From 1491992f76cad95e6e9ffb307e162eff9be62b19 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@php.net>
Date: Wed, 3 Oct 2007 08:02:36 +0000
Subject: [PATCH] Fixed bug #42772 (Storing $this in a static var fails while
 handling a cast to string)

---
 Zend/tests/bug42772.phpt | 18 ++++++++++
 Zend/zend_vm_def.h       | 19 +++++++---
 Zend/zend_vm_execute.h   | 76 +++++++++++++++++++++++++++++-----------
 3 files changed, 88 insertions(+), 25 deletions(-)
 create mode 100755 Zend/tests/bug42772.phpt

diff --git a/Zend/tests/bug42772.phpt b/Zend/tests/bug42772.phpt
new file mode 100755
index 00000000000..8887bdbd7e9
--- /dev/null
+++ b/Zend/tests/bug42772.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #42772 (Storing $this in a static var fails while handling a cast to string)
+--FILE--
+<?php
+class Foo {
+    static public $foo;
+    function __toString() {
+        self::$foo = $this;
+        return 'foo';
+    }
+}
+
+$foo = (string)new Foo();
+var_dump(Foo::$foo);
+?>
+--EXPECT--
+object(Foo)#1 (0) {
+}
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index bc6b31feabf..b47c726c678 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -2797,9 +2797,11 @@ ZEND_VM_HANDLER(21, ZEND_CAST, CONST|TMP|VAR|CV, ANY)
 	zval *expr = GET_OP1_ZVAL_PTR(BP_VAR_R);
 	zval *result = &EX_T(opline->result.u.var).tmp_var;
 
-	*result = *expr;
-	if (!IS_OP1_TMP_FREE()) {
-		zendi_zval_copy_ctor(*result);
+	if (opline->extended_value != IS_STRING) {
+		*result = *expr;
+		if (!IS_OP1_TMP_FREE()) {
+			zendi_zval_copy_ctor(*result);
+		}
 	}
 	switch (opline->extended_value) {
 		case IS_NULL:
@@ -2818,10 +2820,17 @@ ZEND_VM_HANDLER(21, ZEND_CAST, CONST|TMP|VAR|CV, ANY)
 			zval var_copy;
 			int use_copy;
 
-			zend_make_printable_zval(result, &var_copy, &use_copy);
+			zend_make_printable_zval(expr, &var_copy, &use_copy);
 			if (use_copy) {
-				zval_dtor(result);
 				*result = var_copy;
+				if (IS_OP1_TMP_FREE()) {
+					FREE_OP1();
+				}
+			} else {
+				*result = *expr;
+				if (!IS_OP1_TMP_FREE()) {
+					zendi_zval_copy_ctor(*result);
+				}
 			}
 			break;
 		}
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 100ef634331..5a2531450ef 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -1648,9 +1648,11 @@ static int ZEND_CAST_SPEC_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 	zval *expr = &opline->op1.u.constant;
 	zval *result = &EX_T(opline->result.u.var).tmp_var;
 
-	*result = *expr;
-	if (!0) {
-		zendi_zval_copy_ctor(*result);
+	if (opline->extended_value != IS_STRING) {
+		*result = *expr;
+		if (!0) {
+			zendi_zval_copy_ctor(*result);
+		}
 	}
 	switch (opline->extended_value) {
 		case IS_NULL:
@@ -1669,10 +1671,17 @@ static int ZEND_CAST_SPEC_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 			zval var_copy;
 			int use_copy;
 
-			zend_make_printable_zval(result, &var_copy, &use_copy);
+			zend_make_printable_zval(expr, &var_copy, &use_copy);
 			if (use_copy) {
-				zval_dtor(result);
 				*result = var_copy;
+				if (0) {
+
+				}
+			} else {
+				*result = *expr;
+				if (!0) {
+					zendi_zval_copy_ctor(*result);
+				}
 			}
 			break;
 		}
@@ -4715,9 +4724,11 @@ static int ZEND_CAST_SPEC_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 	zval *expr = _get_zval_ptr_tmp(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
 	zval *result = &EX_T(opline->result.u.var).tmp_var;
 
-	*result = *expr;
-	if (!1) {
-		zendi_zval_copy_ctor(*result);
+	if (opline->extended_value != IS_STRING) {
+		*result = *expr;
+		if (!1) {
+			zendi_zval_copy_ctor(*result);
+		}
 	}
 	switch (opline->extended_value) {
 		case IS_NULL:
@@ -4736,10 +4747,17 @@ static int ZEND_CAST_SPEC_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 			zval var_copy;
 			int use_copy;
 
-			zend_make_printable_zval(result, &var_copy, &use_copy);
+			zend_make_printable_zval(expr, &var_copy, &use_copy);
 			if (use_copy) {
-				zval_dtor(result);
 				*result = var_copy;
+				if (1) {
+					zval_dtor(free_op1.var);
+				}
+			} else {
+				*result = *expr;
+				if (!1) {
+					zendi_zval_copy_ctor(*result);
+				}
 			}
 			break;
 		}
@@ -7861,9 +7879,11 @@ static int ZEND_CAST_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 	zval *expr = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
 	zval *result = &EX_T(opline->result.u.var).tmp_var;
 
-	*result = *expr;
-	if (!0) {
-		zendi_zval_copy_ctor(*result);
+	if (opline->extended_value != IS_STRING) {
+		*result = *expr;
+		if (!0) {
+			zendi_zval_copy_ctor(*result);
+		}
 	}
 	switch (opline->extended_value) {
 		case IS_NULL:
@@ -7882,10 +7902,17 @@ static int ZEND_CAST_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 			zval var_copy;
 			int use_copy;
 
-			zend_make_printable_zval(result, &var_copy, &use_copy);
+			zend_make_printable_zval(expr, &var_copy, &use_copy);
 			if (use_copy) {
-				zval_dtor(result);
 				*result = var_copy;
+				if (0) {
+					if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
+				}
+			} else {
+				*result = *expr;
+				if (!0) {
+					zendi_zval_copy_ctor(*result);
+				}
 			}
 			break;
 		}
@@ -20474,9 +20501,11 @@ static int ZEND_CAST_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 	zval *expr = _get_zval_ptr_cv(&opline->op1, EX(Ts), BP_VAR_R TSRMLS_CC);
 	zval *result = &EX_T(opline->result.u.var).tmp_var;
 
-	*result = *expr;
-	if (!0) {
-		zendi_zval_copy_ctor(*result);
+	if (opline->extended_value != IS_STRING) {
+		*result = *expr;
+		if (!0) {
+			zendi_zval_copy_ctor(*result);
+		}
 	}
 	switch (opline->extended_value) {
 		case IS_NULL:
@@ -20495,10 +20524,17 @@ static int ZEND_CAST_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 			zval var_copy;
 			int use_copy;
 
-			zend_make_printable_zval(result, &var_copy, &use_copy);
+			zend_make_printable_zval(expr, &var_copy, &use_copy);
 			if (use_copy) {
-				zval_dtor(result);
 				*result = var_copy;
+				if (0) {
+
+				}
+			} else {
+				*result = *expr;
+				if (!0) {
+					zendi_zval_copy_ctor(*result);
+				}
 			}
 			break;
 		}