Handle pi nodes in replace_predecessor

nikic · nikic · commit 038bc27787ff · 2021-09-27T10:47:47.000+02:00
If we're removing a predecessor because it already exists during
replacement, we should also drop pi nodes for that predecessor.

Fixes oss-fuzz #39276.
diff --git a/Zend/tests/replace_pred_pi_node.phpt b/Zend/tests/replace_pred_pi_node.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Handling of pi nodes when replacing a predecessor
+--FILE--
+<?php
+function test(bool $a, bool $b) {
+    $byte = '';
+    if ($a && $byte > 0 && $b) {}
+    unknown($byte);
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/ext/opcache/Optimizer/dfa_pass.c b/ext/opcache/Optimizer/dfa_pass.c
@@ -575,11 +575,19 @@ static void replace_predecessor(zend_ssa *ssa, int block_id, int old_pred, int n
 
 		/* Also remove the corresponding phi node entries */
 		for (phi = ssa->blocks[block_id].phis; phi; phi = phi->next) {
-			memmove(
-				phi->sources + old_pred_idx,
-				phi->sources + old_pred_idx + 1,
-				sizeof(int) * (block->predecessors_count - old_pred_idx - 1)
-			);
+			if (phi->pi >= 0) {
+				if (phi->pi == old_pred) {
+					zend_ssa_rename_var_uses(
+						ssa, phi->ssa_var, phi->sources[0], /* update_types */ 0);
+					zend_ssa_remove_phi(ssa, phi);
+				}
+			} else {
+				memmove(
+					phi->sources + old_pred_idx,
+					phi->sources + old_pred_idx + 1,
+					sizeof(int) * (block->predecessors_count - old_pred_idx - 1)
+				);
+			}
 		}
 
 		block->predecessors_count--;
