Merge branch 'PHP-8.1'

* PHP-8.1:
  JIT: Fixed use-after-free caused by shift by negative number

Author: dstogov

ext/opcache/jit/zend_jit_arm64.dasc

@@ -3594,6 +3594,15 @@ static int zend_jit_load_var(dasm_State **Dst, uint32_t info, int var, zend_reg
 	return zend_jit_load_reg(Dst, src, dst, info);
 }
 
+static int zend_jit_invalidate_var_if_necessary(dasm_State **Dst, zend_uchar op_type, zend_jit_addr addr, znode_op op)
+{
+	if ((op_type & (IS_TMP_VAR|IS_VAR)) && Z_MODE(addr) == IS_REG && !Z_LOAD(addr) && !Z_STORE(addr)) {
+		zend_jit_addr dst = ZEND_ADDR_MEM_ZVAL(ZREG_FP, op.var);
+		|	SET_ZVAL_TYPE_INFO dst, IS_UNDEF, TMP1w, TMP2
+	}
+	return 1;
+}
+
 static int zend_jit_update_regs(dasm_State **Dst, uint32_t var, zend_jit_addr src, zend_jit_addr dst, uint32_t info)
 {
 	if (!zend_jit_same_addr(src, dst)) {
@@ -4654,6 +4663,8 @@ static int zend_jit_long_math_helper(dasm_State    **Dst,
 				if (EXPECTED(op2_lval > 0)) {
 					|	mov Rx(result_reg), xzr
 				} else {
+					zend_jit_invalidate_var_if_necessary(Dst, op1_type, op1_addr, op1);
+					zend_jit_invalidate_var_if_necessary(Dst, op2_type, op2_addr, op2);
 					|	SET_EX_OPLINE opline, REG0
 					|	b ->negative_shift
 				}
@@ -4683,6 +4694,8 @@ static int zend_jit_long_math_helper(dasm_State    **Dst,
 				|	mov Rx(result_reg), xzr
 				|	cmp Rx(op2_reg), xzr
 				|	bgt >1
+				zend_jit_invalidate_var_if_necessary(Dst, op1_type, op1_addr, op1);
+				zend_jit_invalidate_var_if_necessary(Dst, op2_type, op2_addr, op2);
 				|	SET_EX_OPLINE opline, REG0
 				|	b ->negative_shift
 				|.code
@@ -4700,6 +4713,8 @@ static int zend_jit_long_math_helper(dasm_State    **Dst,
 				if (EXPECTED(op2_lval > 0)) {
 					|	asr Rx(result_reg), Rx(result_reg), #((SIZEOF_ZEND_LONG * 8) - 1)
 				} else {
+					zend_jit_invalidate_var_if_necessary(Dst, op1_type, op1_addr, op1);
+					zend_jit_invalidate_var_if_necessary(Dst, op2_type, op2_addr, op2);
 					|	SET_EX_OPLINE opline, REG0
 					|	b ->negative_shift
 				}
@@ -4725,6 +4740,8 @@ static int zend_jit_long_math_helper(dasm_State    **Dst,
 				|	cmp Rx(op2_reg), xzr
 				|	mov Rx(op2_reg), #((SIZEOF_ZEND_LONG * 8) - 1)
 				|	bgt >1
+				zend_jit_invalidate_var_if_necessary(Dst, op1_type, op1_addr, op1);
+				zend_jit_invalidate_var_if_necessary(Dst, op2_type, op2_addr, op2);
 				|	SET_EX_OPLINE opline, REG0
 				|	b ->negative_shift
 				|.code
@@ -4737,6 +4754,8 @@ static int zend_jit_long_math_helper(dasm_State    **Dst,
 			zend_long op2_lval = Z_LVAL_P(Z_ZV(op2_addr));
 
 			if (op2_lval == 0) {
+					zend_jit_invalidate_var_if_necessary(Dst, op1_type, op1_addr, op1);
+					zend_jit_invalidate_var_if_necessary(Dst, op2_type, op2_addr, op2);
 				|	SET_EX_OPLINE opline, REG0
 				|	b ->mod_by_zero
 			} else if (op2_lval == -1) {
@@ -4771,6 +4790,8 @@ static int zend_jit_long_math_helper(dasm_State    **Dst,
 				|	cbz Rx(op2_reg), >1
 				|.cold_code
 				|1:
+				zend_jit_invalidate_var_if_necessary(Dst, op1_type, op1_addr, op1);
+				zend_jit_invalidate_var_if_necessary(Dst, op2_type, op2_addr, op2);
 				|	SET_EX_OPLINE opline, REG0
 				|	b ->mod_by_zero
 				|.code

ext/opcache/jit/zend_jit_x86.dasc

@@ -3939,6 +3939,15 @@ static int zend_jit_load_var(dasm_State **Dst, uint32_t info, int var, zend_reg
 	return zend_jit_load_reg(Dst, src, dst, info);
 }
 
+static int zend_jit_invalidate_var_if_necessary(dasm_State **Dst, zend_uchar op_type, zend_jit_addr addr, znode_op op)
+{
+	if ((op_type & (IS_TMP_VAR|IS_VAR)) && Z_MODE(addr) == IS_REG && !Z_LOAD(addr) && !Z_STORE(addr)) {
+		zend_jit_addr dst = ZEND_ADDR_MEM_ZVAL(ZREG_FP, op.var);
+		|	SET_ZVAL_TYPE_INFO dst, IS_UNDEF
+	}
+	return 1;
+}
+
 static int zend_jit_update_regs(dasm_State **Dst, uint32_t var, zend_jit_addr src, zend_jit_addr dst, uint32_t info)
 {
 	if (!zend_jit_same_addr(src, dst)) {
@@ -5081,6 +5090,8 @@ static int zend_jit_long_math_helper(dasm_State    **Dst,
 				if (EXPECTED(op2_lval > 0)) {
 					|	xor Ra(result_reg), Ra(result_reg)
 				} else {
+					zend_jit_invalidate_var_if_necessary(Dst, op1_type, op1_addr, op1);
+					zend_jit_invalidate_var_if_necessary(Dst, op2_type, op2_addr, op2);
 					|	SET_EX_OPLINE opline, r0
 					|	jmp ->negative_shift
 				}
@@ -5104,6 +5115,8 @@ static int zend_jit_long_math_helper(dasm_State    **Dst,
 				|	cmp r1, 0
 				|	mov Ra(result_reg), 0
 				|	jg >1
+				zend_jit_invalidate_var_if_necessary(Dst, op1_type, op1_addr, op1);
+				zend_jit_invalidate_var_if_necessary(Dst, op2_type, op2_addr, op2);
 				|	SET_EX_OPLINE opline, r0
 				|	jmp ->negative_shift
 				|.code
@@ -5121,6 +5134,8 @@ static int zend_jit_long_math_helper(dasm_State    **Dst,
 				if (EXPECTED(op2_lval > 0)) {
 					|	sar Ra(result_reg), (SIZEOF_ZEND_LONG * 8) - 1
 				} else {
+					zend_jit_invalidate_var_if_necessary(Dst, op1_type, op1_addr, op1);
+					zend_jit_invalidate_var_if_necessary(Dst, op2_type, op2_addr, op2);
 					|	SET_EX_OPLINE opline, r0
 					|	jmp ->negative_shift
 				}
@@ -5141,6 +5156,8 @@ static int zend_jit_long_math_helper(dasm_State    **Dst,
 				|	cmp r1, 0
 				|	mov r1, (SIZEOF_ZEND_LONG * 8) - 1
 				|	jg >1
+				zend_jit_invalidate_var_if_necessary(Dst, op1_type, op1_addr, op1);
+				zend_jit_invalidate_var_if_necessary(Dst, op2_type, op2_addr, op2);
 				|	SET_EX_OPLINE opline, r0
 				|	jmp ->negative_shift
 				|.code
@@ -5153,6 +5170,8 @@ static int zend_jit_long_math_helper(dasm_State    **Dst,
 			zend_long op2_lval = Z_LVAL_P(Z_ZV(op2_addr));
 
 			if (op2_lval == 0) {
+				zend_jit_invalidate_var_if_necessary(Dst, op1_type, op1_addr, op1);
+				zend_jit_invalidate_var_if_necessary(Dst, op2_type, op2_addr, op2);
 				|	SET_EX_OPLINE opline, r0
 				|	jmp ->mod_by_zero
 			} else if (zend_long_is_power_of_two(op2_lval) && op1_range && op1_range->min >= 0) {
@@ -5192,6 +5211,8 @@ static int zend_jit_long_math_helper(dasm_State    **Dst,
 				|	jz >1
 				|.cold_code
 				|1:
+				zend_jit_invalidate_var_if_necessary(Dst, op1_type, op1_addr, op1);
+				zend_jit_invalidate_var_if_necessary(Dst, op2_type, op2_addr, op2);
 				|	SET_EX_OPLINE opline, r0
 				|	jmp ->mod_by_zero
 				|.code

ext/opcache/tests/jit/shift_right_004.phpt

@@ -0,0 +1,40 @@
+--TEST--
+JIT Shift Right: 004
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+--FILE--
+<?php
+function test() {
+	$j = 2;
+    for ($i = 0; $i < 10;
+    	$i + $b = $a + $a = $a + $a = $a +
+		    $a = !$a +
+			$c[0] .= 0xfff0001/34028236692903846346336*6) {
+	    $a =!$a + $a &= 74444444 - 444 >> 4 - $j++;
+        if ($j > 14) break;
+    }
+}
+test();
+?>
+--EXPECTF--
+Warning: Undefined variable $a in %sshift_right_004.php on line 8
+
+Warning: Undefined variable $a in %sshift_right_004.php on line 8
+
+Warning: Undefined variable $c in %sshift_right_004.php on line 7
+
+Warning: Undefined array key 0 in %sshift_right_004.php on line 7
+
+Warning: A non-numeric value encountered in %sshift_right_004.php on line 7
+
+Warning: A non-numeric value encountered in %sshift_right_004.php on line 7
+
+Fatal error: Uncaught ArithmeticError: Bit shift by negative number in %sshift_right_004.php:8
+Stack trace:
+#0 %sshift_right_004.php(12): test()
+#1 {main}
+  thrown in %sshift_right_004.php on line 8