Fix GH-14873: PHP 8.4 min function fails on typed integer

The DFA pass may cause the op1 and result argument to be equal to each
other. In the VM we always use ZVAL_NULL(result) first, which will also
destroy the first argument. Use a temporary result to fix the issue.

Author: nielsdos

Zend/zend_execute.c

@@ -1552,6 +1552,8 @@ ZEND_API void zend_frameless_observed_call(zend_execute_data *execute_data)
 	uint8_t num_args = ZEND_FLF_NUM_ARGS(opline->opcode);
 	zend_function *fbc = ZEND_FLF_FUNC(opline);
 	zval *result = EX_VAR(opline->result.var);
+	zval tmp_result;
+	ZVAL_NULL(&tmp_result);
 
 	zend_execute_data *call = zend_vm_stack_push_call_frame_ex(zend_vm_calc_used_stack(num_args, fbc), ZEND_CALL_NESTED_FUNCTION, fbc, num_args, NULL);
 	call->prev_execute_data = execute_data;
@@ -1565,7 +1567,8 @@ ZEND_API void zend_frameless_observed_call(zend_execute_data *execute_data)
 	EG(current_execute_data) = call;
 
 	zend_observer_fcall_begin_prechecked(call, ZEND_OBSERVER_DATA(fbc));
-	fbc->internal_function.handler(call, result);
+	fbc->internal_function.handler(call, &tmp_result);
+	ZVAL_COPY_VALUE(result, &tmp_result);
 	zend_observer_fcall_end(call, result);
 
 	EG(current_execute_data) = execute_data;

Zend/zend_vm_def.h

@@ -9638,9 +9638,9 @@ ZEND_VM_HANDLER(205, ZEND_FRAMELESS_ICALL_1, ANY, UNUSED, SPEC(OBSERVER))
 	SAVE_OPLINE();
 
 	zval *result = EX_VAR(opline->result.var);
-	ZVAL_NULL(result);
 	zval *arg1 = GET_OP1_ZVAL_PTR_DEREF(BP_VAR_R);
 	if (EG(exception)) {
+		ZVAL_NULL(result);
 		FREE_OP1();
 		HANDLE_EXCEPTION();
 	}
@@ -9651,8 +9651,11 @@ ZEND_VM_HANDLER(205, ZEND_FRAMELESS_ICALL_1, ANY, UNUSED, SPEC(OBSERVER))
 	} else
 #endif
 	{
+		zval tmp_result;
+		ZVAL_NULL(&tmp_result);
 		zend_frameless_function_1 function = (zend_frameless_function_1)ZEND_FLF_HANDLER(opline);
-		function(result, arg1);
+		function(&tmp_result, arg1);
+		ZVAL_COPY_VALUE(result, &tmp_result);
 	}
 	FREE_OP1();
 	ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
@@ -9664,10 +9667,10 @@ ZEND_VM_HANDLER(206, ZEND_FRAMELESS_ICALL_2, ANY, ANY, SPEC(OBSERVER))
 	SAVE_OPLINE();
 
 	zval *result = EX_VAR(opline->result.var);
-	ZVAL_NULL(result);
 	zval *arg1 = GET_OP1_ZVAL_PTR_DEREF(BP_VAR_R);
 	zval *arg2 = GET_OP2_ZVAL_PTR_DEREF(BP_VAR_R);
 	if (EG(exception)) {
+		ZVAL_NULL(result);
 		FREE_OP1();
 		FREE_OP2();
 		HANDLE_EXCEPTION();
@@ -9679,8 +9682,11 @@ ZEND_VM_HANDLER(206, ZEND_FRAMELESS_ICALL_2, ANY, ANY, SPEC(OBSERVER))
 	} else
 #endif
 	{
+		zval tmp_result;
+		ZVAL_NULL(&tmp_result);
 		zend_frameless_function_2 function = (zend_frameless_function_2)ZEND_FLF_HANDLER(opline);
-		function(result, arg1, arg2);
+		function(&tmp_result, arg1, arg2);
+		ZVAL_COPY_VALUE(result, &tmp_result);
 	}
 
 	FREE_OP1();
@@ -9698,11 +9704,11 @@ ZEND_VM_HANDLER(207, ZEND_FRAMELESS_ICALL_3, ANY, ANY, SPEC(OBSERVER))
 	SAVE_OPLINE();
 
 	zval *result = EX_VAR(opline->result.var);
-	ZVAL_NULL(result);
 	zval *arg1 = GET_OP1_ZVAL_PTR_DEREF(BP_VAR_R);
 	zval *arg2 = GET_OP2_ZVAL_PTR_DEREF(BP_VAR_R);
 	zval *arg3 = GET_OP_DATA_ZVAL_PTR_DEREF(BP_VAR_R);
 	if (EG(exception)) {
+		ZVAL_NULL(result);
 		FREE_OP1();
 		FREE_OP2();
 		FREE_OP_DATA();
@@ -9715,8 +9721,11 @@ ZEND_VM_HANDLER(207, ZEND_FRAMELESS_ICALL_3, ANY, ANY, SPEC(OBSERVER))
 	} else
 #endif
 	{
+		zval tmp_result;
+		ZVAL_NULL(&tmp_result);
 		zend_frameless_function_3 function = (zend_frameless_function_3)ZEND_FLF_HANDLER(opline);
-		function(result, arg1, arg2, arg3);
+		function(&tmp_result, arg1, arg2, arg3);
+		ZVAL_COPY_VALUE(result, &tmp_result);
 	}
 
 	FREE_OP1();

Zend/zend_vm_execute.h

@@ -17103,20 +17103,33 @@ static void jit_frameless_icall1(zend_jit_ctx *jit, const zend_op *opline, uint3
 	zend_jit_addr op1_addr = OP1_ADDR();
 	ir_ref res_ref = jit_ZVAL_ADDR(jit, res_addr);
 	ir_ref op1_ref = jit_ZVAL_ADDR(jit, op1_addr);
-	jit_set_Z_TYPE_INFO(jit, res_addr, IS_NULL);
+	ir_ref tmp_result_ref, result_ref;
 	if (opline->op1_type == IS_CV && (op1_info & MAY_BE_UNDEF)) {
 		zend_jit_zval_check_undef(jit, op1_ref, opline->op1.var, opline, 1);
 	}
 	if (op1_info & MAY_BE_REF) {
 		op1_ref = jit_ZVAL_DEREF_ref(jit, op1_ref);
 	}
+	if (op1_addr == res_addr) {
+		tmp_result_ref = ir_ALLOCA(ir_CONST_ADDR(sizeof(zval)));
+		jit_set_Z_TYPE_INFO(jit, ZEND_ADDR_REF_ZVAL(tmp_result_ref), IS_NULL);
+		result_ref = tmp_result_ref;
+	} else {
+		jit_set_Z_TYPE_INFO(jit, res_addr, IS_NULL);
+		result_ref = res_ref;
+	}
 
 	ir_ref skip_observer = IR_UNUSED;
 	if (ZEND_OBSERVER_ENABLED) {
 		skip_observer = jit_frameless_observer(jit, opline);
 	}
 
-	ir_CALL_2(IR_VOID, ir_CONST_ADDR((size_t)function), res_ref, op1_ref);
+	ir_CALL_2(IR_VOID, ir_CONST_ADDR((size_t)function), result_ref, op1_ref);
+
+	if (op1_addr == res_addr) {
+		jit_ZVAL_COPY(jit, res_addr, MAY_BE_ANY, ZEND_ADDR_REF_ZVAL(tmp_result_ref), MAY_BE_ANY, 0);
+		ir_AFREE(ir_CONST_ADDR(sizeof(zval)));
+	}
 
 	if (skip_observer != IR_UNUSED) {
 		ir_MERGE_WITH(skip_observer);
@@ -17145,7 +17158,7 @@ static void jit_frameless_icall2(zend_jit_ctx *jit, const zend_op *opline, uint3
 	ir_ref res_ref = jit_ZVAL_ADDR(jit, res_addr);
 	ir_ref op1_ref = jit_ZVAL_ADDR(jit, op1_addr);
 	ir_ref op2_ref = jit_ZVAL_ADDR(jit, op2_addr);
-	jit_set_Z_TYPE_INFO(jit, res_addr, IS_NULL);
+	ir_ref tmp_result_ref, result_ref;
 	if (opline->op1_type == IS_CV && (op1_info & MAY_BE_UNDEF)) {
 		zend_jit_zval_check_undef(jit, op1_ref, opline->op1.var, opline, 1);
 	}
@@ -17158,13 +17171,26 @@ static void jit_frameless_icall2(zend_jit_ctx *jit, const zend_op *opline, uint3
 	if (op2_info & MAY_BE_REF) {
 		op2_ref = jit_ZVAL_DEREF_ref(jit, op2_ref);
 	}
+	if (op1_addr == res_addr || op2_addr == res_addr) {
+		tmp_result_ref = ir_ALLOCA(ir_CONST_ADDR(sizeof(zval)));
+		jit_set_Z_TYPE_INFO(jit, ZEND_ADDR_REF_ZVAL(tmp_result_ref), IS_NULL);
+		result_ref = tmp_result_ref;
+	} else {
+		jit_set_Z_TYPE_INFO(jit, res_addr, IS_NULL);
+		result_ref = res_ref;
+	}
 
 	ir_ref skip_observer = IR_UNUSED;
 	if (ZEND_OBSERVER_ENABLED) {
 		skip_observer = jit_frameless_observer(jit, opline);
 	}
 
-	ir_CALL_3(IR_VOID, ir_CONST_ADDR((size_t)function), res_ref, op1_ref, op2_ref);
+	ir_CALL_3(IR_VOID, ir_CONST_ADDR((size_t)function), result_ref, op1_ref, op2_ref);
+
+	if (op1_addr == res_addr || op2_addr == res_addr) {
+		jit_ZVAL_COPY(jit, res_addr, MAY_BE_ANY, ZEND_ADDR_REF_ZVAL(tmp_result_ref), MAY_BE_ANY, 0);
+		ir_AFREE(ir_CONST_ADDR(sizeof(zval)));
+	}
 
 	if (skip_observer != IR_UNUSED) {
 		ir_MERGE_WITH(skip_observer);
@@ -17204,7 +17230,7 @@ static void jit_frameless_icall3(zend_jit_ctx *jit, const zend_op *opline, uint3
 	ir_ref op1_ref = jit_ZVAL_ADDR(jit, op1_addr);
 	ir_ref op2_ref = jit_ZVAL_ADDR(jit, op2_addr);
 	ir_ref op3_ref = jit_ZVAL_ADDR(jit, op3_addr);
-	jit_set_Z_TYPE_INFO(jit, res_addr, IS_NULL);
+	ir_ref tmp_result_ref, result_ref;
 	if (opline->op1_type == IS_CV && (op1_info & MAY_BE_UNDEF)) {
 		zend_jit_zval_check_undef(jit, op1_ref, opline->op1.var, opline, 1);
 	}
@@ -17223,13 +17249,26 @@ static void jit_frameless_icall3(zend_jit_ctx *jit, const zend_op *opline, uint3
 	if (op1_data_info & MAY_BE_REF) {
 		op3_ref = jit_ZVAL_DEREF_ref(jit, op3_ref);
 	}
+	if (op1_addr == res_addr || op2_addr == res_addr || op3_addr == res_addr) {
+		tmp_result_ref = ir_ALLOCA(ir_CONST_ADDR(sizeof(zval)));
+		jit_set_Z_TYPE_INFO(jit, ZEND_ADDR_REF_ZVAL(tmp_result_ref), IS_NULL);
+		result_ref = tmp_result_ref;
+	} else {
+		jit_set_Z_TYPE_INFO(jit, res_addr, IS_NULL);
+		result_ref = res_ref;
+	}
 
 	ir_ref skip_observer = IR_UNUSED;
 	if (ZEND_OBSERVER_ENABLED) {
 		skip_observer = jit_frameless_observer(jit, opline);
 	}
 
-	ir_CALL_4(IR_VOID, ir_CONST_ADDR((size_t)function), res_ref, op1_ref, op2_ref, op3_ref);
+	ir_CALL_4(IR_VOID, ir_CONST_ADDR((size_t)function), result_ref, op1_ref, op2_ref, op3_ref);
+
+	if (op1_addr == res_addr || op2_addr == res_addr || op3_addr == res_addr) {
+		jit_ZVAL_COPY(jit, res_addr, MAY_BE_ANY, ZEND_ADDR_REF_ZVAL(tmp_result_ref), MAY_BE_ANY, 0);
+		ir_AFREE(ir_CONST_ADDR(sizeof(zval)));
+	}
 
 	if (skip_observer != IR_UNUSED) {
 		ir_MERGE_WITH(skip_observer);

ext/opcache/jit/zend_jit_ir.c

@@ -0,0 +1,29 @@
+--TEST--
+GH-14873 (PHP 8.4 min function fails on typed integer)
+--FILE--
+<?php
+
+function testTrim1(string $value): string {
+	$value = trim($value);
+	return $value;
+}
+
+function testMin2(int $value): int {
+	$value = min($value, 100);
+	return $value;
+}
+
+function testMin3(int $value): int {
+	$value = min($value, 100, 200);
+	return $value;
+}
+
+var_dump(testTrim1(" boo "));
+var_dump(testMin2(5));
+var_dump(testMin3(5));
+
+?>
+--EXPECT--
+string(3) "boo"
+int(5)
+int(5)