Fixed bug #65510 (5.5.2 crashes in _get_zval_ptr_ptr_var)

Author: dstogov

NEWS

@@ -27,6 +27,7 @@ PHP                                                                        NEWS
 - OPCache:
   . Fixed bug #65561 (Zend Opcache on Solaris 11 x86 needs ZEND_MM_ALIGNMENT=4).
     (Terry Ellison)
+  . Fixed bug #65510 (5.5.2 crashes in _get_zval_ptr_ptr_var). (Dmitry)
 
 - Openssl:
   . Fixed bug #64802 (openssl_x509_parse fails to parse subject properly in

ext/opcache/Optimizer/pass1_5.c

@@ -408,6 +408,7 @@ if (ZEND_OPTIMIZER_PASS_1 & OPTIMIZATION_LEVEL) {
 			    int var = opline->result.var;
 			    int level = 0;
 				zend_op *op = opline + 1;
+				zend_op *use = NULL;
 
 				while (op < end) {
 					if (op->opcode == ZEND_BEGIN_SILENCE) {
@@ -420,21 +421,36 @@ if (ZEND_OPTIMIZER_PASS_1 & OPTIMIZATION_LEVEL) {
 						}
 					}
 					if (op->op1_type == IS_VAR && op->op1.var == var) {
-						op->op1_type = IS_CV;
-						op->op1.var = zend_optimizer_lookup_cv(op_array,
+						if (use) {
+							/* used more than once */
+							use = NULL;
+							break;
+						}
+						use = op;
+					} else if (op->op2_type == IS_VAR && op->op2.var == var) {
+						if (use) {
+							/* used more than once */
+							use = NULL;
+							break;
+						}
+						use = op;
+					}
+					op++;
+				}
+				if (use) {
+					if (use->op1_type == IS_VAR && use->op1.var == var) {
+						use->op1_type = IS_CV;
+						use->op1.var = zend_optimizer_lookup_cv(op_array,
 							Z_STRVAL(ZEND_OP1_LITERAL(opline)),
 							Z_STRLEN(ZEND_OP1_LITERAL(opline)));
 						MAKE_NOP(opline);
-						break;
-					} else if (op->op2_type == IS_VAR && op->op2.var == var) {
-						op->op2_type = IS_CV;
-						op->op2.var = zend_optimizer_lookup_cv(op_array,
+					} else if (use->op2_type == IS_VAR && use->op2.var == var) {
+						use->op2_type = IS_CV;
+						use->op2.var = zend_optimizer_lookup_cv(op_array,
 							Z_STRVAL(ZEND_OP1_LITERAL(opline)),
 							Z_STRLEN(ZEND_OP1_LITERAL(opline)));
 						MAKE_NOP(opline);
-						break;
 					}
-					op++;
 				}
 			}
 			break;

ext/opcache/tests/bug65510.phpt

@@ -0,0 +1,20 @@
+--TEST--
+Bug #65510 (5.5.2 crashes in _get_zval_ptr_ptr_var)
+--INI--
+allow_url_include=1
+opcache.enable=1
+opcache.enable_cli=1
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+function parseQuery() {
+    $m = array("l", "a", "r", "u", "e", "n", "c", "e");
+    foreach($m as $n) {
+        @list($a, $b) = $n;
+    }
+}
+parseQuery();
+echo "ok\n";
+--EXPECT--
+ok