Fixed incorrect guard elimination

Fixes oss-fuzz #64414
Dmitry Stogov 2023-11-27 21:12:04 +03:00
parent 298bba5319
commit e30d78f332
2 changed files with 35 additions and 1 deletions


@ -4513,7 +4513,9 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
if (((res_info & (MAY_BE_ANY|MAY_BE_GUARD)) == (MAY_BE_LONG|MAY_BE_GUARD)
|| (res_info & (MAY_BE_ANY|MAY_BE_GUARD)) == (MAY_BE_DOUBLE|MAY_BE_GUARD))
&& has_concrete_type(op1_info)
&& has_concrete_type(op2_info)) {
&& (op1_info & (MAY_BE_LONG|MAY_BE_DOUBLE))
&& has_concrete_type(op2_info)
&& (op2_info & (MAY_BE_LONG|MAY_BE_DOUBLE))) {
ssa->var_info[ssa_op->result_def].type &= ~MAY_BE_GUARD;
}
}
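Review bot: The tightened condition carries no comment explaining why the guard may only be dropped for numeric operands, so a later edit to this expression could loosen it again without anyone noticing. Once `MAY_BE_GUARD` is cleared, the traced code presumably relies on the inferred long/double result with no runtime check, so a concrete but non-numeric operand (the added test hits `string * float`) has to keep the guard. I would add `/* Keep the result guard unless both operands are exactly long or double: other concrete types may throw or produce a different result type. */` above the `if`. The pair `has_concrete_type(x) && (x & (MAY_BE_LONG|MAY_BE_DOUBLE))` is written out twice and could become a small static helper, assuming `has_concrete_type` (defined outside this hunk) means exactly one type bit is set. The enclosing `zend_jit_trace` body starts and ends outside the hunk.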


@ -0,0 +1,32 @@
--TEST--
JIT MUL: 010 incorrect guard elimination
--INI--
opcache.enable=1
opcache.enable_cli=1
--FILE--
<?php
function test() {
$j = 0;
for ($i = 0; $i < 40; $i++) {
$a * $e == $a - $a + $e;
$maq[$obj] = $a + $e;
$maq[$obj] = $maq[$obj] = !!$a = $a .
$maq[$obj] = $maq[$obj] = $maq[$obj] = $maq[$obj] = $a = $a + $a = &$a +
$maq[$obj] = $maq[$obj] = $a + $e;
$maq[$obj] = $maq[$obj] = !!$a = $a . $maq[$obj] = $maq[$obj] = $maq[$obj] =
$maq[$obj] = $a * $e == $a - $a + $e;
$maq[$obj] = $maq[$obj] = +$e;
$a * $e == $a - $a + $e;
+$e;
$a * $a = $a + $a = &$a + $e = $a-- +$a + $e;
$maq[$obj] = $maq[$obj] = !!$a = $a . $a &= $aZ = $a;
}
}
try {
@test();
} catch (Throwable $ex) {
echo $ex->getMessage() . "\n";
}
?>
--EXPECT--
Unsupported operand types: string * float
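Review bot: The `--INI--` section enables opcache but never sets a JIT mode or buffer, so whether this test reaches the tracing JIT depends entirely on how the runner is configured. The expected `Unsupported operand types: string * float` should be what the plain interpreter prints as well, so with JIT off the test passes without exercising the fix. If the suite does not already supply them globally, pin the settings here, e.g. `opcache.jit=tracing` and a non-zero `opcache.jit_buffer_size`. An `--EXTENSIONS--` section listing `opcache` would also make the test skip instead of passing silently when the extension is not loaded.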