Correctly parse array_slice() argument in call_user_func_array() opt

We should be treating this argument using the normal zpp rules,
rather than performing a simple integer cast.

Author: nikic

Zend/tests/call_user_func_array_array_slice_type.phpt

@@ -0,0 +1,27 @@
+--TEST--
+Type check in call_user_func_array() + array_slice() optimization
+--FILE--
+<?php
+
+$array = [1, 2, 3];
+
+try {
+    $len = [];
+    call_user_func_array('var_dump', array_slice($array, 0, $len));
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+$len = 2.0;
+call_user_func_array('var_dump', array_slice($array, 0, $len));
+
+$len = null;
+call_user_func_array('var_dump', array_slice($array, 1, $len));
+
+?>
+--EXPECT--
+array_slice(): Argument #3 ($length) must be of type ?int, array given
+int(1)
+int(2)
+int(2)
+int(3)

Zend/tests/call_user_func_array_array_slice_type_strict.phpt

@@ -0,0 +1,31 @@
+--TEST--
+Type check in call_user_func_array() + array_slice() optimization (strict types)
+--FILE--
+<?php
+declare(strict_types=1);
+
+$array = [1, 2, 3];
+
+try {
+    $len = [];
+    call_user_func_array('var_dump', array_slice($array, 0, $len));
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    $len = 2.0;
+    call_user_func_array('var_dump', array_slice($array, 0, $len));
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+$len = null;
+call_user_func_array('var_dump', array_slice($array, 1, $len));
+
+?>
+--EXPECT--
+array_slice(): Argument #3 ($length) must be of type ?int, array given
+array_slice(): Argument #3 ($length) must be of type ?int, float given
+int(2)
+int(3)

Zend/zend_vm_def.h

@@ -5227,10 +5227,23 @@ ZEND_VM_C_LABEL(send_array):
 		if (OP2_TYPE != IS_UNUSED) {
 			/* We don't need to handle named params in this case,
 			 * because array_slice() is called with $preserve_keys == false. */
-			zval *op2 = GET_OP2_ZVAL_PTR(BP_VAR_R);
+			zval *op2 = GET_OP2_ZVAL_PTR_DEREF(BP_VAR_R);
 			uint32_t skip = opline->extended_value;
 			uint32_t count = zend_hash_num_elements(ht);
-			zend_long len = zval_get_long(op2);
+			zend_long len;
+			if (EXPECTED(Z_TYPE_P(op2) == IS_LONG)) {
+				len = Z_LVAL_P(op2);
+			} else if (Z_TYPE_P(op2) == IS_NULL) {
+				len = count - skip;
+			} else if (EX_USES_STRICT_TYPES()
+					|| !zend_parse_arg_long_weak(op2, &len, /* arg_num */ 3)) {
+				zend_type_error(
+					"array_slice(): Argument #3 ($length) must be of type ?int, %s given",
+					zend_zval_type_name(op2));
+				FREE_OP2();
+				FREE_OP1();
+				HANDLE_EXCEPTION();
+			}
 
 			if (len < 0) {
 				len += (zend_long)(count - skip);

Zend/zend_vm_execute.h

@@ -2334,10 +2334,23 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_SEND_ARRAY_SPEC_HANDLER(ZEND_O
 		if (opline->op2_type != IS_UNUSED) {
 			/* We don't need to handle named params in this case,
 			 * because array_slice() is called with $preserve_keys == false. */
-			zval *op2 = get_zval_ptr(opline->op2_type, opline->op2, BP_VAR_R);
+			zval *op2 = get_zval_ptr_deref(opline->op2_type, opline->op2, BP_VAR_R);
 			uint32_t skip = opline->extended_value;
 			uint32_t count = zend_hash_num_elements(ht);
-			zend_long len = zval_get_long(op2);
+			zend_long len;
+			if (EXPECTED(Z_TYPE_P(op2) == IS_LONG)) {
+				len = Z_LVAL_P(op2);
+			} else if (Z_TYPE_P(op2) == IS_NULL) {
+				len = count - skip;
+			} else if (EX_USES_STRICT_TYPES()
+					|| !zend_parse_arg_long_weak(op2, &len, /* arg_num */ 3)) {
+				zend_type_error(
+					"array_slice(): Argument #3 ($length) must be of type ?int, %s given",
+					zend_zval_type_name(op2));
+				FREE_OP(opline->op2_type, opline->op2.var);
+				FREE_OP(opline->op1_type, opline->op1.var);
+				HANDLE_EXCEPTION();
+			}
 
 			if (len < 0) {
 				len += (zend_long)(count - skip);