Undefined array key should not match null

Author: iluuu1994

Zend/Optimizer/zend_inference.c

@@ -2130,7 +2130,7 @@ ZEND_API uint32_t ZEND_FASTCALL zend_array_type_info(const zval *zv)
 }
 
 
-ZEND_API uint32_t zend_array_element_type(uint32_t t1, uint8_t op_type, bool write, bool insert)
+ZEND_API uint32_t zend_array_element_type(uint32_t t1, uint8_t op_type, bool write, bool insert, bool is)
 {
 	uint32_t tmp = 0;
 
@@ -2149,7 +2149,7 @@ ZEND_API uint32_t zend_array_element_type(uint32_t t1, uint8_t op_type, bool wri
 		if (insert) {
 			tmp |= MAY_BE_NULL;
 		} else {
-			tmp |= MAY_BE_NULL | ((t1 & MAY_BE_ARRAY_OF_ANY) >> MAY_BE_ARRAY_SHIFT);
+			tmp |= (is ? MAY_BE_UNDEF : MAY_BE_NULL) | ((t1 & MAY_BE_ARRAY_OF_ANY) >> MAY_BE_ARRAY_SHIFT);
 			if (tmp & MAY_BE_ARRAY) {
 				tmp |= MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_ANY | MAY_BE_ARRAY_OF_REF;
 			}
@@ -2760,7 +2760,7 @@ static zend_always_inline zend_result _zend_update_type_info(
 			        tmp |= MAY_BE_REF;
 				}
 				orig = t1;
-				t1 = zend_array_element_type(t1, opline->op1_type, 1, 0);
+				t1 = zend_array_element_type(t1, opline->op1_type, 1, 0, false);
 				t2 = OP1_DATA_INFO();
 			} else if (opline->opcode == ZEND_ASSIGN_STATIC_PROP_OP) {
 				prop_info = zend_fetch_static_prop_info(script, op_array, ssa, opline);
@@ -3741,12 +3741,13 @@ static zend_always_inline zend_result _zend_update_type_info(
 				opline->op1_type,
 				opline->opcode != ZEND_FETCH_DIM_R && opline->opcode != ZEND_FETCH_DIM_IS
 					&& opline->opcode != ZEND_FETCH_LIST_R,
-				opline->op2_type == IS_UNUSED);
+				opline->op2_type == IS_UNUSED,
+				opline->opcode == ZEND_FETCH_DIM_IS);
 			if (opline->opcode == ZEND_FETCH_DIM_FUNC_ARG && (t1 & (MAY_BE_TRUE|MAY_BE_LONG|MAY_BE_DOUBLE|MAY_BE_RESOURCE))) {
 				tmp |= MAY_BE_NULL;
 			}
 			if (opline->opcode == ZEND_FETCH_DIM_IS && (t1 & MAY_BE_STRING)) {
-				tmp |= MAY_BE_NULL;
+				tmp |= MAY_BE_UNDEF;
 			}
 			if ((tmp & (MAY_BE_RC1|MAY_BE_RCN)) == MAY_BE_RCN && opline->result_type == IS_TMP_VAR) {
 				/* refcount may be indirectly decremented. Make an exception if the result is used in the next instruction */

Zend/Optimizer/zend_inference.h

@@ -223,7 +223,7 @@ ZEND_API void zend_ssa_find_false_dependencies(const zend_op_array *op_array, co
 ZEND_API void zend_ssa_find_sccs(const zend_op_array *op_array, zend_ssa *ssa);
 ZEND_API zend_result zend_ssa_inference(zend_arena **raena, const zend_op_array *op_array, const zend_script *script, zend_ssa *ssa, zend_long optimization_level);
 
-ZEND_API uint32_t zend_array_element_type(uint32_t t1, uint8_t op_type, bool write, bool insert);
+ZEND_API uint32_t zend_array_element_type(uint32_t t1, uint8_t op_type, bool write, bool insert, bool is);
 
 ZEND_API bool zend_inference_propagate_range(const zend_op_array *op_array, const zend_ssa *ssa, const zend_op *opline, const zend_ssa_op* ssa_op, int var, zend_ssa_range *tmp);
 

Zend/tests/pattern_matching/is/undefined_array_key.phpt

@@ -0,0 +1,10 @@
+--TEST--
+Pattern matching: Undefined index should not match null
+--FILE--
+<?php
+
+var_dump(['a' => 'a'] is ['b' => null]);
+
+?>
+--EXPECT--
+bool(false)

Zend/zend_execute.c

@@ -2825,9 +2825,11 @@ static zend_always_inline zval *zend_fetch_dimension_address_inner(HashTable *ht
 					zend_undefined_offset(hval);
 					ZEND_FALLTHROUGH;
 				case BP_VAR_UNSET:
-				case BP_VAR_IS:
 					retval = &EG(uninitialized_zval);
 					break;
+				case BP_VAR_IS:
+					retval = &EG(undef_zval);
+					break;
 				case BP_VAR_RW:
 					retval = zend_undefined_offset_write(ht, hval);
 					break;
@@ -2851,9 +2853,11 @@ static zend_always_inline zval *zend_fetch_dimension_address_inner(HashTable *ht
 						zend_undefined_index(offset_key);
 						ZEND_FALLTHROUGH;
 					case BP_VAR_UNSET:
-					case BP_VAR_IS:
 						retval = &EG(uninitialized_zval);
 						break;
+					case BP_VAR_IS:
+						retval = &EG(undef_zval);
+						break;
 					case BP_VAR_RW:
 						retval = zend_undefined_index_write(ht, offset_key);
 						break;

Zend/zend_execute_API.c

@@ -131,6 +131,7 @@ void init_executor(void) /* {{{ */
 
 	ZVAL_NULL(&EG(uninitialized_zval));
 	ZVAL_ERROR(&EG(error_zval));
+	ZVAL_UNDEF(&EG(undef_zval));
 /* destroys stack frame, therefore makes core dumps worthless */
 #if 0&&ZEND_DEBUG
 	original_sigsegv_handler = signal(SIGSEGV, zend_handle_sigsegv);

Zend/zend_globals.h

@@ -167,6 +167,7 @@ struct _zend_compiler_globals {
 struct _zend_executor_globals {
 	zval uninitialized_zval;
 	zval error_zval;
+	zval undef_zval;
 
 	/* symbol table cache */
 	zend_array *symtable_cache[SYMTABLE_CACHE_SIZE];

ext/opcache/jit/zend_jit_ir.c

@@ -13419,7 +13419,7 @@ static int zend_jit_assign_dim(zend_jit_ctx  *jit,
 				return 0;
 			}
 		} else {
-			uint32_t var_info = zend_array_element_type(op1_info, opline->op1_type, 0, 0);
+			uint32_t var_info = zend_array_element_type(op1_info, opline->op1_type, 0, 0, false);
 			zend_jit_addr var_addr;
 			ir_ref ref;
 			ir_refs *found_inputs, *found_values;
@@ -13565,7 +13565,7 @@ static int zend_jit_assign_dim_op(zend_jit_ctx   *jit,
 	}
 
 	if (op1_info & MAY_BE_ARRAY) {
-		uint32_t var_def_info = zend_array_element_type(op1_def_info, opline->op1_type, 1, 0);
+		uint32_t var_def_info = zend_array_element_type(op1_def_info, opline->op1_type, 1, 0, false);
 
 		if (opline->op2_type == IS_UNUSED) {
 			var_info = MAY_BE_NULL;
@@ -13593,7 +13593,7 @@ static int zend_jit_assign_dim_op(zend_jit_ctx   *jit,
 			ir_refs_init(found_inputs, 8);
 			ir_refs_init(found_values, 8);
 
-			var_info = zend_array_element_type(op1_info, opline->op1_type, 0, 0);
+			var_info = zend_array_element_type(op1_info, opline->op1_type, 0, 0, false);
 			if (op1_info & (MAY_BE_ARRAY_OF_REF|MAY_BE_OBJECT)) {
 				var_info |= MAY_BE_REF;
 			}