Fixed bug #81409 (Incorrect JIT code for ADD with a reference to array)

Author: dstogov

NEWS

@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.1.0RC2
 
+- Opcache:
+  . Fixed bug #81409 (Incorrect JIT code for ADD with a reference to array).
+    (Dmitry)
+
 - Zip:
   . Fixed bug #80833 (ZipArchive::getStream doesn't use setPassword). (Remi)
 

ext/opcache/jit/zend_jit.c

@@ -2989,7 +2989,7 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 						if (opline->opcode == ZEND_ADD &&
 						    (op1_info & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_ARRAY &&
 						    (op2_info & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {
-							if (!zend_jit_add_arrays(&dasm_state, opline, op1_info, op2_info, res_addr)) {
+							if (!zend_jit_add_arrays(&dasm_state, opline, op1_info, OP1_REG_ADDR(), op2_info, OP2_REG_ADDR(), res_addr)) {
 								goto jit_failure;
 							}
 						} else {

ext/opcache/jit/zend_jit_arm64.dasc

@@ -4454,11 +4454,8 @@ static int zend_jit_math(dasm_State **Dst, const zend_op *opline, uint32_t op1_i
 	return 1;
 }
 
-static int zend_jit_add_arrays(dasm_State **Dst, const zend_op *opline, uint32_t op1_info, uint32_t op2_info, zend_jit_addr res_addr)
+static int zend_jit_add_arrays(dasm_State **Dst, const zend_op *opline, uint32_t op1_info, zend_jit_addr op1_addr, uint32_t op2_info, zend_jit_addr op2_addr, zend_jit_addr res_addr)
 {
-	zend_jit_addr op1_addr = OP1_ADDR();
-	zend_jit_addr op2_addr = OP2_ADDR();
-
 	|	GET_ZVAL_LVAL ZREG_FCARG1, op1_addr, TMP1
 	|	GET_ZVAL_LVAL ZREG_FCARG2, op2_addr, TMP1
 	|	EXT_CALL zend_jit_add_arrays_helper, REG0

ext/opcache/jit/zend_jit_trace.c

@@ -4270,7 +4270,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 						if (opline->opcode == ZEND_ADD &&
 						    (op1_info & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_ARRAY &&
 						    (op2_info & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {
-							if (!zend_jit_add_arrays(&dasm_state, opline, op1_info, op2_info, res_addr)) {
+							if (!zend_jit_add_arrays(&dasm_state, opline, op1_info, op1_addr, op2_info, op2_addr, res_addr)) {
 								goto jit_failure;
 							}
 						} else {

ext/opcache/jit/zend_jit_x86.dasc

@@ -4877,11 +4877,8 @@ static int zend_jit_math(dasm_State **Dst, const zend_op *opline, uint32_t op1_i
 	return 1;
 }
 
-static int zend_jit_add_arrays(dasm_State **Dst, const zend_op *opline, uint32_t op1_info, uint32_t op2_info, zend_jit_addr res_addr)
+static int zend_jit_add_arrays(dasm_State **Dst, const zend_op *opline, uint32_t op1_info, zend_jit_addr op1_addr, uint32_t op2_info, zend_jit_addr op2_addr, zend_jit_addr res_addr)
 {
-	zend_jit_addr op1_addr = OP1_ADDR();
-	zend_jit_addr op2_addr = OP2_ADDR();
-
 	|	GET_ZVAL_LVAL ZREG_FCARG1, op1_addr
 	|	GET_ZVAL_LVAL ZREG_FCARG2, op2_addr
 	|	EXT_CALL zend_jit_add_arrays_helper, r0

ext/opcache/tests/jit/bug81409.phpt

@@ -0,0 +1,26 @@
+--TEST--
+Bug #81409: Incorrect JIT code for ADD with a reference to array
+--EXTENSIONS--
+opcache
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.jit_buffer_size=1M
+opcache.jit=tracing
+--FILE--
+<?php
+function foo(&$a) {
+    $n = count($a);	
+    $a = $a + [$n=>1];
+}
+function bar() {
+    $x = [];
+    for ($i = 0; $i < 200; $i++) {
+        foo($x);
+    }
+    var_dump(count($x));
+}
+bar();
+?>
+--EXPECT--
+int(200)