JIT: Fixed incorrect overflow detection introduced in a5e502e

dstogov · dstogov · commit 831a1717f669 · 2021-10-06T10:18:18.000+03:00
diff --git a/ext/opcache/jit/zend_jit_arm64.dasc b/ext/opcache/jit/zend_jit_arm64.dasc
@@ -12823,6 +12823,8 @@ static int zend_jit_incdec_obj(dasm_State          **Dst,
 			}
 			if (opline->result_type != IS_UNUSED
 			 && (opline->opcode == ZEND_PRE_INC_OBJ || opline->opcode == ZEND_PRE_DEC_OBJ)
+			 && prop_info
+			 && !ZEND_TYPE_IS_SET(prop_info->type)
 			 && (res_info & MAY_BE_GUARD)
 			 && (res_info & MAY_BE_LONG)) {
 				int32_t exit_point = zend_jit_trace_get_exit_point(opline + 1, 0);
diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
@@ -13549,6 +13549,8 @@ static int zend_jit_incdec_obj(dasm_State          **Dst,
 			}
 			if (opline->result_type != IS_UNUSED
 			 && (opline->opcode == ZEND_PRE_INC_OBJ || opline->opcode == ZEND_PRE_DEC_OBJ)
+			 && prop_info
+			 && !ZEND_TYPE_IS_SET(prop_info->type)
 			 && (res_info & MAY_BE_GUARD)
 			 && (res_info & MAY_BE_LONG)) {
 				int32_t exit_point = zend_jit_trace_get_exit_point(opline + 1, 0);
diff --git a/ext/opcache/tests/jit/inc_obj_001.phpt b/ext/opcache/tests/jit/inc_obj_001.phpt
@@ -6,7 +6,6 @@ opcache.enable_cli=1
 opcache.file_update_protection=0
 opcache.jit_buffer_size=1M
 opcache.protect_memory=1
-opcache.jit=function
 --FILE--
 <?php
 class Test {
diff --git a/ext/opcache/tests/jit/inc_obj_002.phpt b/ext/opcache/tests/jit/inc_obj_002.phpt
@@ -0,0 +1,33 @@
+--TEST--
+PRE_INC_OBJ: 002
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+--FILE--
+<?php
+class Test {
+    function foo() {
+        $this->prop = PHP_INT_MAX - 5;
+        for ($i = 0; $i < 10; $i++) {
+            var_dump(++$this->prop);
+        }
+    }
+}
+
+$test = new Test;
+$test->foo();
+?>
+--EXPECTF--
+int(%d)
+int(%d)
+int(%d)
+int(%d)
+int(%d)
+float(%f)
+float(%f)
+float(%f)
+float(%f)
+float(%f)

Original file line number	Diff line number	Diff line change
`@@ -12823,6 +12823,8 @@ static int zend_jit_incdec_obj(dasm_State **Dst,`
`12823`	`12823`	`}`
`12824`	`12824`	`if (opline->result_type != IS_UNUSED`
`12825`	`12825`	`&& (opline->opcode == ZEND_PRE_INC_OBJ \|\| opline->opcode == ZEND_PRE_DEC_OBJ)`
	`12826`	`+ && prop_info`
	`12827`	`+ && !ZEND_TYPE_IS_SET(prop_info->type)`
`12826`	`12828`	`&& (res_info & MAY_BE_GUARD)`
`12827`	`12829`	`&& (res_info & MAY_BE_LONG)) {`
`12828`	`12830`	`int32_t exit_point = zend_jit_trace_get_exit_point(opline + 1, 0);`
Original file line number	Diff line number	Diff line change
`@@ -13549,6 +13549,8 @@ static int zend_jit_incdec_obj(dasm_State **Dst,`
`13549`	`13549`	`}`
`13550`	`13550`	`if (opline->result_type != IS_UNUSED`
`13551`	`13551`	`&& (opline->opcode == ZEND_PRE_INC_OBJ \|\| opline->opcode == ZEND_PRE_DEC_OBJ)`
	`13552`	`+ && prop_info`
	`13553`	`+ && !ZEND_TYPE_IS_SET(prop_info->type)`
`13552`	`13554`	`&& (res_info & MAY_BE_GUARD)`
`13553`	`13555`	`&& (res_info & MAY_BE_LONG)) {`
`13554`	`13556`	`int32_t exit_point = zend_jit_trace_get_exit_point(opline + 1, 0);`