Remove more null arithmetic UB

nikic · nikic · commit 1949a26aaca6 · 2020-02-27T12:54:48.000+01:00
Introduce an EX_NUM_TO_VAR macro to mirror EX_VAR_TO_NUM and
replace usages of the ZEND_CALL_VAR_NUM(NULL) pattern.
diff --git a/Zend/zend_compile.h b/Zend/zend_compile.h
@@ -578,6 +578,7 @@ struct _zend_execute_data {
 #define EX_VAR_NUM(n)			ZEND_CALL_VAR_NUM(execute_data, n)
 
 #define EX_VAR_TO_NUM(n)		((uint32_t)((n) / sizeof(zval) - ZEND_CALL_FRAME_SLOT))
+#define EX_NUM_TO_VAR(n)		((uint32_t)((n + ZEND_CALL_FRAME_SLOT) * sizeof(zval)))
 
 #define ZEND_OPLINE_TO_OFFSET(opline, target) \
 	((char*)(target) - (char*)(opline))
diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c
@@ -1035,15 +1035,15 @@ ZEND_API int pass_two(zend_op_array *op_array)
 		if (opline->op1_type == IS_CONST) {
 			ZEND_PASS_TWO_UPDATE_CONSTANT(op_array, opline, opline->op1);
 		} else if (opline->op1_type & (IS_VAR|IS_TMP_VAR)) {
-			opline->op1.var = (uint32_t)(zend_intptr_t)ZEND_CALL_VAR_NUM(NULL, op_array->last_var + opline->op1.var);
+			opline->op1.var = EX_NUM_TO_VAR(op_array->last_var + opline->op1.var);
 		}
 		if (opline->op2_type == IS_CONST) {
 			ZEND_PASS_TWO_UPDATE_CONSTANT(op_array, opline, opline->op2);
 		} else if (opline->op2_type & (IS_VAR|IS_TMP_VAR)) {
-			opline->op2.var = (uint32_t)(zend_intptr_t)ZEND_CALL_VAR_NUM(NULL, op_array->last_var + opline->op2.var);
+			opline->op2.var = EX_NUM_TO_VAR(op_array->last_var + opline->op2.var);
 		}
 		if (opline->result_type & (IS_VAR|IS_TMP_VAR)) {
-			opline->result.var = (uint32_t)(zend_intptr_t)ZEND_CALL_VAR_NUM(NULL, op_array->last_var + opline->result.var);
+			opline->result.var = EX_NUM_TO_VAR(op_array->last_var + opline->result.var);
 		}
 		ZEND_VM_SET_OPCODE_HANDLER(opline);
 		opline++;
diff --git a/ext/opcache/Optimizer/zend_optimizer_internal.h b/ext/opcache/Optimizer/zend_optimizer_internal.h
@@ -31,7 +31,7 @@
 #define ZEND_OP2_JMP_ADDR(opline)		OP_JMP_ADDR(opline, (opline)->op2)
 
 #define VAR_NUM(v) EX_VAR_TO_NUM(v)
-#define NUM_VAR(v) ((uint32_t)(zend_uintptr_t)ZEND_CALL_VAR_NUM(0, v))
+#define NUM_VAR(v) EX_NUM_TO_VAR(v)
 
 #define INV_COND(op)       ((op) == ZEND_JMPZ    ? ZEND_JMPNZ    : ZEND_JMPZ)
 #define INV_EX_COND(op)    ((op) == ZEND_JMPZ_EX ? ZEND_JMPNZ    : ZEND_JMPZ)
diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
@@ -2718,7 +2718,7 @@ static int zend_jit_load_reg(dasm_State **Dst, zend_jit_addr src, zend_jit_addr
 static int zend_jit_store_var(dasm_State **Dst, uint32_t info, int var, zend_reg reg)
 {
 	zend_jit_addr src = ZEND_ADDR_REG(reg);
-	zend_jit_addr dst = ZEND_ADDR_MEM_ZVAL(ZREG_FP, (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, var));
+	zend_jit_addr dst = ZEND_ADDR_MEM_ZVAL(ZREG_FP, EX_NUM_TO_VAR(var));
 
 	return zend_jit_spill_store(Dst, src, dst, info, 1);
 }
@@ -2751,7 +2751,7 @@ static int zend_jit_store_var_if_necessary_ex(dasm_State **Dst, int var, zend_ji
 
 static int zend_jit_load_var(dasm_State **Dst, uint32_t info, int var, zend_reg reg)
 {
-	zend_jit_addr src = ZEND_ADDR_MEM_ZVAL(ZREG_FP, (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, var));
+	zend_jit_addr src = ZEND_ADDR_MEM_ZVAL(ZREG_FP, EX_NUM_TO_VAR(var));
 	zend_jit_addr dst = ZEND_ADDR_REG(reg);
 
 	return zend_jit_load_reg(Dst, src, dst, info);
@@ -6971,7 +6971,7 @@ static int zend_jit_do_fcall(dasm_State **Dst, const zend_op *opline, const zend
 
 		if (func) {
 			for (i = call_info->num_args; i < func->op_array.last_var; i++) {
-				uint32_t n = (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, i);
+				uint32_t n = EX_NUM_TO_VAR(i);
 				|	SET_Z_TYPE_INFO RX + n, IS_UNDEF
 			}
 		}
@@ -7189,7 +7189,7 @@ static int zend_jit_do_fcall(dasm_State **Dst, const zend_op *opline, const zend
 		|	// zend_vm_stack_free_args(call);
 		if (func) {
 			for (i = 0; i < call_info->num_args; i++ ) {
-				uint32_t offset = (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, i);
+				uint32_t offset = EX_NUM_TO_VAR(i);
 				|	ZVAL_PTR_DTOR ZEND_ADDR_MEM_ZVAL(ZREG_RX, offset), MAY_BE_ANY|MAY_BE_RC1|MAY_BE_RCN, 0, 1, 0, opline
 			}
 		} else {
@@ -7909,8 +7909,7 @@ static int zend_jit_free_compiled_variables(dasm_State **Dst, const zend_op *opl
 					const zend_op *opline = op_array->opcodes + ssa->cfg.blocks[j].start + ssa->cfg.blocks[j].len - 1;
 
 					if (opline->opcode == ZEND_RETURN) {
-						if (opline->op1_type == IS_CV &&
-						    opline->op1.var == (uint32_t)(uintptr_t)(ZEND_CALL_VAR_NUM(NULL, i))) {
+						if (opline->op1_type == IS_CV && opline->op1.var == EX_NUM_TO_VAR(i)) {
 							info |= MAY_BE_RCN;
 							break;
 						}
@@ -7921,7 +7920,7 @@ static int zend_jit_free_compiled_variables(dasm_State **Dst, const zend_op *opl
 #endif
 
 		if (info & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF)) {
-			uint32_t offset = (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, i);
+			uint32_t offset = EX_NUM_TO_VAR(i);
 			| ZVAL_PTR_DTOR ZEND_ADDR_MEM_ZVAL(ZREG_FP, offset), info, 1, 1, 0, opline
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -1035,15 +1035,15 @@ ZEND_API int pass_two(zend_op_array *op_array)`
`1035`	`1035`	`if (opline->op1_type == IS_CONST) {`
`1036`	`1036`	`ZEND_PASS_TWO_UPDATE_CONSTANT(op_array, opline, opline->op1);`
`1037`	`1037`	`} else if (opline->op1_type & (IS_VAR\|IS_TMP_VAR)) {`
`1038`		`- opline->op1.var = (uint32_t)(zend_intptr_t)ZEND_CALL_VAR_NUM(NULL, op_array->last_var + opline->op1.var);`
	`1038`	`+ opline->op1.var = EX_NUM_TO_VAR(op_array->last_var + opline->op1.var);`
`1039`	`1039`	`}`
`1040`	`1040`	`if (opline->op2_type == IS_CONST) {`
`1041`	`1041`	`ZEND_PASS_TWO_UPDATE_CONSTANT(op_array, opline, opline->op2);`
`1042`	`1042`	`} else if (opline->op2_type & (IS_VAR\|IS_TMP_VAR)) {`
`1043`		`- opline->op2.var = (uint32_t)(zend_intptr_t)ZEND_CALL_VAR_NUM(NULL, op_array->last_var + opline->op2.var);`
	`1043`	`+ opline->op2.var = EX_NUM_TO_VAR(op_array->last_var + opline->op2.var);`
`1044`	`1044`	`}`
`1045`	`1045`	`if (opline->result_type & (IS_VAR\|IS_TMP_VAR)) {`
`1046`		`- opline->result.var = (uint32_t)(zend_intptr_t)ZEND_CALL_VAR_NUM(NULL, op_array->last_var + opline->result.var);`
	`1046`	`+ opline->result.var = EX_NUM_TO_VAR(op_array->last_var + opline->result.var);`
`1047`	`1047`	`}`
`1048`	`1048`	`ZEND_VM_SET_OPCODE_HANDLER(opline);`
`1049`	`1049`	`opline++;`
Original file line number	Diff line number	Diff line change
`@@ -2718,7 +2718,7 @@ static int zend_jit_load_reg(dasm_State **Dst, zend_jit_addr src, zend_jit_addr`
`2718`	`2718`	`static int zend_jit_store_var(dasm_State **Dst, uint32_t info, int var, zend_reg reg)`
`2719`	`2719`	`{`
`2720`	`2720`	`zend_jit_addr src = ZEND_ADDR_REG(reg);`
`2721`		`- zend_jit_addr dst = ZEND_ADDR_MEM_ZVAL(ZREG_FP, (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, var));`
	`2721`	`+ zend_jit_addr dst = ZEND_ADDR_MEM_ZVAL(ZREG_FP, EX_NUM_TO_VAR(var));`
`2722`	`2722`
`2723`	`2723`	`return zend_jit_spill_store(Dst, src, dst, info, 1);`
`2724`	`2724`	`}`
`@@ -2751,7 +2751,7 @@ static int zend_jit_store_var_if_necessary_ex(dasm_State **Dst, int var, zend_ji`
`2751`	`2751`
`2752`	`2752`	`static int zend_jit_load_var(dasm_State **Dst, uint32_t info, int var, zend_reg reg)`
`2753`	`2753`	`{`
`2754`		`- zend_jit_addr src = ZEND_ADDR_MEM_ZVAL(ZREG_FP, (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, var));`
	`2754`	`+ zend_jit_addr src = ZEND_ADDR_MEM_ZVAL(ZREG_FP, EX_NUM_TO_VAR(var));`
`2755`	`2755`	`zend_jit_addr dst = ZEND_ADDR_REG(reg);`
`2756`	`2756`
`2757`	`2757`	`return zend_jit_load_reg(Dst, src, dst, info);`
`@@ -6971,7 +6971,7 @@ static int zend_jit_do_fcall(dasm_State *Dst, const zend_op opline, const zend`
`6971`	`6971`
`6972`	`6972`	`if (func) {`
`6973`	`6973`	`for (i = call_info->num_args; i < func->op_array.last_var; i++) {`
`6974`		`- uint32_t n = (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, i);`
	`6974`	`+ uint32_t n = EX_NUM_TO_VAR(i);`
`6975`	`6975`	`\| SET_Z_TYPE_INFO RX + n, IS_UNDEF`
`6976`	`6976`	`}`
`6977`	`6977`	`}`
`@@ -7189,7 +7189,7 @@ static int zend_jit_do_fcall(dasm_State *Dst, const zend_op opline, const zend`
`7189`	`7189`	`\| // zend_vm_stack_free_args(call);`
`7190`	`7190`	`if (func) {`
`7191`	`7191`	`for (i = 0; i < call_info->num_args; i++ ) {`
`7192`		`- uint32_t offset = (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, i);`
	`7192`	`+ uint32_t offset = EX_NUM_TO_VAR(i);`
`7193`	`7193`	`\| ZVAL_PTR_DTOR ZEND_ADDR_MEM_ZVAL(ZREG_RX, offset), MAY_BE_ANY\|MAY_BE_RC1\|MAY_BE_RCN, 0, 1, 0, opline`
`7194`	`7194`	`}`
`7195`	`7195`	`} else {`
`@@ -7909,8 +7909,7 @@ static int zend_jit_free_compiled_variables(dasm_State *Dst, const zend_op opl`
`7909`	`7909`	`const zend_op *opline = op_array->opcodes + ssa->cfg.blocks[j].start + ssa->cfg.blocks[j].len - 1;`
`7910`	`7910`
`7911`	`7911`	`if (opline->opcode == ZEND_RETURN) {`
`7912`		`- if (opline->op1_type == IS_CV &&`
`7913`		`- opline->op1.var == (uint32_t)(uintptr_t)(ZEND_CALL_VAR_NUM(NULL, i))) {`
	`7912`	`+ if (opline->op1_type == IS_CV && opline->op1.var == EX_NUM_TO_VAR(i)) {`
`7914`	`7913`	`info \|= MAY_BE_RCN;`
`7915`	`7914`	`break;`
`7916`	`7915`	`}`
`@@ -7921,7 +7920,7 @@ static int zend_jit_free_compiled_variables(dasm_State *Dst, const zend_op opl`
`7921`	`7920`	`#endif`
`7922`	`7921`
`7923`	`7922`	`if (info & (MAY_BE_STRING\|MAY_BE_ARRAY\|MAY_BE_OBJECT\|MAY_BE_RESOURCE\|MAY_BE_REF)) {`
`7924`		`- uint32_t offset = (uint32_t)(uintptr_t)ZEND_CALL_VAR_NUM(NULL, i);`
	`7923`	`+ uint32_t offset = EX_NUM_TO_VAR(i);`
`7925`	`7924`	`\| ZVAL_PTR_DTOR ZEND_ADDR_MEM_ZVAL(ZREG_FP, offset), info, 1, 1, 0, opline`
`7926`	`7925`	`}`
`7927`	`7926`	`}`