Fix GH-9068: Conditional jump or move depends on uninitialised value(s)

See GH-9068 for analysis.

This patch preserves the scratch registers of the SysV x86-64 ABI by
storing them on the stack and restoring them later. We need to do
this to prevent the registers of the caller from being corrupted.
The reason these get corrupted is because the compiler is unaware of
the Valgrind replacement function and thus makes assumptions about the
original function regarding registers which are not true for the
replacement function.

Author: nielsdos

Zend/zend_string.c

@@ -372,11 +372,69 @@ ZEND_API void zend_interned_strings_switch_storage(bool request)
 # define I_REPLACE_SONAME_FNNAME_ZU(soname, fnname) _vgr00000ZU_ ## soname ## _ ## fnname
 #endif
 
-ZEND_API bool ZEND_FASTCALL I_REPLACE_SONAME_FNNAME_ZU(NONE,zend_string_equal_val)(zend_string *s1, zend_string *s2)
+#define VALGRIND_REPLACEMENT_STRING_EQUAL_VAL_MEMCMP_WRAPPER I_REPLACE_SONAME_FNNAME_ZU(NONE,zend_string_equal_val_memcmp_wrapper)
+#define VALGRIND_REPLACEMENT_STRING_EQUAL_VAL I_REPLACE_SONAME_FNNAME_ZU(NONE,zend_string_equal_val)
+#define STR1(X) #X
+#define STR(X) STR1(X)
+
+bool VALGRIND_REPLACEMENT_STRING_EQUAL_VAL_MEMCMP_WRAPPER(zend_string *s1, zend_string *s2)
 {
 	return !memcmp(ZSTR_VAL(s1), ZSTR_VAL(s2), ZSTR_LEN(s1));
 }
 
+#if defined(__GNUC__) && defined(__x86_64__) && !defined(__ILP32__) && (defined(__linux__) || defined(__MACH__) || defined(__sun) || defined(__FreeBSD__ ) || defined(__NetBSD__) || defined(__OpenBSD__))
+
+/* macOS needs an additional _ prefix to be able to call functions from asm */
+#ifdef __MACH__
+#define SYMBOL_FUNCTION_PREFIX _
+#else
+#define SYMBOL_FUNCTION_PREFIX
+#endif
+
+/*
+ * See https://github.com/php/php-src/issues/9068
+ * We need to preserve the scratch registers because we cannot know what
+ * the compiler assumes to be unchanged by the original
+ * zend_string_equal_val implementation.
+ * We can safely use push and pop because we're not in leaf function.
+ * We're using a function defined using inline assembly so that the compiler does not
+ * mess with our store and restore procedure.
+ */
+__asm__ (
+	".globl " STR(VALGRIND_REPLACEMENT_STRING_EQUAL_VAL) "\n\t"
+#ifndef __MACH__
+	".type " STR(VALGRIND_REPLACEMENT_STRING_EQUAL_VAL) ", @function\n\t"
+#endif
+	STR(VALGRIND_REPLACEMENT_STRING_EQUAL_VAL) ":\n\t"
+	"pushq %rdi\n\t"
+	"pushq %rsi\n\t"
+	"pushq %rdx\n\t"
+	"pushq %rcx\n\t"
+	"pushq %r8\n\t"
+	"pushq %r9\n\t"
+	"pushq %r10\n\t"
+	"pushq %r11\n\t"
+	"callq " STR(SYMBOL_FUNCTION_PREFIX) STR(VALGRIND_REPLACEMENT_STRING_EQUAL_VAL_MEMCMP_WRAPPER) "\n\t"
+	"popq %r11\n\t"
+	"popq %r10\n\t"
+	"popq %r9\n\t"
+	"popq %r8\n\t"
+	"popq %rcx\n\t"
+	"popq %rdx\n\t"
+	"popq %rsi\n\t"
+	"popq %rdi\n\t"
+	"ret\n\t"
+#ifndef __MACH__
+	".size " STR(VALGRIND_REPLACEMENT_STRING_EQUAL_VAL) ", .-" STR(VALGRIND_REPLACEMENT_STRING_EQUAL_VAL) "\n\t"
+#endif
+);
+#else
+ZEND_API bool ZEND_FASTCALL VALGRIND_REPLACEMENT_STRING_EQUAL_VAL(zend_string *s1, zend_string *s2)
+{
+	return VALGRIND_REPLACEMENT_STRING_EQUAL_VAL_MEMCMP_WRAPPER(s1, s2);
+}
+#endif
+
 #if defined(__GNUC__) && defined(__i386__)
 ZEND_API bool ZEND_FASTCALL zend_string_equal_val(zend_string *s1, zend_string *s2)
 {