Fix phpGH-10571: Assertion `zval_get_type(&(*(zptr))) == 6 && "Concat should return string"' failed

nielsdos · nielsdos · commit 301b55623c77 · 2024-07-21T16:23:46.000+02:00
diff --git a/Zend/tests/gh10571_1.phpt b/Zend/tests/gh10571_1.phpt
@@ -0,0 +1,25 @@
+--TEST--
+GH-10571: Assertion `zval_get_type(&(*(zptr))) == 6 && "Concat should return string"' failed - OP
+--FILE--
+<?php
+class A
+{
+    public string $prop = "";
+}
+
+class B
+{
+    public function __toString()
+    {
+        global $a;
+        $a = "";
+        return "";
+    }
+}
+
+$a = new A();
+$a->prop .= new B();
+var_dump($a);
+?>
+--EXPECT--
+string(0) ""
diff --git a/Zend/tests/gh10571_2.phpt b/Zend/tests/gh10571_2.phpt
@@ -0,0 +1,25 @@
+--TEST--
+GH-10571: Assertion `zval_get_type(&(*(zptr))) == 6 && "Concat should return string"' failed - DIM OP
+--FILE--
+<?php
+class A
+{
+    public array $prop = ["a"];
+}
+
+class B
+{
+    public function __toString()
+    {
+        global $a;
+        $a = "";
+        return "";
+    }
+}
+
+$a = new A();
+$a->prop[0] .= new B();
+var_dump($a);
+?>
+--EXPECT--
+string(0) ""
diff --git a/Zend/tests/gh10571_3.phpt b/Zend/tests/gh10571_3.phpt
@@ -0,0 +1,30 @@
+--TEST--
+GH-10571: Assertion `zval_get_type(&(*(zptr))) == 6 && "Concat should return string"' failed - DIM OP resize
+--FILE--
+<?php
+class A
+{
+    public array $prop = ["a"];
+}
+
+class B
+{
+    public function __toString()
+    {
+        global $a;
+        // Force a resize, but it will work on a copy instead
+        for ($i = 0; $i < 1000; $i++) {
+            $a->prop[] = $i;
+        }
+        return "";
+    }
+}
+
+$a = new A();
+$a->prop[0] .= new B();
+var_dump(count($a->prop));
+var_dump($a->prop[0]);
+?>
+--EXPECT--
+int(1001)
+string(1) "a"
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -1059,6 +1059,10 @@ ZEND_VM_C_LABEL(assign_op_object):
 				zval *orig_zptr = zptr;
 				zend_reference *ref;
 
+				if (OP1_TYPE == IS_CV) {
+					GC_ADDREF(zobj);
+				}
+
 				do {
 					if (UNEXPECTED(Z_ISREF_P(zptr))) {
 						ref = Z_REF_P(zptr);
@@ -1085,6 +1089,10 @@ ZEND_VM_C_LABEL(assign_op_object):
 				if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 					ZVAL_COPY(EX_VAR(opline->result.var), zptr);
 				}
+
+				if (OP1_TYPE == IS_CV) {
+					GC_DTOR(zobj);
+				}
 			}
 		} else {
 			zend_assign_op_overloaded_property(zobj, name, cache_slot, value OPLINE_CC EXECUTE_DATA_CC);
@@ -1183,6 +1191,8 @@ ZEND_VM_C_LABEL(assign_dim_op_new_array):
 
 		value = get_op_data_zval_ptr_r((opline+1)->op1_type, (opline+1)->op1);
 
+		GC_ADDREF(ht);
+
 		do {
 			if (OP2_TYPE != IS_UNUSED && UNEXPECTED(Z_ISREF_P(var_ptr))) {
 				zend_reference *ref = Z_REF_P(var_ptr);
@@ -1198,6 +1208,7 @@ ZEND_VM_C_LABEL(assign_dim_op_new_array):
 		if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 			ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);
 		}
+		GC_DTOR_NO_REF(ht);
 		FREE_OP((opline+1)->op1_type, (opline+1)->op1.var);
 	} else {
 		if (EXPECTED(Z_ISREF_P(container))) {
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
