clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-29 05:46:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fixed Bug #71824 (null ptr deref _zval_get_string_func (zend_operators.c:851))

Browse Source
This commit is contained in:
Xinchen Hui 2016-03-17 11:56:32 +08:00
parent 9020086a13
commit b9aed47a7a
3 changed files with 293 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
Zend/tests/bug71824.phpt Normal file
View File

@ -0,0 +1,23 @@
--TEST--
Bug #71824 (null ptr deref _zval_get_string_func (zend_operators.c:851))
--INI--
error_reporting=0
--FILE--
<?php
$z = unserialize('O:1:"A":0:{}');
var_dump($z->e.=0);
var_dump(++$z->x);
var_dump($z->y++);
$y = array(PHP_INT_MAX => 0);
var_dump($y[] .= 0);
var_dump(++$y[]);
var_dump($y[]++);
?>
--EXPECT--
string(1) "0"
int(1)
int(1)
NULL
NULL
NULL

36
Zend/zend_vm_def.h
View File

@ -737,14 +737,21 @@ ZEND_VM_HELPER(zend_binary_assign_op_obj_helper, VAR|UNUSED|CV, CONST|TMPVAR|CV,
/* here we are sure we are dealing with an object */
if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr)
&& EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, ((OP2_TYPE == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
binary_op(zptr, zptr, value);
if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
ZVAL_COPY(EX_VAR(opline->result.var), zptr);
}
if (UNEXPECTED(zptr == &zv)) {
zval_ptr_dtor(zptr);
}
} else {
zend_assign_op_overloaded_property(object, property, ((OP2_TYPE == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL));
}
@ -1128,8 +1135,14 @@ ZEND_VM_HELPER(zend_pre_incdec_property_helper, VAR|UNUSED|CV, CONST|TMPVAR|CV,
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
if (inc) {
increment_function(zptr);
@ -1202,9 +1215,14 @@ ZEND_VM_HELPER(zend_post_incdec_property_helper, VAR|UNUSED|CV, CONST|TMPVAR|CV,
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
zptr = EX_VAR(opline->result.var);
ZVAL_NULL(zptr);
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
}
if (inc) {
increment_function(zptr);
} else {

324
Zend/zend_vm_execute.h
View File

@ -17334,14 +17334,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP
/* here we are sure we are dealing with an object */
if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr)
&& EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, ((IS_CONST == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
binary_op(zptr, zptr, value);
if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
ZVAL_COPY(EX_VAR(opline->result.var), zptr);
}
if (UNEXPECTED(zptr == &zv)) {
zval_ptr_dtor(zptr);
}
} else {
zend_assign_op_overloaded_property(object, property, ((IS_CONST == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL));
}
@ -17723,8 +17730,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
if (inc) {
increment_function(zptr);
@ -17796,9 +17809,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
zptr = EX_VAR(opline->result.var);
ZVAL_NULL(zptr);
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
}
if (inc) {
increment_function(zptr);
} else {
@ -21683,14 +21701,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP
/* here we are sure we are dealing with an object */
if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr)
&& EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, ((IS_CV == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
binary_op(zptr, zptr, value);
if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
ZVAL_COPY(EX_VAR(opline->result.var), zptr);
}
if (UNEXPECTED(zptr == &zv)) {
zval_ptr_dtor(zptr);
}
} else {
zend_assign_op_overloaded_property(object, property, ((IS_CV == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL));
}
@ -22072,8 +22097,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
if (inc) {
increment_function(zptr);
@ -22145,9 +22176,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
zptr = EX_VAR(opline->result.var);
ZVAL_NULL(zptr);
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
}
if (inc) {
increment_function(zptr);
} else {
@ -24223,14 +24259,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP
/* here we are sure we are dealing with an object */
if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr)
&& EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, (((IS_TMP_VAR|IS_VAR) == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
binary_op(zptr, zptr, value);
if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
ZVAL_COPY(EX_VAR(opline->result.var), zptr);
}
if (UNEXPECTED(zptr == &zv)) {
zval_ptr_dtor(zptr);
}
} else {
zend_assign_op_overloaded_property(object, property, (((IS_TMP_VAR|IS_VAR) == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL));
}
@ -24614,8 +24657,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
if (inc) {
increment_function(zptr);
@ -24688,9 +24737,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
zptr = EX_VAR(opline->result.var);
ZVAL_NULL(zptr);
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
}
if (inc) {
increment_function(zptr);
} else {
@ -26678,14 +26732,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP
/* here we are sure we are dealing with an object */
if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr)
&& EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, ((IS_CONST == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
binary_op(zptr, zptr, value);
if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
ZVAL_COPY(EX_VAR(opline->result.var), zptr);
}
if (UNEXPECTED(zptr == &zv)) {
zval_ptr_dtor(zptr);
}
} else {
zend_assign_op_overloaded_property(object, property, ((IS_CONST == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL));
}
@ -27037,8 +27098,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
if (inc) {
increment_function(zptr);
@ -27110,9 +27177,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
zptr = EX_VAR(opline->result.var);
ZVAL_NULL(zptr);
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
}
if (inc) {
increment_function(zptr);
} else {
@ -29978,14 +30050,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP
/* here we are sure we are dealing with an object */
if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr)
&& EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, ((IS_CV == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
binary_op(zptr, zptr, value);
if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
ZVAL_COPY(EX_VAR(opline->result.var), zptr);
}
if (UNEXPECTED(zptr == &zv)) {
zval_ptr_dtor(zptr);
}
} else {
zend_assign_op_overloaded_property(object, property, ((IS_CV == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL));
}
@ -30337,8 +30416,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
if (inc) {
increment_function(zptr);
@ -30410,9 +30495,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
zptr = EX_VAR(opline->result.var);
ZVAL_NULL(zptr);
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
}
if (inc) {
increment_function(zptr);
} else {
@ -32217,14 +32307,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP
/* here we are sure we are dealing with an object */
if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr)
&& EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, (((IS_TMP_VAR|IS_VAR) == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
binary_op(zptr, zptr, value);
if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
ZVAL_COPY(EX_VAR(opline->result.var), zptr);
}
if (UNEXPECTED(zptr == &zv)) {
zval_ptr_dtor(zptr);
}
} else {
zend_assign_op_overloaded_property(object, property, (((IS_TMP_VAR|IS_VAR) == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL));
}
@ -32577,8 +32674,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
if (inc) {
increment_function(zptr);
@ -32651,9 +32754,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
zptr = EX_VAR(opline->result.var);
ZVAL_NULL(zptr);
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
}
if (inc) {
increment_function(zptr);
} else {
@ -36753,14 +36861,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP
/* here we are sure we are dealing with an object */
if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr)
&& EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, ((IS_CONST == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
binary_op(zptr, zptr, value);
if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
ZVAL_COPY(EX_VAR(opline->result.var), zptr);
}
if (UNEXPECTED(zptr == &zv)) {
zval_ptr_dtor(zptr);
}
} else {
zend_assign_op_overloaded_property(object, property, ((IS_CONST == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL));
}
@ -37142,8 +37257,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
if (inc) {
increment_function(zptr);
@ -37215,9 +37336,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
zptr = EX_VAR(opline->result.var);
ZVAL_NULL(zptr);
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
}
if (inc) {
increment_function(zptr);
} else {
@ -43263,14 +43389,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP
/* here we are sure we are dealing with an object */
if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr)
&& EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, ((IS_CV == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
binary_op(zptr, zptr, value);
if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
ZVAL_COPY(EX_VAR(opline->result.var), zptr);
}
if (UNEXPECTED(zptr == &zv)) {
zval_ptr_dtor(zptr);
}
} else {
zend_assign_op_overloaded_property(object, property, ((IS_CV == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL));
}
@ -43652,8 +43785,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
if (inc) {
increment_function(zptr);
@ -43725,9 +43864,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
zptr = EX_VAR(opline->result.var);
ZVAL_NULL(zptr);
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
}
if (inc) {
increment_function(zptr);
} else {
@ -46800,14 +46944,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP
/* here we are sure we are dealing with an object */
if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr)
&& EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, (((IS_TMP_VAR|IS_VAR) == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
binary_op(zptr, zptr, value);
if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
ZVAL_COPY(EX_VAR(opline->result.var), zptr);
}
if (UNEXPECTED(zptr == &zv)) {
zval_ptr_dtor(zptr);
}
} else {
zend_assign_op_overloaded_property(object, property, (((IS_TMP_VAR|IS_VAR) == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL));
}
@ -47191,8 +47342,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
zval zv;
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
ZVAL_NULL(&zv);
zptr = &zv;
} else {
ZVAL_DEREF(zptr);
SEPARATE_ZVAL_NOREF(zptr);
}
if (inc) {
increment_function(zptr);
@ -47265,9 +47422,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP
fast_long_decrement_function(zptr);
}
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
if (UNEXPECTED(Z_ISERROR_P(zptr))) {
zptr = EX_VAR(opline->result.var);
ZVAL_NULL(zptr);
} else {
ZVAL_DEREF(zptr);
ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr);
zval_opt_copy_ctor(zptr);
}
if (inc) {
increment_function(zptr);
} else {