Fixed bug #81051 (Broken property type handling after incrementing reference)

Author: dstogov

NEWS

@@ -9,6 +9,8 @@ PHP                                                                        NEWS
   . Fixed bug #76359 (open_basedir bypass through adding ".."). (cmb)
 
 - Opcache:
+  . Fixed bug #81051 (Broken property type handling after incrementing
+    reference). (Dmitry)
   . Fixed bug #80968 (JIT segfault with return from required file). (Dmitry)
 
 - Standard:

ext/opcache/jit/zend_jit_helpers.c

@@ -2179,6 +2179,7 @@ static void ZEND_FASTCALL zend_jit_assign_op_to_typed_prop(zval *zptr, zend_prop
 	zend_execute_data *execute_data = EG(current_execute_data);
 	zval z_copy;
 
+	ZVAL_DEREF(zptr);
 	binary_op(&z_copy, zptr, value);
 	if (EXPECTED(zend_verify_property_type(prop_info, &z_copy, EX_USES_STRICT_TYPES()))) {
 		zval_ptr_dtor(zptr);
@@ -2261,6 +2262,7 @@ static void ZEND_FASTCALL zend_jit_inc_typed_prop(zval *var_ptr, zend_property_i
 	zend_execute_data *execute_data = EG(current_execute_data);
 	zval tmp;
 
+	ZVAL_DEREF(var_ptr);
 	ZVAL_COPY(&tmp, var_ptr);
 
 	increment_function(var_ptr);
@@ -2283,6 +2285,7 @@ static void ZEND_FASTCALL zend_jit_dec_typed_prop(zval *var_ptr, zend_property_i
 	zend_execute_data *execute_data = EG(current_execute_data);
 	zval tmp;
 
+	ZVAL_DEREF(var_ptr);
 	ZVAL_COPY(&tmp, var_ptr);
 
 	decrement_function(var_ptr);
@@ -2309,6 +2312,7 @@ static void ZEND_FASTCALL zend_jit_pre_inc_typed_prop(zval *var_ptr, zend_proper
 		result = &tmp;
 	}
 
+	ZVAL_DEREF(var_ptr);
 	ZVAL_COPY(result, var_ptr);
 
 	increment_function(var_ptr);
@@ -2339,6 +2343,7 @@ static void ZEND_FASTCALL zend_jit_pre_dec_typed_prop(zval *var_ptr, zend_proper
 		result = &tmp;
 	}
 
+	ZVAL_DEREF(var_ptr);
 	ZVAL_COPY(result, var_ptr);
 
 	decrement_function(var_ptr);
@@ -2364,6 +2369,7 @@ static void ZEND_FASTCALL zend_jit_post_inc_typed_prop(zval *var_ptr, zend_prope
 {
 	zend_execute_data *execute_data = EG(current_execute_data);
 
+	ZVAL_DEREF(var_ptr);
 	ZVAL_COPY(result, var_ptr);
 
 	increment_function(var_ptr);
@@ -2384,6 +2390,7 @@ static void ZEND_FASTCALL zend_jit_post_dec_typed_prop(zval *var_ptr, zend_prope
 {
 	zend_execute_data *execute_data = EG(current_execute_data);
 
+	ZVAL_DEREF(var_ptr);
 	ZVAL_COPY(result, var_ptr);
 
 	decrement_function(var_ptr);

ext/opcache/tests/jit/bug81051.phpt

@@ -0,0 +1,43 @@
+--TEST--
+Bug #80839: PHP problem with JIT
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.jit_buffer_size=1M
+opcache.jit=1205
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+class Binary{
+	public static function readUnsignedVarInt(string $buffer, int &$offset) : int{
+		$offset++;
+		return 0;
+	}
+}
+
+class BinaryStream{
+
+	private string $buffer;
+	private int $offset;
+
+	public function __construct(string $buffer, int $offset = 0){
+		$this->buffer = $buffer;
+		$this->offset = $offset;
+	}
+
+	public function getUnsignedVarInt() : int{
+		return Binary::readUnsignedVarInt($this->buffer, $this->offset);
+	}
+
+	public function get(int $len) : string{
+		return $len === 1 ? $this->buffer[$this->offset++] : substr($this->buffer, ($this->offset += $len) - $len, $len);
+	}
+}
+$stream = new BinaryStream(str_repeat("\x01a", 1000));
+var_dump($stream->getUnsignedVarInt());
+var_dump($stream->get(1));
+?>
+--EXPECT--
+int(0)
+string(1) "a"