Bug #81216 Nullsafe operator leaks dynamic property name
Submitted: 2021-07-01 14:42 UTC Modified: -
From: Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 8.0.8 OS:
Private report: No CVE-ID: None


 [2021-07-01 14:42 UTC]
Split off from bug #81190:

$str = "foo";
null?->{$str . "bar"};

leaks the property name. The opcodes look like this:

0000 ASSIGN CV0($str) string("foo")
0001 T2 = CONCAT CV0($str) string("bar")
0002 T3 = JMP_NULL null 0004
0003 T3 = FETCH_OBJ_R null T2
0004 FREE T3
0005 RETURN int(1)

Note that the CONCAT happens before the JMP_NULL. This is because JMP_NULL is part of the delayed opline stack.

Possibly we could get away with not using delayed oplines with nullsafe, because nullsafe cannot be used in write context, so not delaying should be safe. It will result in different evaluation order than non-nullsafe properties though.
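
As an added illustration, not part of the original report or of php-src: a small Python liveness check over the opcode dump above, showing which temporary is still live at RETURN and on which path. It assumes every opcode releases the temporaries it reads and that JMP_NULL either jumps to its target with its result set or falls through; the names parse and leaked_temps are hypothetical.

```python
import re

DUMP = '''\
0000 ASSIGN CV0($str) string("foo")
0001 T2 = CONCAT CV0($str) string("bar")
0002 T3 = JMP_NULL null 0004
0003 T3 = FETCH_OBJ_R null T2
0004 FREE T3
0005 RETURN int(1)
'''  # opcode dump copied from the report above

LINE = re.compile(r'^(\d{4}) (?:([TV]\d+) = )?(\w+) ?(.*)$')
TEMP = re.compile(r'^[TV]\d+$')

def parse(dump):
    """Return {pc: (result_temp_or_None, opcode, [operands])}."""
    ops = {}
    for line in dump.splitlines():
        m = LINE.match(line.strip())
        if m:
            pc, result, opcode, rest = m.groups()
            ops[int(pc)] = (result, opcode, rest.split())
    return ops

def leaked_temps(ops):
    """Walk every path; return {(temp, path)} for temps still live at RETURN."""
    leaks, seen = set(), set()
    stack = [(min(ops), frozenset(), ())]
    while stack:
        pc, live, path = stack.pop()
        if (pc, live) in seen or pc not in ops:
            continue
        seen.add((pc, live))
        result, opcode, operands = ops[pc]
        path += (pc,)
        # Assumption: an opcode releases every temporary it reads.
        live -= {o for o in operands if TEMP.match(o)}
        if opcode == "RETURN":
            leaks |= {(t, path) for t in live}
        elif opcode == "JMP_NULL":  # taken: result set, go to target; else fall through
            stack.append((int(operands[-1]), live | {result}, path))
            stack.append((pc + 1, live, path))
        else:
            stack.append((pc + 1, live | ({result} if result else set()), path))
    return leaks

if __name__ == "__main__":
    for temp, path in sorted(leaked_temps(parse(DUMP))):
        print(f"{temp} still live at RETURN on path {path}")
```

On the dump from the report, the only path that reaches RETURN with a live temporary is the one where JMP_NULL is taken and FETCH_OBJ_R, the sole reader of T2, is skipped.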


 [2021-12-04 15:05 UTC]
Automatic comment on behalf of dstogov
Log: Fixed bug #81216 (Nullsafe operator leaks dynamic property name)
 [2021-12-04 15:05 UTC]
-Status: Open +Status: Closed
Last updated: Wed Dec 08 07:03:33 2021 UTC