Fix leak with EXT_STMT when pipe result is unused

iluuu1994 · iluuu1994 · commit 6282022eb040 · 2025-08-11T19:37:53.000+02:00
This example would leak:

    function x() {
        return range(0, 10);
    }
    function test($a, $b) {
        $a |&gt; $b;
    }
    test(42, x(...));

because we were missing a FREE in test(). This requires two fixes, namely one in
zend_do_free() to skip over the EXT_STMT usage, and another in
zend_optimize_block() to avoid removing the FREE opcode by removing the result
def of the declaring opcode.
diff --git a/Zend/Optimizer/block_pass.c b/Zend/Optimizer/block_pass.c
@@ -420,6 +420,14 @@ static void zend_optimize_block(zend_basic_block *block, zend_op_array *op_array
 				}
 				break;
 
+			case ZEND_EXT_STMT:
+				if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
+					/* Variable will be deleted later by FREE, so we can't optimize it */
+					Tsource[VAR_NUM(opline->op1.var)] = NULL;
+					break;
+				}
+				break;
+
 			case ZEND_CASE:
 			case ZEND_CASE_STRICT:
 			case ZEND_COPY_TMP:
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -821,7 +821,8 @@ static void zend_do_free(znode *op1) /* {{{ */
 		} else {
 			while (opline >= CG(active_op_array)->opcodes) {
 				if ((opline->opcode == ZEND_FETCH_LIST_R ||
-				     opline->opcode == ZEND_FETCH_LIST_W) &&
+				     opline->opcode == ZEND_FETCH_LIST_W ||
+				     opline->opcode == ZEND_EXT_STMT) &&
 				    opline->op1_type == IS_VAR &&
 				    opline->op1.var == op1->u.op.var) {
 					zend_emit_op(NULL, ZEND_FREE, op1, NULL);
