Start new block after loop free

nikic · nikic · commit 493c91c7429e · 2021-10-04T16:59:46.000+02:00
In the attached test case we ended up not updating a leftover
MATCH jump in the unreachable_free block. There's different ways
this can be addressed, but in this case we can just make sure that
a new block is started after the loop free, which will allow it
to be dropped as unreachable. We only need to retain the free
itself for live-range reconstruction.

Fixes oss-fuzz #39516.
diff --git a/Zend/Optimizer/zend_cfg.c b/Zend/Optimizer/zend_cfg.c
@@ -437,6 +437,9 @@ ZEND_API int zend_build_cfg(zend_arena **arena, const zend_op_array *op_array, u
 			case ZEND_FE_FREE:
 				if (zend_optimizer_is_loop_var_free(opline)) {
 					BB_START(i);
+					if (i + 1 < op_array->last) {
+						BB_START(i + 1);
+					}
 					flags |= ZEND_FUNC_FREE_LOOP_VAR;
 				}
 				break;
diff --git a/Zend/tests/match/045.phpt b/Zend/tests/match/045.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Corrupted CFG due to unreachable free with match
+--FILE--
+<?php
+function test() {
+    var_dump(match(x){});
+    match(y){
+        3, 4 => 5,
+    };
+}
+try {
+    test();
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Undefined constant "x"
