From e1cb22a23e881d13ddf80a90f1b0bf2d37913f75 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikic@php.net>
Date: Tue, 12 May 2015 15:08:12 +0200
Subject: [PATCH] Fix bug #69599

---
 NEWS                     |  1 +
 Zend/tests/bug69599.phpt | 21 +++++++++++++++++++++
 Zend/zend_vm_def.h       |  4 ++--
 Zend/zend_vm_execute.h   |  4 ++--
 4 files changed, 26 insertions(+), 4 deletions(-)
 create mode 100644 Zend/tests/bug69599.phpt

diff --git a/NEWS b/NEWS
index 526d5801b05..104c99d6881 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,7 @@ PHP                                                                        NEWS
     (Nikita)
   . Fixed bug #69472 (php_sys_readlink ignores misc errors from
        GetFinalPathNameByHandleA). (Jan Starke)
+  . Fixed bug #69599 (Strange generator+exception+variadic crash). (Nikita)
 
 - Iconv:
   . Fixed bug #48147 (iconv with //IGNORE cuts the string). (Stas)
diff --git a/Zend/tests/bug69599.phpt b/Zend/tests/bug69599.phpt
new file mode 100644
index 00000000000..fa8eaa3db41
--- /dev/null
+++ b/Zend/tests/bug69599.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #69599: Strange generator+exception+variadic crash
+--FILE--
+<?php
+
+function crash() {
+    sin(...[0]);
+    throw new \Exception();
+    yield;
+}
+
+iterator_to_array(crash());
+
+?>
+--EXPECTF--
+Fatal error: Uncaught exception 'Exception' in %s:%d
+Stack trace:
+#0 [internal function]: crash()
+#1 %s(%d): iterator_to_array(Object(Generator))
+#2 {main}
+  thrown in %s on line %d
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index dbac90c5e00..7c029ada3f7 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1887,7 +1887,7 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
 
 			EX(call)--;
 
-			zend_vm_stack_clear_multiple(1 TSRMLS_CC);
+			zend_vm_stack_clear_multiple(0 TSRMLS_CC);
 
 			if (UNEXPECTED(EG(exception) != NULL)) {
 				zend_throw_exception_internal(NULL TSRMLS_CC);
@@ -2075,7 +2075,7 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
 
 	EX(call)--;
 
-	zend_vm_stack_clear_multiple(1 TSRMLS_CC);
+	zend_vm_stack_clear_multiple(0 TSRMLS_CC);
 
 	if (UNEXPECTED(EG(exception) != NULL)) {
 		zend_throw_exception_internal(NULL TSRMLS_CC);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 0db76ed5e31..1f5e55f40df 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -459,7 +459,7 @@ static int ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
 
 			EX(call)--;
 
-			zend_vm_stack_clear_multiple(1 TSRMLS_CC);
+			zend_vm_stack_clear_multiple(0 TSRMLS_CC);
 
 			if (UNEXPECTED(EG(exception) != NULL)) {
 				zend_throw_exception_internal(NULL TSRMLS_CC);
@@ -647,7 +647,7 @@ static int ZEND_FASTCALL zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_AR
 
 	EX(call)--;
 
-	zend_vm_stack_clear_multiple(1 TSRMLS_CC);
+	zend_vm_stack_clear_multiple(0 TSRMLS_CC);
 
 	if (UNEXPECTED(EG(exception) != NULL)) {
 		zend_throw_exception_internal(NULL TSRMLS_CC);