
Commit 6630603

committed
JIT: Fix incorrect type store elimination
Fixes oss-fuzz #42388
1 parent 49380b5 commit 6630603


2 files changed

+50
-9
lines changed


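--- a/ext/opcache/jit/zend_jit_trace.c
+++ b/ext/opcache/jit/zend_jit_trace.c
@@ -4609,15 +4609,13 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 op2_info = OP2_INFO();
 CHECK_OP2_TRACE_TYPE();
 op1_info = OP1_INFO();
-if (ssa->vars[ssa_op->op1_use].no_val) {
-if ((op1_info & (MAY_BE_ANY|MAY_BE_UNDEF|MAY_BE_GUARD)) == MAY_BE_LONG
-|| (op1_info & (MAY_BE_ANY|MAY_BE_UNDEF|MAY_BE_GUARD)) == MAY_BE_DOUBLE) {
-if (STACK_MEM_TYPE(stack, EX_VAR_TO_NUM(opline->op1.var)) != IS_LONG
-&& STACK_MEM_TYPE(stack, EX_VAR_TO_NUM(opline->op1.var)) != IS_DOUBLE) {
-/* type may be not set */
-op1_info |= MAY_BE_NULL;
-}
-}
+if ((op1_info & (MAY_BE_ANY|MAY_BE_UNDEF|MAY_BE_GUARD)) == MAY_BE_LONG
+|| (op1_info & (MAY_BE_ANY|MAY_BE_UNDEF|MAY_BE_GUARD)) == MAY_BE_DOUBLE) {
+if (STACK_MEM_TYPE(stack, EX_VAR_TO_NUM(opline->op1.var)) != IS_LONG
+&& STACK_MEM_TYPE(stack, EX_VAR_TO_NUM(opline->op1.var)) != IS_DOUBLE) {
+/* type may be not set */
+op1_info |= MAY_BE_NULL;
+}
 }
 CHECK_OP1_TRACE_TYPE();
 op1_def_info = OP1_DEF_INFO();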
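Review bot: The comment `/* type may be not set */` at new line 4616 no longer explains the condition. With the `no_val` gate removed, the check runs for every op1 whose inferred type is exactly LONG or DOUBLE, and the reason for that is recorded only in the commit title. I would expand it to something like `/* the type store may have been eliminated: the zval type in memory can be stale even though inference says LONG/DOUBLE, so force the type to be written */`. This looks memory-safety relevant, because op1_info presumably steers how the code after the hunk treats the old value of the assigned variable. The enclosing case of zend_jit_trace starts and ends outside the hunk, so whether sibling cases carry the same `no_val`-gated check cannot be judged from here.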

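--- a/ext/opcache/tests/jit/assign_048.phpt
+++ b/ext/opcache/tests/jit/assign_048.phpt
@@ -0,0 +1,43 @@
+--TEST--
+JIT ASSIGN: incorrect type store elimination
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+opcache.optimization_level=0x7FFEBFFF
+--FILE--
+<?php
+function test(){
+$j = 0;
+for($i=0; $i<10; $i++) {
++$b = +$b = unserialize('');
+$y[] = 4;
+$a + ~$b = $j++;
+}
+}
+test();
+?>
+DONE
+--EXPECTF--
+Warning: Undefined variable $a in %sassign_048.php on line 7
+
+Warning: Undefined variable $a in %sassign_048.php on line 7
+
+Warning: Undefined variable $a in %sassign_048.php on line 7
+
+Warning: Undefined variable $a in %sassign_048.php on line 7
+
+Warning: Undefined variable $a in %sassign_048.php on line 7
+
+Warning: Undefined variable $a in %sassign_048.php on line 7
+
+Warning: Undefined variable $a in %sassign_048.php on line 7
+
+Warning: Undefined variable $a in %sassign_048.php on line 7
+
+Warning: Undefined variable $a in %sassign_048.php on line 7
+
+Warning: Undefined variable $a in %sassign_048.php on line 7
+DONE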
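Review bot: The test has no `--EXTENSIONS--` or `--SKIPIF--` section ahead of `--INI--`, so nothing in it requires opcache to be loaded. On a build without opcache the `opcache.*` settings have no effect, and the interpreter emits the same ten warnings and `DONE`, so the regression test can pass without the JIT ever compiling the loop. Adding `--EXTENSIONS--` followed by `opcache` (or the skip include the neighbouring tests use, which is not visible on this page) would turn that into a skip. The `--INI--` block also leaves `opcache.jit` at its default, so coverage of the trace compiler depends on that default; an explicit `opcache.jit=tracing` line would pin it.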
