wip

Author: iluuu1994

Zend/Optimizer/zend_func_info.c

@@ -77,9 +77,7 @@ static uint32_t zend_range_info(const zend_call_info *call_info, const zend_ssa
 		}
 		if ((t1 & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_DOUBLE))
 				&& (t2 & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_DOUBLE))) {
-			if ((t3 & MAY_BE_ANY) != MAY_BE_DOUBLE) {
-				tmp |= MAY_BE_ARRAY_OF_LONG;
-			}
+			tmp |= MAY_BE_ARRAY_OF_LONG;
 		}
 		if (tmp & MAY_BE_ARRAY_OF_ANY) {
 			tmp |= MAY_BE_ARRAY_PACKED;

Zend/Optimizer/zend_optimizer.c

@@ -1332,6 +1332,26 @@ static void zend_redo_pass_two_ex(zend_op_array *op_array, zend_ssa *ssa)
 				}
 				break;
 		}
+#ifdef ZEND_VERIFY_TYPE_INFERENCE
+		if (ssa_op->op1_use >= 0) {
+			opline->op1_use_type = ssa->var_info[ssa_op->op1_use].type;
+		}
+		if (ssa_op->op2_use >= 0) {
+			opline->op2_use_type = ssa->var_info[ssa_op->op2_use].type;
+		}
+		if (ssa_op->result_use >= 0) {
+			opline->result_use_type = ssa->var_info[ssa_op->result_use].type;
+		}
+		if (ssa_op->op1_def >= 0) {
+			opline->op1_def_type = ssa->var_info[ssa_op->op1_def].type;
+		}
+		if (ssa_op->op2_def >= 0) {
+			opline->op2_def_type = ssa->var_info[ssa_op->op2_def].type;
+		}
+		if (ssa_op->result_def >= 0) {
+			opline->result_def_type = ssa->var_info[ssa_op->result_def].type;
+		}
+#endif
 		zend_vm_set_opcode_handler_ex(opline, op1_info, op2_info, res_info);
 		opline++;
 	}

Zend/tests/gh10168/wrong_assign_to_variable.phpt

@@ -1,5 +1,9 @@
 --TEST--
 GH-10168: Wrong assign to variable
+--SKIPIF--
+<?php
+if (defined('ZEND_VERIFY_TYPE_INFERENCE')) die('skip Destructor side-effects violate type inference');
+?>
 --FILE--
 <?php
 

Zend/zend_execute.c

@@ -5311,167 +5311,18 @@ static zend_always_inline zend_execute_data *_zend_vm_stack_push_call_frame(uint
 # include "zend_vm_trace_lines.h"
 #elif defined(ZEND_VM_TRACE_MAP)
 # include "zend_vm_trace_map.h"
-#endif
-
-#ifdef ZEND_VERIFY_TYPE_INFERENCE
-
-#define ZEND_VERIFY_TYPE_INFERENCE_ERROR(msg, ...) \
-	do { \
-		fprintf(stderr, "Inference verification failed at %04d %s (" msg ")\n", (int)(opline - EX(func)->op_array.opcodes), operand, __VA_ARGS__); \
-		exit(139); \
-	} while (0)
-
-static void zend_verify_type_inference(zval *value, uint32_t type_mask, uint8_t op_type, zend_execute_data *execute_data, const zend_op *opline, const char *operand)
-{
-	if (type_mask == MAY_BE_CLASS) {
-		return;
-	}
-
-	if (Z_TYPE_P(value) == IS_INDIRECT) {
-		if (!(type_mask & MAY_BE_INDIRECT)) {
-			ZEND_VERIFY_TYPE_INFERENCE_ERROR("mask 0x%x mising MAY_BE_INDIRECT", type_mask);
-		}
-		value = Z_INDIRECT_P(value);
-	}
-
-	/* Verifying RC inference is currently not possible because type information is based on the SSA
-	 * built without ZEND_SSA_RC_INFERENCE, which is missing various definitions for RC-modifying
-	 * operations. Support could be added by repeating SSA-construction and type inference with the
-	 * given flag. */
-	// if (Z_REFCOUNTED_P(value)) {
-	// 	if (Z_REFCOUNT_P(value) == 1 && !(type_mask & MAY_BE_RC1)) {
-	// 		ZEND_VERIFY_TYPE_INFERENCE_ERROR("mask 0x%x missing MAY_BE_RC1", type_mask);
-	// 	}
-	// 	if (Z_REFCOUNT_P(value) > 1 && !(type_mask & MAY_BE_RCN)) {
-	// 		ZEND_VERIFY_TYPE_INFERENCE_ERROR("mask 0x%x missing MAY_BE_RCN", type_mask);
-	// 	}
-	// }
-
-	if (Z_TYPE_P(value) == IS_REFERENCE) {
-		if (!(type_mask & MAY_BE_REF)) {
-			ZEND_VERIFY_TYPE_INFERENCE_ERROR("mask 0x%x missing MAY_BE_REF", type_mask);
-		}
-		value = Z_REFVAL_P(value);
-	}
-
-	if (!(type_mask & (1u << Z_TYPE_P(value)))) {
-		if (Z_TYPE_P(value) == IS_UNUSED && op_type == IS_VAR && (type_mask & MAY_BE_NULL)) {
-			/* FETCH_OBJ_* for typed property may return IS_UNDEF. This is an exception. */
-		} else {
-			ZEND_VERIFY_TYPE_INFERENCE_ERROR("mask 0x%x missing type %d", type_mask, Z_TYPE_P(value));
-		}
-	}
-
-	if (Z_TYPE_P(value) == IS_ARRAY) {
-		HashTable *ht = Z_ARRVAL_P(value);
-		uint32_t num_checked = 0;
-		zend_string *str;
-		zval *val;
-		if (HT_IS_INITIALIZED(ht)) {
-			if (HT_IS_PACKED(ht) && !MAY_BE_PACKED(type_mask)) {
-				ZEND_VERIFY_TYPE_INFERENCE_ERROR("mask 0x%x missing MAY_BE_ARRAY_PACKED", type_mask);
-			}
-			if (!HT_IS_PACKED(ht) && !MAY_BE_HASH(type_mask)) {
-				ZEND_VERIFY_TYPE_INFERENCE_ERROR("mask 0x%x missing MAY_BE_ARRAY_HASH", type_mask);
-			}
-		} else {
-			if (!(type_mask & MAY_BE_ARRAY_EMPTY)) {
-				ZEND_VERIFY_TYPE_INFERENCE_ERROR("mask 0x%x missing MAY_BE_ARRAY_EMPTY", type_mask);
-			}
-		}
-		ZEND_HASH_FOREACH_STR_KEY_VAL(ht, str, val) {
-			if (str) {
-				if (!(type_mask & MAY_BE_ARRAY_KEY_STRING)) {
-					ZEND_VERIFY_TYPE_INFERENCE_ERROR("mask 0x%x missing MAY_BE_ARRAY_KEY_STRING", type_mask);
-					break;
-				}
-			} else {
-				if (!(type_mask & MAY_BE_ARRAY_KEY_LONG)) {
-					ZEND_VERIFY_TYPE_INFERENCE_ERROR("mask 0x%x missing MAY_BE_ARRAY_KEY_LONG", type_mask);
-					break;
-				}
-			}
-
-			uint32_t array_type = 1u << (Z_TYPE_P(val) + MAY_BE_ARRAY_SHIFT);
-			if (!(type_mask & array_type)) {
-				ZEND_VERIFY_TYPE_INFERENCE_ERROR("mask 0x%x missing array type %d", type_mask, Z_TYPE_P(val));
-				break;
-			}
-
-			/* Don't check all elements of large arrays. */
-			if (++num_checked > 16) {
-				break;
-			}
-		} ZEND_HASH_FOREACH_END();
-	}
-}
-
-static void zend_verify_inference_use(zend_execute_data *execute_data, const zend_op *opline)
-{
-	if (opline->op1_use_type
-	 && (opline->op1_type & (IS_TMP_VAR|IS_VAR|IS_CV))
-	 && opline->opcode != ZEND_ROPE_ADD
-	 && opline->opcode != ZEND_ROPE_END) {
-		zend_verify_type_inference(EX_VAR(opline->op1.var), opline->op1_use_type, opline->op1_type, execute_data, opline, "op1_use");
-	}
-	if (opline->op2_use_type
-	 && (opline->op2_type & (IS_TMP_VAR|IS_VAR|IS_CV))) {
-		zend_verify_type_inference(EX_VAR(opline->op2.var), opline->op2_use_type, opline->op2_type, execute_data, opline, "op2_use");
-	}
-	if (opline->result_use_type
-	 && (opline->result_type & (IS_TMP_VAR|IS_VAR|IS_CV))) {
-		zend_verify_type_inference(EX_VAR(opline->result.var), opline->result_use_type, opline->result_type, execute_data, opline, "result_use");
-	}
-}
-
-static void zend_verify_inference_def(zend_execute_data *execute_data, const zend_op *opline)
-{
-	if (EG(exception)) {
-		return;
-	}
-	if (opline->op1_def_type
-	 && (opline->op1_type & (IS_TMP_VAR|IS_VAR|IS_CV))
-	 // array is actually changed by the the following instruction(s)
-	 && opline->opcode != ZEND_FETCH_DIM_W
-	 && opline->opcode != ZEND_FETCH_DIM_RW
-	 && opline->opcode != ZEND_FETCH_DIM_FUNC_ARG
-	 && opline->opcode != ZEND_FETCH_LIST_W) {
-		zend_verify_type_inference(EX_VAR(opline->op1.var), opline->op1_def_type, opline->op1_type, execute_data, opline, "op1_def");
-	}
-	if (opline->op2_def_type
-	 && (opline->op2_type & (IS_TMP_VAR|IS_VAR|IS_CV))) {
-		zend_verify_type_inference(EX_VAR(opline->op2.var), opline->op2_def_type, opline->op2_type, execute_data, opline, "op2_def");
-	}
-	if (opline->result_def_type
-	 && (opline->result_type & (IS_TMP_VAR|IS_VAR|IS_CV))
-	 && opline->opcode != ZEND_ROPE_INIT
-	 && opline->opcode != ZEND_ROPE_ADD
-	 // Some jump opcode handlers don't set result when it's never read
-	 && opline->opcode != ZEND_JMP_SET
-	 && opline->opcode != ZEND_JMP_NULL
-	 && opline->opcode != ZEND_COALESCE
-	 && opline->opcode != ZEND_ASSERT_CHECK) {
-		zend_verify_type_inference(EX_VAR(opline->result.var), opline->result_def_type, opline->result_type, execute_data, opline, "result_def");
-	}
-}
-
-# define ZEND_VERIFY_INFERENCE_USE() zend_verify_inference_use(execute_data, OPLINE);
-# define ZEND_VERIFY_INFERENCE_DEF() zend_verify_inference_def(execute_data, OPLINE);
-#else
-# define ZEND_VERIFY_INFERENCE_USE()
-# define ZEND_VERIFY_INFERENCE_DEF()
+#elif defined(ZEND_VERIFY_TYPE_INFERENCE)
+# include "zend_verify_type_inference.h"
 #endif
 
 #define ZEND_VM_NEXT_OPCODE_EX(check_exception, skip) \
-	ZEND_VERIFY_INFERENCE_DEF() \
 	CHECK_SYMBOL_TABLES() \
 	if (check_exception) { \
 		OPLINE = EX(opline) + (skip); \
 	} else { \
 		ZEND_ASSERT(!EG(exception)); \
 		OPLINE = opline + (skip); \
 	} \
-	ZEND_VERIFY_INFERENCE_USE() \
 	ZEND_VM_CONTINUE()
 
 #define ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION() \