From c264e2866e9d509e4ed73e2542e80d4c7fb0a92b Mon Sep 17 00:00:00 2001
From: Michael Wallner <mike@php.net>
Date: Fri, 12 Feb 2016 17:25:44 +0100
Subject: [PATCH] don't let impls leak into decls

---
 src/calc.c             |  5 ++---
 src/context_validate.c |  1 -
 src/engine.c           | 46 +++++++++++++++++++-----------------------
 src/engine.h           |  2 +-
 src/libffi.c           |  2 +-
 src/parser.h           |  6 ++----
 6 files changed, 27 insertions(+), 35 deletions(-)

diff --git a/src/calc.c b/src/calc.c
index efea900..f701b5a 100644
--- a/src/calc.c
+++ b/src/calc.c
@@ -4,6 +4,7 @@
 
 #include "php.h"
 #include "php_psi.h"
+#include "parser.h"
 #include "calc.h"
 
 static inline int psi_calc_num_exp_value(num_exp *exp, impl_val *strct, impl_val *res) {
@@ -39,10 +40,8 @@ static inline int psi_calc_num_exp_value(num_exp *exp, impl_val *strct, impl_val
 	case PSI_T_NAME:
 		if (strct) {
 			ref = struct_member_ref(exp->u.dvar->arg, strct, &tmp);
-		} else if (exp->u.dvar->arg->let) {
-			ref = exp->u.dvar->arg->let->ptr;
 		} else {
-			ref = exp->u.dvar->arg->ptr;
+			ref = exp->u.dvar->arg->let;
 		}
 		switch (real_decl_type(exp->u.dvar->arg->type)->type) {
 		case PSI_T_INT8:
diff --git a/src/context_validate.c b/src/context_validate.c
index 180b34d..e34330d 100644
--- a/src/context_validate.c
+++ b/src/context_validate.c
@@ -1037,7 +1037,6 @@ static inline int validate_impl_let_stmts(PSI_Data *data, impl *impl) {
 			let_stmt *let = impl->stmts->let.list[j];
 
 			if (!strcmp(let->var->name, darg->var->name)) {
-				darg->let = let;
 				check = 1;
 				break;
 			}
diff --git a/src/engine.c b/src/engine.c
index 4415e4b..a78f9ff 100644
--- a/src/engine.c
+++ b/src/engine.c
@@ -271,34 +271,28 @@ static inline impl_val *psi_let_func(let_func *func, decl_arg *darg) {
 static inline void *psi_do_let(let_stmt *let)
 {
 	decl_arg *darg = let->var->arg;
-	impl_val *arg_val = darg->ptr;
 
 	switch (let->val ? let->val->kind : PSI_LET_NULL) {
 	case PSI_LET_TMP:
-		memcpy(arg_val, deref_impl_val(let->val->data.var->arg->let->ptr, let->val->data.var), sizeof(*arg_val));
-#if 0
-		fprintf(stderr, "LET TMP: %p -> %p\n",
-				let->val->data.var->arg->let->ptr,
-				arg_val->ptr);
-#endif
+		memcpy(darg->ptr, deref_impl_val(let->val->data.var->arg->let, let->val->data.var), sizeof(impl_val));
 		break;
 	case PSI_LET_NULL:
 		if (darg->var->array_size) {
-			arg_val->ptr = ecalloc(darg->var->array_size, sizeof(*arg_val));
-			darg->mem = arg_val->ptr;
+			darg->val.ptr = ecalloc(darg->var->array_size, sizeof(impl_val));
+			darg->mem = darg->val.ptr;
 		} else {
-			memset(arg_val, 0, sizeof(*arg_val));
+			memset(&darg->val, 0, sizeof(impl_val));
 		}
 		break;
 	case PSI_LET_CALLOC:
-		arg_val->ptr = psi_do_calloc(let->val->data.alloc);
-		darg->mem = arg_val->ptr;
+		darg->val.ptr = psi_do_calloc(let->val->data.alloc);
+		darg->mem = darg->val.ptr;
 		break;
 	case PSI_LET_CALLBACK:
-		arg_val->ptr = let->val->data.callback->decl->call.sym;
+		darg->val.ptr = let->val->data.callback->decl->call.sym;
 		break;
 	case PSI_LET_NUMEXP:
-		arg_val->zend.lval = psi_long_num_exp(let->val->data.num, NULL);
+		darg->val.zend.lval = psi_long_num_exp(let->val->data.num, NULL);
 		break;
 	case PSI_LET_FUNC:
 		if (!psi_let_func(let->val->data.func, darg)) {
@@ -308,9 +302,9 @@ static inline void *psi_do_let(let_stmt *let)
 	}
 
 	if (let->val && let->val->flags.one.is_reference) {
-		return let->ptr = &darg->ptr;
+		return darg->let = &darg->ptr;
 	} else {
-		return let->ptr = darg->ptr;
+		return darg->let = darg->ptr;
 	}
 }
 
@@ -329,7 +323,7 @@ static inline void psi_do_free(free_stmt *fre)
 		for (j = 0; j < f->vars->count; ++j) {
 			decl_var *dvar = f->vars->vars[j];
 			decl_arg *darg = dvar->arg;
-			impl_val *fval = darg->let ? darg->let->ptr : darg->ptr;
+			impl_val *fval = darg->let;
 
 			f->decl->call.args[j] = deref_impl_val(fval, dvar);
 		}
@@ -339,10 +333,9 @@ static inline void psi_do_free(free_stmt *fre)
 	}
 }
 
-static inline void psi_clean_array_struct(decl_arg *darg) {
-	if (darg->let
-	&&	darg->let->val->kind == PSI_LET_FUNC
-	&&	darg->let->val->data.func->type == PSI_T_ARRVAL) {
+static inline void psi_clean_array_struct(let_stmt *let, decl_arg *darg) {
+	if (let->val->kind == PSI_LET_FUNC
+	&&	let->val->data.func->type == PSI_T_ARRVAL) {
 		decl_type *type = real_decl_type(darg->type);
 
 		if (type->type == PSI_T_STRUCT) {
@@ -363,6 +356,7 @@ static inline void psi_do_clean(impl *impl)
 		efree(impl->decl->func->ptr);
 		impl->decl->func->ptr = &impl->decl->func->val;
 	}
+
 	for (i = 0; i < impl->func->args->count; ++i ) {
 		impl_arg *iarg = impl->func->args->args[i];
 
@@ -383,15 +377,17 @@ static inline void psi_do_clean(impl *impl)
 		}
 	}
 
-	if (impl->decl->args) for (i = 0; i < impl->decl->args->count; ++i) {
-		decl_arg *darg = impl->decl->args->args[i];
+	for (i = 0; i < impl->stmts->let.count; ++i) {
+		let_stmt *let = impl->stmts->let.list[i];
+		decl_arg *darg = let->var->arg;
 
 		if (darg->mem) {
-			psi_clean_array_struct(darg);
+			psi_clean_array_struct(let, darg);
 			efree(darg->mem);
 			darg->mem = NULL;
 		}
 		darg->ptr = &darg->val;
+		darg->let = darg->ptr;
 	}
 
 	if (impl->func->args->vararg.args) {
@@ -423,7 +419,7 @@ static inline void psi_do_args(impl *impl) {
 	size_t i;
 
 	for (i = 0; i < impl->decl->args->count; ++i) {
-		impl->decl->call.args[i] = impl->decl->args->args[i]->let->ptr;
+		impl->decl->call.args[i] = impl->decl->args->args[i]->let;
 	}
 
 	if (!impl->decl->func->var->pointer_level) {
diff --git a/src/engine.h b/src/engine.h
index 83f64f1..62e1689 100644
--- a/src/engine.h
+++ b/src/engine.h
@@ -21,7 +21,7 @@ static inline void psi_do_set(zval *return_value, set_value *set)
 	decl_arg *set_arg = set->vars->vars[0]->arg;
 
 	zval_dtor(return_value);
-	set->func->handler(return_value, set, set_arg->let ? set_arg->let->ptr : set_arg->ptr);
+	set->func->handler(return_value, set, set_arg->let);
 }
 
 int psi_internal_type(impl_type *type);
diff --git a/src/libffi.c b/src/libffi.c
index 514394f..78b0239 100644
--- a/src/libffi.c
+++ b/src/libffi.c
@@ -91,7 +91,7 @@ static void psi_ffi_callback(ffi_cif *_sig, void *_result, void **_args, void *_
 
 	/* prepare args for the userland call */
 	for (i = 0; i < argc; ++i) {
-		cb->decl->args->args[i]->ptr = argv[i];
+		cb->decl->args->args[i]->let = argv[i];
 	}
 	for (i = 0; i < cb->args->count; ++i) {
 		psi_do_set(&zargv[i], cb->args->vals[i]);
diff --git a/src/parser.h b/src/parser.h
index f16f8b8..34e849e 100644
--- a/src/parser.h
+++ b/src/parser.h
@@ -59,7 +59,6 @@ typedef union impl_val {
 		zend_string *str;
 		zend_fcall *cb;
 	} zend;
-	zval zval;
 	void *ptr;
 } impl_val;
 
@@ -157,9 +156,9 @@ typedef struct decl_arg {
 	decl_type *type;
 	decl_var *var;
 	decl_struct_layout *layout;
-	struct let_stmt *let; /* FIXME: decls must not point to impls !!! */
 	impl_val val;
 	void *ptr;
+	void *let;
 	void *mem;
 } decl_arg;
 
@@ -170,6 +169,7 @@ static inline decl_arg *init_decl_arg(decl_type *type, decl_var *var) {
 	arg->var = var;
 	var->arg = arg;
 	arg->ptr = &arg->val;
+	arg->let = arg->ptr;
 	return arg;
 }
 
@@ -1017,8 +1017,6 @@ static inline void free_let_val(let_val *let) {
 typedef struct let_stmt {
 	decl_var *var;
 	let_val *val;
-
-	void *ptr;
 } let_stmt;
 
 static inline let_stmt *init_let_stmt(decl_var *var, let_val *val) {
-- 
2.30.2