Start block at loop var free

nikic · nikic · commit 823888c4729b · 2021-09-27T11:56:37.000+02:00
This ensures that code directly before the loop var free is
separated out (and will generally be eliminated as unreachable).
This fixes some assumptions we have that unreachable loop var free
blocks start with the loop var free.

Fixes oss-fuzz #39395.
diff --git a/Zend/tests/code_before_loop_var_free.phpt b/Zend/tests/code_before_loop_var_free.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Code before loop var free
+--FILE--
+<?php
+switch ($x > 0) {
+default:
+    return;
+    Y;
+}
+?>
+--EXPECTF--
+Warning: Undefined variable $x in %s on line %d
diff --git a/ext/opcache/Optimizer/zend_cfg.c b/ext/opcache/Optimizer/zend_cfg.c
@@ -434,13 +434,12 @@ int zend_build_cfg(zend_arena **arena, const zend_op_array *op_array, uint32_t b
 				flags |= ZEND_FUNC_HAS_EXTENDED_FCALL;
 				break;
 			case ZEND_FREE:
-				if (opline->extended_value == ZEND_FREE_SWITCH) {
+			case ZEND_FE_FREE:
+				if (zend_optimizer_is_loop_var_free(opline)) {
+					BB_START(i);
 					flags |= ZEND_FUNC_FREE_LOOP_VAR;
 				}
 				break;
-			case ZEND_FE_FREE:
-				flags |= ZEND_FUNC_FREE_LOOP_VAR;
-				break;
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -434,13 +434,12 @@ int zend_build_cfg(zend_arena *arena, const zend_op_array op_array, uint32_t b`
`434`	`434`	`flags \|= ZEND_FUNC_HAS_EXTENDED_FCALL;`
`435`	`435`	`break;`
`436`	`436`	`case ZEND_FREE:`
`437`		`- if (opline->extended_value == ZEND_FREE_SWITCH) {`
	`437`	`+ case ZEND_FE_FREE:`
	`438`	`+ if (zend_optimizer_is_loop_var_free(opline)) {`
	`439`	`+ BB_START(i);`
`438`	`440`	`flags \|= ZEND_FUNC_FREE_LOOP_VAR;`
`439`	`441`	`}`
`440`	`442`	`break;`
`441`		`- case ZEND_FE_FREE:`
`442`		`- flags \|= ZEND_FUNC_FREE_LOOP_VAR;`
`443`		`- break;`
`444`	`443`	`}`
`445`	`444`	`}`
`446`	`445`