Fix GH-17190: Assertion failure ext/opcache/jit/ir/ir_gcm.c (#17221)

dstogov · web-flow · commit f8d2e009648c · 2024-12-20T10:59:33.000+03:00
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
@@ -13380,6 +13380,14 @@ static int zend_jit_assign_dim_op(zend_jit_ctx   *jit,
 
 	op1_addr = zend_jit_prepare_array_update(jit, opline, op1_info, op1_addr, &if_type, &ht_ref, &may_throw);
 
+	if (Z_MODE(op3_addr) == IS_REG
+	 && Z_LOAD(op3_addr)
+	 && jit->ra[Z_SSA_VAR(op3_addr)].ref == IR_NULL) {
+		/* Force load */
+		zend_jit_use_reg(jit, op3_addr);
+	}
+
+
 	if (op1_info & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_ARRAY)) {
 		uint32_t var_def_info = zend_array_element_type(op1_def_info, opline->op1_type, 1, 0);
 
@@ -15015,6 +15023,13 @@ static int zend_jit_assign_obj_op(zend_jit_ctx         *jit,
 		&& prop_type != IS_REFERENCE
 		&& (op1_info & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_OBJECT);
 
+	if (Z_MODE(val_addr) == IS_REG
+	 && Z_LOAD(val_addr)
+	 && jit->ra[Z_SSA_VAR(val_addr)].ref == IR_NULL) {
+		/* Force load */
+		zend_jit_use_reg(jit, val_addr);
+	}
+
 	if (!prop_info) {
 		ir_ref run_time_cache = ir_LOAD_A(jit_EX(run_time_cache));
 		ir_ref ref = ir_LOAD_A(ir_ADD_OFFSET(run_time_cache, (opline+1)->extended_value & ~ZEND_FETCH_OBJ_FLAGS));
diff --git a/ext/opcache/tests/jit/gh17190.phpt b/ext/opcache/tests/jit/gh17190.phpt
@@ -0,0 +1,32 @@
+--TEST--
+GH-17190 (Assertion failure ext/opcache/jit/ir/ir_gcm.c)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=32M
+opcache.jit=function
+--FILE--
+<?php
+$a = [2147483647,2147483647,2147483647,3,0,0,32,2147483584,127];
+echo @crc32(json_encode(bitwise_small_split($a))) . "\n";
+
+function bitwise_small_split($val) {
+    $split = 8;
+    $len = count($val);
+    while ($i != $len) {
+        if (!$overflow) {
+            $remaining -= $split;
+            $overflow = $split <= $remaining ? 0 : $split - $remaining;
+        } elseif (++$i != $len) {
+            $fusion[$i] >>= $overflow;
+            $remaining = 31 - $overflow;
+            $overflow = $split <= $remaining ? 0 : $split - $remaining;
+        }
+    }
+}
+?>
+--EXPECT--
+634125391
