Fixed NAN handling in SCCP

dstogov · dstogov · commit 698ac2371150 · 2022-01-10T19:39:19.000+03:00
Fixes oss-fuzz #43341
diff --git a/ext/opcache/Optimizer/sccp.c b/ext/opcache/Optimizer/sccp.c
@@ -183,7 +183,8 @@ static void set_value(scdf_ctx *scdf, sccp_ctx *ctx, int var, zval *new) {
 	}
 
 #if ZEND_DEBUG
-	ZEND_ASSERT(zend_is_identical(value, new));
+	ZEND_ASSERT(zend_is_identical(value, new) ||
+		(Z_TYPE_P(value) == IS_DOUBLE && Z_TYPE_P(new) == IS_DOUBLE && isnan(Z_DVAL_P(value)) && isnan(Z_DVAL_P(new))));
 #endif
 }
 
diff --git a/ext/opcache/tests/opt/sccp_036.phpt b/ext/opcache/tests/opt/sccp_036.phpt
@@ -0,0 +1,16 @@
+--TEST--
+SCCP 036: NAN handling
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function foo() {
+    $y=NAN;
+    for(;x;)for(;$y=1;);
+}
+?>
+DONE
+--EXPECT--
+DONE

Original file line number	Diff line number	Diff line change
`@@ -183,7 +183,8 @@ static void set_value(scdf_ctx scdf, sccp_ctx ctx, int var, zval *new) {`
`183`	`183`	`}`
`184`	`184`
`185`	`185`	`#if ZEND_DEBUG`
`186`		`- ZEND_ASSERT(zend_is_identical(value, new));`
	`186`	`+ ZEND_ASSERT(zend_is_identical(value, new) \|\|`
	`187`	`+ (Z_TYPE_P(value) == IS_DOUBLE && Z_TYPE_P(new) == IS_DOUBLE && isnan(Z_DVAL_P(value)) && isnan(Z_DVAL_P(new))));`
`187`	`188`	`#endif`
`188`	`189`	`}`
`189`	`190`