Fix bug #79358: JIT miscompile in composer

nikic · nikic · commit 191451da90b6 · 2020-03-09T12:55:14.000+01:00
diff --git a/ext/opcache/jit/zend_jit.c b/ext/opcache/jit/zend_jit.c
@@ -2474,7 +2474,8 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 					case ZEND_IS_NOT_EQUAL:
 					case ZEND_IS_SMALLER:
 					case ZEND_IS_SMALLER_OR_EQUAL:
-					case ZEND_CASE:
+					case ZEND_CASE: {
+						res_addr = RES_REG_ADDR();
 						if ((opline->result_type & IS_TMP_VAR)
 						 && (i + 1) <= end
 						 && ((opline+1)->opcode == ZEND_JMPZ
@@ -2488,19 +2489,25 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 							smart_branch_opcode = (opline+1)->opcode;
 							target_label = ssa->cfg.blocks[b].successors[0];
 							target_label2 = ssa->cfg.blocks[b].successors[1];
+							/* For EX variant write into the result of EX opcode. */
+							if ((opline+1)->opcode == ZEND_JMPZ_EX
+									|| (opline+1)->opcode == ZEND_JMPNZ_EX) {
+								res_addr = OP_REG_ADDR(opline + 1, result_type, result, result_def);
+							}
 						} else {
 							smart_branch_opcode = 0;
 							target_label = target_label2 = (uint32_t)-1;
 						}
 						if (!zend_jit_cmp(&dasm_state, opline, op_array,
 								OP1_INFO(), OP1_REG_ADDR(),
 								OP2_INFO(), OP2_REG_ADDR(),
-								RES_REG_ADDR(),
+								res_addr,
 								zend_may_throw(opline, op_array, ssa),
 								smart_branch_opcode, target_label, target_label2)) {
 							goto jit_failure;
 						}
 						goto done;
+					}
 					case ZEND_IS_IDENTICAL:
 					case ZEND_IS_NOT_IDENTICAL:
 						if ((opline->result_type & IS_TMP_VAR)
diff --git a/ext/opcache/jit/zend_jit_x86.h b/ext/opcache/jit/zend_jit_x86.h
@@ -270,7 +270,7 @@ static zend_always_inline zend_jit_addr _zend_jit_decode_op(zend_uchar op_type,
 #define OP2_ADDR() \
 	OP_ADDR(opline, op2_type, op2)
 #define RES_ADDR() \
-	OP_ADDR(opline, op2_type, op2)
+	OP_ADDR(opline, result_type, result)
 #define OP1_DATA_ADDR() \
 	OP_ADDR(opline + 1, op1_type, op1)
 
diff --git a/ext/opcache/tests/jit/bug79358.phpt b/ext/opcache/tests/jit/bug79358.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #79358: JIT miscompile in composer
+--FILE--
+<?php
+
+function test(int $x) {
+    return ($x > 0xdead && unimportant()) ||
+           ($x < 0xbeef && unimportant());
+}
+
+var_dump(test(0xcccc));
+
+?>
+--EXPECT--
+bool(false)
