No escaping in `zend_dump_const` output

[SerafimArts]

Description

The following code:

<?php

substr_count($stmt, '")')

After some optimization steps, it outputs the following opcodes:

0026 SEND_VAR CV1($current) 1
0027 SEND_VAL string("("") 2
0028 V14 = DO_ICALL

Please pay attention to instruction 0027.

This expression cannot be correctly recognized during any automated analysis of the opcode dump. Even if I take the first and last occurrences of string(" and "), then such instructions can disrupt the work of parser:

0001 INIT_STATIC_METHOD_CALL 0 string("")") string("string("")

I understand that from the point of view of grammar, this is impossible in principle, but similar cases may arise.

The problem is here: https://github.com/php/php-src/blob/PHP-8.2/Zend/Optimizer/zend_dump.c#L69

I suggest adding character \\, " (and perhaps \n) escaping so that the output of opcodes can be parsed automatically.

However, before sending a PR, I would like to ask if there is already a ready-made function that escapes the specified sequences, instead of Z_STRVAL_P.

[iluuu1994]

I'm not sure if this output is really made to be machine readable. Either way, adjusting seems sensible. I don't think there's an existing function that does this.

[SerafimArts]

@iluuu1994 hmmm... what about php_addslashes:

php-src/ext/standard/string.c

Lines 3492 to 3494 in 2ec0134

	PHPAPI zend_string *php_addslashes(zend_string *str) {
	return php_addslashes_ptr(str);
	}

?

It is used internally by var_export

php-src/ext/standard/var.c

Line 516 in 2ec0134

ztmp = php_addcslashes(Z_STR_P(struc), "'\\", 2);

, so it seems that the string output should be filtered correctly.

[iluuu1994]

@SerafimArts You could use that, although it requires an allocation per string.