcode == ZEND_FREE && (EX(func)->op_array.opcodes[op_num].extended_value & ZEND_FREE_ON_JUMP))
+		 || (EX(func)->op_array.opcodes[op_num].opcode == ZEND_FE_FREE && (EX(func)->op_array.opcodes[op_num].extended_value & ZEND_FREE_ON_JUMP))
 		) {
 			catch_op_num = finally_op_num = 0;
 		}
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
@@ -1502,8 +1502,8 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_HANDLE_EXCEPTION_SPEC_HANDLER(
 
 	if (catch_op_num || finally_op_num) {
 		if (EX(func)->op_array.opcodes[op_num].opcode == ZEND_VERIFY_RETURN_TYPE
-		 || (EX(func)->op_array.opcodes[op_num].opcode == ZEND_FREE && (EX(func)->op_array.opcodes[op_num].extended_value & ZEND_FREE_ON_RETURN))
-		 || (EX(func)->op_array.opcodes[op_num].opcode == ZEND_FE_FREE && (EX(func)->op_array.opcodes[op_num].extended_value & ZEND_FREE_ON_RETURN))
+		 || (EX(func)->op_array.opcodes[op_num].opcode == ZEND_FREE && (EX(func)->op_array.opcodes[op_num].extended_value & ZEND_FREE_ON_JUMP))
+		 || (EX(func)->op_array.opcodes[op_num].opcode == ZEND_FE_FREE && (EX(func)->op_array.opcodes[op_num].extended_value & ZEND_FREE_ON_JUMP))
 		) {
 			catch_op_num = finally_op_num = 0;
 		}

Original file line number	Diff line number	Diff line change
`@@ -3482,7 +3482,7 @@ void zend_compile_return(zend_ast ast) / {{{ */`
`3482`	`3482`	`zend_emit_return_type_check(expr_ast ? &expr_node : NULL, CG(active_op_array)->arg_info - 1);`
`3483`	`3483`	`}`
`3484`	`3484`
`3485`		`- zend_free_foreach_and_switch_variables(ZEND_FREE_ON_RETURN);`
	`3485`	`+ zend_free_foreach_and_switch_variables(ZEND_FREE_ON_JUMP);`
`3486`	`3486`
`3487`	`3487`	`if (CG(context).in_finally) {`
`3488`	`3488`	`opline = zend_emit_op(NULL, ZEND_DISCARD_EXCEPTION, NULL, NULL);`
`@@ -3567,7 +3567,7 @@ void zend_compile_break_continue(zend_ast ast) / {{{ */`
`3567`	`3567`	`}`
`3568`	`3568`
`3569`	`3569`	`if (nest_level > 1) {`
`3570`		`- generate_free_loop_var(&CG(context).brk_cont_array[array_offset].loop_var);`
	`3570`	`+ generate_free_loop_var_ex(&CG(context).brk_cont_array[array_offset].loop_var, ZEND_FREE_ON_JUMP);`
`3571`	`3571`	`}`
`3572`	`3572`
`3573`	`3573`	`array_offset = CG(context).brk_cont_array[array_offset].parent;`
`@@ -3637,7 +3637,7 @@ void zend_resolve_goto_label(zend_op_array op_array, znode label_node, zend_op`
`3637`	`3637`	`if (pass2_opline) {`
`3638`	`3638`	`free_vars++;`
`3639`	`3639`	`} else {`
`3640`		`- generate_free_loop_var(&CG(context).brk_cont_array[current].loop_var);`
	`3640`	`+ generate_free_loop_var_ex(&CG(context).brk_cont_array[current].loop_var, ZEND_FREE_ON_JUMP);`
`3641`	`3641`	`}`
`3642`	`3642`	`}`
`3643`	`3643`	`current = CG(context).brk_cont_array[current].parent;`