
Commit 01f24bb

committed
Fix incorrect trace type inference in a false loop
Fixes oss-fuzz #63846
1 parent 11f4611 commit 01f24bb


1 file changed

+24
-2
lines changed


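--- a/ext/opcache/jit/zend_jit_trace.c
+++ b/ext/opcache/jit/zend_jit_trace.c
@@ -787,6 +787,25 @@ static int zend_jit_trace_add_ret_phis(zend_jit_trace_rec *trace_buffer, uint32_
 return ssa_vars_count;
 }
 
+static bool zend_jit_trace_is_false_loop(const zend_op_array *op_array, const zend_ssa *ssa, const zend_op **tssa_opcodes, zend_ssa *tssa)
+{
+const zend_op *opline;
+uint32_t b;
+zend_basic_block *bb;
+
+ZEND_ASSERT(tssa->cfg.blocks_count == 2);
+ZEND_ASSERT(tssa->cfg.blocks[1].len > 0);
+
+b = ssa->cfg.map[tssa_opcodes[0] - op_array->opcodes];
+opline = tssa_opcodes[tssa->cfg.blocks[1].len - 1];
+if (opline >= op_array->opcodes && opline < op_array->opcodes + op_array->last) {
+bb = ssa->cfg.blocks + ssa->cfg.map[opline - op_array->opcodes];
+return bb->loop_header != b;
+} else {
+return 0;
+}
+}
+
 static int zend_jit_trace_copy_ssa_var_info(const zend_op_array *op_array, const zend_ssa *ssa, const zend_op **tssa_opcodes, zend_ssa *tssa, int ssa_var)
 {
 int var, use, def, src;
@@ -796,7 +815,8 @@ static int zend_jit_trace_copy_ssa_var_info(const zend_op_array *op_array, const
 uint32_t b = ssa->cfg.map[tssa_opcodes[0] - op_array->opcodes];
 zend_basic_block *bb = ssa->cfg.blocks + b;
 
-if (bb->flags & ZEND_BB_LOOP_HEADER) {
+if ((bb->flags & ZEND_BB_LOOP_HEADER)
+&& !zend_jit_trace_is_false_loop(op_array, ssa, tssa_opcodes, tssa)) {
 zend_ssa_phi *phi = ssa->blocks[b].phis;
 zend_ssa_phi *pi = NULL;
 
@@ -1391,7 +1411,8 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
 tssa->cfg.blocks[0].successors = tssa->cfg.blocks[0].successors_storage;
 tssa->cfg.blocks[0].successors[0] = 1;
 
-tssa->cfg.blocks[0].flags = ZEND_BB_FOLLOW|ZEND_BB_TARGET|ZEND_BB_LOOP_HEADER|ZEND_BB_REACHABLE;
+tssa->cfg.blocks[1].flags = ZEND_BB_FOLLOW|ZEND_BB_TARGET|ZEND_BB_LOOP_HEADER|ZEND_BB_REACHABLE;
+tssa->cfg.blocks[1].len = ssa_ops_count;
 tssa->cfg.blocks[1].successors_count = 1;
 tssa->cfg.blocks[1].predecessors_count = 2;
 tssa->cfg.blocks[1].successors = tssa->cfg.blocks[1].successors_storage;
@@ -1401,6 +1422,7 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
 tssa->cfg.edges_count = 0;
 
 tssa->cfg.blocks[0].flags = ZEND_BB_START|ZEND_BB_EXIT|ZEND_BB_REACHABLE;
+tssa->cfg.blocks[0].len = ssa_ops_count;
 tssa->cfg.blocks[0].successors_count = 0;
 tssa->cfg.blocks[0].predecessors_count = 0;
 }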
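Review bot: `return 0;` in the new `zend_jit_trace_is_false_loop` (first hunk) should be `return false;` to match the function's `bool` return type, and `tssa` can be declared `const zend_ssa *` since the function only reads `tssa->cfg`. The comparison `bb->loop_header != b` mixes `loop_header` (an `int` in zend_basic_block, -1 when the block belongs to no loop, if I recall the CFG header correctly) with the `uint32_t` `b`, so a last opcode that lies outside any loop is classified as a false loop through the unsigned promotion; that appears intended but deserves a comment such as `/* loop_header is -1 (no loop) or a block index; != b also covers the no-loop case */`. A short header comment stating the contract would help the next reader, e.g. `/* A trace is a "false loop" when the block holding its last opcode is not headed by the block of its first opcode, so the loop-header phis must not be copied */`, with the exact criterion hedged because I am inferring it from the caller in the second hunk rather than from the function itself. The helper is entirely within the hunk; the `zend_jit_trace_copy_ssa_var_info` that calls it begins here and continues outside the visible lines.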
