Fix GH-16984: function JIT overflow bug (#17015)

2025-08-15 13:38:49 +02:00 · 2024-12-02 13:30:26 +03:00 · 2024-12-02 13:30:26 +03:00 · 03bb112fb2
commit 03bb112fb2
parent d7a37cc9ad
2 changed files with 43 additions and 2 deletions
--- a/ext/opcache/jit/zend_jit_ir.c
+++ b/ext/opcache/jit/zend_jit_ir.c
@ -7204,9 +7204,9 @@ static int zend_jit_cmp(zend_jit_ctx   *jit,

 				while (n) {
 					n--;
-					ir_IF_TRUE(end_inputs->refs[n]);
+					jit_IF_TRUE_FALSE_ex(jit, end_inputs->refs[n], label);
 					ir_END_list(true_inputs);
-					ir_IF_FALSE(end_inputs->refs[n]);
+					jit_IF_TRUE_FALSE_ex(jit, end_inputs->refs[n], label2);
 					ir_END_list(false_inputs);
 				}
 				ir_MERGE_list(true_inputs);
--- a/ext/opcache/tests/jit/gh16984.phpt
+++ b/ext/opcache/tests/jit/gh16984.phpt
@ -0,0 +1,41 @@
+--TEST--
+GH-16984 (function JIT overflow bug)
+--EXTENSIONS--
+opcache
+--SKIPIF--
+<?php if (PHP_INT_SIZE != 8) die("skip: 64-bit only"); ?>
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=32M
+opcache.jit=function
+--FILE--
+<?php
+
+final class Test {
+  public int $integer = -1;
+
+  public function foo(int $x) {
+    return $x;
+  }
+}
+
+function foo(Test $test, int $value) {
+  $val = $test->foo($value);
+  if ($val <= PHP_INT_MAX) {
+    $test->integer = $val;
+  }
+}
+
+function main() {
+  $test = new Test;
+  foo($test, 9223372036854775806);
+  foo($test, 9223372036854775807); // Also reproduces without this call, but this imitates the psalm code
+  var_dump($test->integer);
+}
+
+main();
+?>
+--EXPECT--
+int(9223372036854775807)