
Commit e70d282

committed
JIT: Fix missing type stote
Fixes oss-fuzz #49402
1 parent cc465ba commit e70d282


2 files changed

+37
-6
lines changed


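--- a/ext/opcache/jit/zend_jit_trace.c
+++ b/ext/opcache/jit/zend_jit_trace.c
@@ -4230,6 +4230,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 bool op1_indirect;
 zend_class_entry *op1_ce = NULL;
 zend_class_entry *op2_ce = NULL;
+bool gen_handler;
 
 opline = p->opline;
 if (op1_type & (IS_TRACE_REFERENCE|IS_TRACE_INDIRECT)) {
@@ -4273,6 +4274,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 }
 
 if (JIT_G(opt_level) >= ZEND_JIT_LEVEL_INLINE) {
+gen_handler = 0;
 switch (opline->opcode) {
 case ZEND_PRE_INC:
 case ZEND_PRE_DEC:
@@ -6141,6 +6143,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 }
 
 if (opline->opcode != ZEND_NOP && opline->opcode != ZEND_JMP) {
+gen_handler = 1;
 op1_info = OP1_INFO();
 op2_info = OP2_INFO();
 if (op1_info & MAY_BE_GUARD) {
@@ -6229,7 +6232,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 }
 } else {
 SET_STACK_TYPE(stack, EX_VAR_TO_NUM(opline->result.var), type,
-(type == IS_UNKNOWN || !ra || !ra[ssa_op->result_def]));
+(gen_handler || type == IS_UNKNOWN || !ra || !ra[ssa_op->result_def]));
 if (ssa->var_info[ssa_op->result_def].type & MAY_BE_INDIRECT) {
 RESET_STACK_MEM_TYPE(stack, EX_VAR_TO_NUM(opline->result.var));
 }
@@ -6284,7 +6287,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 type = STACK_TYPE(stack, EX_VAR_TO_NUM(opline->op1.var));
 }
 SET_STACK_TYPE(stack, EX_VAR_TO_NUM(opline->op1.var), type,
-(type == IS_UNKNOWN || !ra ||
+(gen_handler || type == IS_UNKNOWN || !ra ||
 (!ra[ssa_op->op1_def] &&
 (opline->opcode == ZEND_ASSIGN || !ssa->vars[ssa_op->op1_def].no_val))));
 if (type != IS_UNKNOWN) {
@@ -6331,7 +6334,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 type = STACK_TYPE(stack, EX_VAR_TO_NUM(opline->op2.var));
 }
 SET_STACK_TYPE(stack, EX_VAR_TO_NUM(opline->op2.var), type,
-(type == IS_UNKNOWN || !ra ||
+(gen_handler || type == IS_UNKNOWN || !ra ||
 (!ra[ssa_op->op2_def] && !ssa->vars[ssa_op->op2_def].no_val)));
 if (type != IS_UNKNOWN) {
 ssa->var_info[ssa_op->op2_def].type &= ~MAY_BE_GUARD;
@@ -6384,7 +6387,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 type = STACK_TYPE(stack, EX_VAR_TO_NUM(opline->op1.var));
 }
 SET_STACK_TYPE(stack, EX_VAR_TO_NUM(opline->op1.var), type,
-(type == IS_UNKNOWN || !ra || !ra[ssa_op->op1_def]));
+(gen_handler || type == IS_UNKNOWN || !ra || !ra[ssa_op->op1_def]));
 if (type != IS_UNKNOWN) {
 ssa->var_info[ssa_op->op1_def].type &= ~MAY_BE_GUARD;
 if (ra && ra[ssa_op->op1_def]) {
@@ -6415,7 +6418,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 type = concrete_type(ssa->var_info[ssa_op->result_def].type);
 }
 SET_STACK_TYPE(stack, EX_VAR_TO_NUM(opline->result.var), type,
-(!ra || !ra[ssa_op->result_def]));
+(gen_handler || !ra || !ra[ssa_op->result_def]));
 if (ra && ra[ssa_op->result_def]) {
 SET_STACK_REG_EX(stack, EX_VAR_TO_NUM(opline->result.var), ra[ssa_op->result_def]->reg,
 ra[ssa_op->result_def]->flags & ZREG_STORE);
@@ -6437,7 +6440,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 type = concrete_type(ssa->var_info[ssa_op->op1_def].type);
 }
 SET_STACK_TYPE(stack, EX_VAR_TO_NUM(opline->op1.var), type,
-(!ra || !ra[ssa_op->op1_def]));
+(gen_handler || !ra || !ra[ssa_op->op1_def]));
 if (ra && ra[ssa_op->op1_def]) {
 SET_STACK_REG_EX(stack, EX_VAR_TO_NUM(opline->op1.var), ra[ssa_op->op1_def]->reg,
 ra[ssa_op->op1_def]->flags & ZREG_STORE);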
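Review bot: `bool gen_handler;` at new line 4233 is declared without an initializer, and the only assignment of 0 sits inside the `if (JIT_G(opt_level) >= ZEND_JIT_LEVEL_INLINE)` block at 4277, so if any path reaches the six new `gen_handler ||` operands in the SET_STACK_TYPE calls (6235, 6290, 6337, 6390, 6421, 6443) without passing through that block, the read is of an indeterminate value, which is undefined behavior and makes the type-store decision nondeterministic. Whether such a path exists cannot be confirmed from the hunks, since the enclosing loop body of zend_jit_trace starts and ends outside them. Initializing at the declaration, `bool gen_handler = 0;`, closes the question at no cost and also keeps -Wmaybe-uninitialized quiet. A comment on the declaration would help readers of the six conditions, e.g. `/* 1 when a generic VM handler (not inline code) is emitted for this opline; presumably the type must then be stored to memory rather than kept register-only */`, hedged here because the handler-emission code itself is outside the hunks.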
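--- /dev/null
+++ b/<new-test-file-path-not-shown-on-page>
@@ -0,0 +1,28 @@
+--TEST--
+Register Alloction 016: Missing type store
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function foo() {
+for($cnt = 0; $cnt < 6; $cnt++) {
+var_dump($x);
+$a - 536 >> 4 - $y - 4 << ++$x == $a ?: $b;
+$a .= !$a;
+$x = $a ? $b : $b;
+}
+}
+@foo();
+?>
+DONE
+--EXPECTF--
+NULL
+NULL
+NULL
+NULL
+NULL
+NULL
+DONE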
