Fixed incorrect DCE for FREE

dstogov · dstogov · commit 78c7289f6922 · 2022-02-28T11:44:22.000+03:00
Fixes oss-fuzz #44863
diff --git a/ext/opcache/Optimizer/dce.c b/ext/opcache/Optimizer/dce.c
@@ -391,7 +391,9 @@ static zend_bool dce_instr(context *ctx, zend_op *opline, zend_ssa_op *ssa_op) {
 	}
 
 	/* We mark FREEs as dead, but they're only really dead if the destroyed var is dead */
-	if (opline->opcode == ZEND_FREE && may_be_refcounted(ssa->var_info[ssa_op->op1_use].type)
+	if (opline->opcode == ZEND_FREE
+			&& ((ssa->var_info[ssa_op->op1_use].type & (MAY_BE_REF|MAY_BE_ANY|MAY_BE_UNDEF)) == 0
+				|| may_be_refcounted(ssa->var_info[ssa_op->op1_use].type))
 			&& !is_var_dead(ctx, ssa_op->op1_use)) {
 		return 0;
 	}
diff --git a/ext/opcache/tests/opt/dce_013.phpt b/ext/opcache/tests/opt/dce_013.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Incorrect DCE of FREE
+--FILE--
+<?php
+function foo() {
+  $a = $r[] = $r = []&$y;
+  list(&$y)=$a;
+}
+?>
+DONE
+--EXPECT--
+DONE

Original file line number	Diff line number	Diff line change
`@@ -391,7 +391,9 @@ static zend_bool dce_instr(context ctx, zend_op opline, zend_ssa_op *ssa_op) {`
`391`	`391`	`}`
`392`	`392`
`393`	`393`	`/* We mark FREEs as dead, but they're only really dead if the destroyed var is dead */`
`394`		`- if (opline->opcode == ZEND_FREE && may_be_refcounted(ssa->var_info[ssa_op->op1_use].type)`
	`394`	`+ if (opline->opcode == ZEND_FREE`
	`395`	`+ && ((ssa->var_info[ssa_op->op1_use].type & (MAY_BE_REF\|MAY_BE_ANY\|MAY_BE_UNDEF)) == 0`
	`396`	`+ \|\| may_be_refcounted(ssa->var_info[ssa_op->op1_use].type))`
`395`	`397`	`&& !is_var_dead(ctx, ssa_op->op1_use)) {`
`396`	`398`	`return 0;`
`397`	`399`	`}`