ext/opcache: unwrap reference wrappers in typed by-value returns

Author: LamentXU123

NEWS

@@ -6,6 +6,8 @@ PHP                                                                        NEWS
   . Fix persistent free of non-persistent connect_attr key (David Carlier).
 
 - Opcache:
+  . Fixed bug GH-21972 (Corrupted variable type when a typed by-value return
+    contains a reference wrapper). (Weilin Du)
   . Fixed tracing JIT crash when a VM interrupt is handled during an observed
     user function call. (Levi Morrison)
 

Zend/zend_vm_def.h

@@ -4387,21 +4387,6 @@ ZEND_VM_COLD_CONST_HANDLER(124, ZEND_VERIFY_RETURN_TYPE, CONST|TMP|VAR|UNUSED|CV
 			ZVAL_DEREF(retval_ptr);
 		}
 
-		if (EXPECTED(ZEND_TYPE_CONTAINS_CODE(ret_info->type, Z_TYPE_P(retval_ptr)))) {
-			ZEND_VM_NEXT_OPCODE();
-		}
-
-		if (OP1_TYPE == IS_CV && UNEXPECTED(Z_ISUNDEF_P(retval_ptr))) {
-			SAVE_OPLINE();
-			retval_ref = retval_ptr = ZVAL_UNDEFINED_OP1();
-			if (UNEXPECTED(EG(exception))) {
-				HANDLE_EXCEPTION();
-			}
-			if (ZEND_TYPE_FULL_MASK(ret_info->type) & MAY_BE_NULL) {
-				ZEND_VM_NEXT_OPCODE();
-			}
-		}
-
 		zend_reference *ref = NULL;
 		void *cache_slot = CACHE_ADDR(opline->op2.num);
 		if (UNEXPECTED(retval_ref != retval_ptr)) {
@@ -4419,6 +4404,21 @@ ZEND_VM_COLD_CONST_HANDLER(124, ZEND_VERIFY_RETURN_TYPE, CONST|TMP|VAR|UNUSED|CV
 			}
 		}
 
+		if (EXPECTED(ZEND_TYPE_CONTAINS_CODE(ret_info->type, Z_TYPE_P(retval_ptr)))) {
+			ZEND_VM_NEXT_OPCODE();
+		}
+
+		if (OP1_TYPE == IS_CV && UNEXPECTED(Z_ISUNDEF_P(retval_ptr))) {
+			SAVE_OPLINE();
+			retval_ref = retval_ptr = ZVAL_UNDEFINED_OP1();
+			if (UNEXPECTED(EG(exception))) {
+				HANDLE_EXCEPTION();
+			}
+			if (ZEND_TYPE_FULL_MASK(ret_info->type) & MAY_BE_NULL) {
+				ZEND_VM_NEXT_OPCODE();
+			}
+		}
+
 		SAVE_OPLINE();
 		if (UNEXPECTED(!zend_check_type_slow(&ret_info->type, retval_ptr, ref, cache_slot, 1, 0))) {
 			zend_verify_return_error(EX(func), retval_ptr);

ext/opcache/tests/opt/gh21972.phpt

@@ -0,0 +1,39 @@
+--TEST--
+GH-21972: Typed by-value return must not leak reference wrapper
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--EXTENSIONS--
+opcache
+--FILE--
+<?php
+declare(strict_types=1);
+
+enum ValueType {
+	case BOOL;
+	case MIXED;
+}
+
+function applyDefinition(
+	bool &$lazy = false,
+	ValueType &$type = ValueType::MIXED,
+	int &$flags = 0,
+	?string &$default = null,
+): void {
+}
+
+function getTypedValue(string $default, bool $lazy, ValueType $type): string {
+	applyDefinition($lazy, $type, default: $default);
+	return $default;
+}
+
+$value = getTypedValue('false', false, ValueType::BOOL);
+var_dump(gettype($value));
+var_dump(strtolower($value));
+var_dump(strtolower(getTypedValue('FALSE', false, ValueType::BOOL)));
+?>
+--EXPECT--
+string(6) "string"
+string(5) "false"
+string(5) "false"