php
diff --git a/‎Zend/tests/gh10168_1.phpt
Lines changed: 33 additions & 0 deletions b/‎Zend/tests/gh10168_1.phpt
Lines changed: 33 additions & 0 deletions
diff --git a/‎Zend/tests/gh10168_10.phpt
Lines changed: 22 additions & 0 deletions b/‎Zend/tests/gh10168_10.phpt
Lines changed: 22 additions & 0 deletions
diff --git a/‎Zend/tests/gh10168_11.phpt
Lines changed: 21 additions & 0 deletions b/‎Zend/tests/gh10168_11.phpt
Lines changed: 21 additions & 0 deletions
diff --git a/‎Zend/tests/gh10168_12.phpt
Lines changed: 22 additions & 0 deletions b/‎Zend/tests/gh10168_12.phpt
Lines changed: 22 additions & 0 deletions
diff --git a/‎Zend/tests/gh10168_13.phpt
Lines changed: 35 additions & 0 deletions b/‎Zend/tests/gh10168_13.phpt
Lines changed: 35 additions & 0 deletions
diff --git a/‎Zend/tests/gh10168_14.phpt
Lines changed: 35 additions & 0 deletions b/‎Zend/tests/gh10168_14.phpt
Lines changed: 35 additions & 0 deletions
diff --git a/‎Zend/tests/gh10168_15.phpt
Lines changed: 21 additions & 0 deletions b/‎Zend/tests/gh10168_15.phpt
Lines changed: 21 additions & 0 deletions
diff --git a/‎Zend/tests/gh10168_2.phpt
Lines changed: 33 additions & 0 deletions b/‎Zend/tests/gh10168_2.phpt
Lines changed: 33 additions & 0 deletions
diff --git a/‎Zend/tests/gh10168_3.phpt
Lines changed: 36 additions & 0 deletions b/‎Zend/tests/gh10168_3.phpt
Lines changed: 36 additions & 0 deletions
diff --git a/‎Zend/tests/gh10168_4.phpt
Lines changed: 36 additions & 0 deletions b/‎Zend/tests/gh10168_4.phpt
Lines changed: 36 additions & 0 deletions
diff --git a/‎Zend/tests/gh10168_5.phpt
Lines changed: 32 additions & 0 deletions b/‎Zend/tests/gh10168_5.phpt
Lines changed: 32 additions & 0 deletions
diff --git a/‎Zend/tests/gh10168_6.phpt
Lines changed: 40 additions & 0 deletions b/‎Zend/tests/gh10168_6.phpt
Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,33 @@
+--TEST--
+GH-10168 (heap-buffer-overflow at zval_undefined_cv): array variation
+--FILE--
+<?php
+
+class Test
+{
+    static $instances;
+    public function __construct() {
+	    var_dump(self::$instances[NULL] = $this);
+	    var_dump(self::$instances);
+    }
+
+    function __destruct() {
+        unset(self::$instances[NULL]);
+    }
+}
+new Test();
+new Test();
+
+?>
+--EXPECT--
+object(Test)#1 (0) {
+}
+array(1) {
+  [""]=>
+  object(Test)#1 (0) {
+  }
+}
+object(Test)#2 (0) {
+}
+array(0) {
+}
@@ -0,0 +1,22 @@
+--TEST--
+GH-10168 (heap-buffer-overflow at zval_undefined_cv): assign typed static prop ref
+--FILE--
+<?php
+
+class Test {
+    static ?Test $a = null;
+    function __construct() {
+        var_dump(self::$a = &$this);
+    }
+    function __destruct() {
+        self::$a = null;
+    }
+}
+new Test;
+new Test;
+
+?>
+--EXPECT--
+object(Test)#1 (0) {
+}
+NULL
@@ -0,0 +1,21 @@
+--TEST--
+GH-10168 (heap-buffer-overflow at zval_undefined_cv): global by ref val error
+--FILE--
+<?php
+
+class Test {
+    function __destruct(){
+        unset($GLOBALS['a']);
+    }
+}
+
+function returnsVal() {
+    return 42;
+}
+$a = new Test;
+var_dump($a =& returnsVal());
+
+?>
+--EXPECTF--
+Notice: Only variables should be assigned by reference in %s on line %d
+int(42)
@@ -0,0 +1,22 @@
+--TEST--
+GH-10168 (heap-buffer-overflow at zval_undefined_cv): assign static prop ref
+--FILE--
+<?php
+
+class Test {
+    static $a = null;
+    function __construct() {
+        var_dump(self::$a = &$this);
+    }
+    function __destruct() {
+        self::$a = null;
+    }
+}
+new Test;
+new Test;
+
+?>
+--EXPECT--
+object(Test)#1 (0) {
+}
+NULL
@@ -0,0 +1,35 @@
+--TEST--
+GH-10168 (heap-buffer-overflow at zval_undefined_cv): assign prop ref
+--FILE--
+<?php
+
+class Box {
+	public $storage;
+}
+
+$box = new Box();
+
+class Test
+{
+	public function __construct() {
+		global $box;
+		var_dump($box->storage = &$this);
+	}
+
+	function __destruct() {
+		global $box;
+		var_dump($box->storage);
+		$box->storage = null;
+	}
+}
+new Test();
+new Test();
+
+?>
+--EXPECT--
+object(Test)#2 (0) {
+}
+object(Test)#3 (0) {
+}
+NULL
+NULL
@@ -0,0 +1,35 @@
+--TEST--
+GH-10168 (heap-buffer-overflow at zval_undefined_cv): assign typed prop ref
+--FILE--
+<?php
+
+class Box {
+	public ?Test $storage = null;
+}
+
+$box = new Box();
+
+class Test
+{
+	public function __construct() {
+		global $box;
+		var_dump($box->storage = &$this);
+	}
+
+	function __destruct() {
+		global $box;
+		var_dump($box->storage);
+		$box->storage = null;
+	}
+}
+new Test();
+new Test();
+
+?>
+--EXPECT--
+object(Test)#2 (0) {
+}
+object(Test)#3 (0) {
+}
+NULL
+NULL
@@ -0,0 +1,21 @@
+--TEST--
+GH-10168 (heap-buffer-overflow at zval_undefined_cv): global by ref
+--FILE--
+<?php
+
+class Test {
+    function __destruct(){
+        unset($GLOBALS['a']);
+    }
+}
+
+function &returnsVal() {
+    $a = 42;
+    return $a;
+}
+$a = new Test;
+var_dump($a =& returnsVal());
+
+?>
+--EXPECT--
+int(42)
@@ -0,0 +1,33 @@
+--TEST--
+GH-10168 (heap-buffer-overflow at zval_undefined_cv): assign global variation
+--FILE--
+<?php
+
+$a = null;
+
+class Test
+{
+	public function __construct() {
+		var_dump($GLOBALS['a'] = $this);
+		// Destructor called after comparison, so a will be NULL
+		var_dump($GLOBALS['a']);
+	}
+
+	function __destruct() {
+		unset($GLOBALS['a']);
+	}
+}
+new Test();
+new Test();
+
+?>
+--EXPECTF--
+object(Test)#1 (0) {
+}
+object(Test)#1 (0) {
+}
+object(Test)#2 (0) {
+}
+
+Warning: Undefined global variable $a in %s on line %d
+NULL
@@ -0,0 +1,36 @@
+--TEST--
+GH-10168 (heap-buffer-overflow at zval_undefined_cv): assign typed static prop
+--FILE--
+<?php
+class Test
+{
+	static ?Test $a = null;
+
+	public function __construct() {
+		static $i = 0;
+		$i++;
+		if ($i === 1) {
+			var_dump(self::$a = $this);
+		} else {
+			// Avoid cache slot, triggering write_property
+			var_dump(self::$a = $this);
+		}
+	}
+
+	function __destruct() {
+		var_dump(self::$a);
+		self::$a = null;
+	}
+}
+new Test();
+new Test();
+
+?>
+--EXPECT--
+object(Test)#1 (0) {
+}
+object(Test)#2 (0) {
+}
+object(Test)#2 (0) {
+}
+NULL
@@ -0,0 +1,36 @@
+--TEST--
+GH-10168 (heap-buffer-overflow at zval_undefined_cv): assign prop
+--FILE--
+<?php
+
+class Box {
+	public $storage;
+}
+
+$box = new Box();
+
+class Test
+{
+	public function __construct() {
+		global $box;
+		var_dump($box->storage = $this);
+	}
+
+	function __destruct() {
+		global $box;
+		var_dump($box->storage);
+		$box->storage = null;
+	}
+}
+new Test();
+new Test();
+
+?>
+--EXPECT--
+object(Test)#2 (0) {
+}
+object(Test)#3 (0) {
+}
+object(Test)#3 (0) {
+}
+NULL
@@ -0,0 +1,32 @@
+--TEST--
+GH-10168 (heap-buffer-overflow at zval_undefined_cv): allocated assignment in destructor
+--FILE--
+<?php
+
+class Foo {}
+
+class Test
+{
+	static Test|Foo|null $a = null;
+
+	public function __construct() {
+		var_dump(self::$a = $this);
+	}
+
+	function __destruct() {
+		var_dump(self::$a = new Foo());
+	}
+}
+new Test();
+new Test();
+
+?>
+--EXPECT--
+object(Test)#1 (0) {
+}
+object(Foo)#3 (0) {
+}
+object(Test)#2 (0) {
+}
+object(Foo)#1 (0) {
+}
@@ -0,0 +1,40 @@
+--TEST--
+GH-10168 (heap-buffer-overflow at zval_undefined_cv): assign typed prop without cache slot
+--XFAIL--
+--FILE--
+<?php
+
+class Box {
+	public $storage;
+}
+
+$box = new Box();
+
+class Test
+{
+	public function __construct() {
+		static $i = 0;
+		$i++;
+		global $box;
+		if ($i === 1) {
+			var_dump($box->storage = $this);
+		} else {
+			// Avoid cache slot, triggering write_property
+			var_dump($box->storage = $this);
+		}
+	}
+
+	function __destruct() {
+		global $box;
+		$box->storage = null;
+	}
+}
+new Test();
+new Test();
+
+?>
+--EXPECT--
+object(Test)#2 (0) {
+}
+object(Test)#3 (0) {
+}