Merge branch 'PHP-8.1'

dstogov · dstogov · commit 8ed14f65ea15 · 2022-02-01T22:06:37.000+03:00
* PHP-8.1:
  JIT: Fix register alloction (missed store)
diff --git a/ext/opcache/jit/zend_jit_arm64.dasc b/ext/opcache/jit/zend_jit_arm64.dasc
@@ -3610,6 +3610,18 @@ static int zend_jit_update_regs(dasm_State **Dst, uint32_t var, zend_jit_addr sr
 				} else {
 					ZEND_UNREACHABLE();
 				}
+				if (!Z_LOAD(src) && !Z_STORE(src) && Z_STORE(dst)) {
+					zend_jit_addr var_addr = ZEND_ADDR_MEM_ZVAL(ZREG_FP, var);
+
+					if (!zend_jit_spill_store(Dst, dst, var_addr, info,
+							JIT_G(trigger) != ZEND_JIT_ON_HOT_TRACE ||
+							JIT_G(current_frame) == NULL ||
+							STACK_MEM_TYPE(JIT_G(current_frame)->stack, EX_VAR_TO_NUM(var)) == IS_UNKNOWN ||
+							(1 << STACK_MEM_TYPE(JIT_G(current_frame)->stack, EX_VAR_TO_NUM(var))) != (info & MAY_BE_ANY)
+					)) {
+						return 0;
+					}
+				}
 			} else if (Z_MODE(dst) == IS_MEM_ZVAL) {
 				if (!Z_LOAD(src) && !Z_STORE(src)) {
 					if (!zend_jit_spill_store(Dst, src, dst, info,
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
@@ -4130,7 +4130,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 
 						ssa->var_info[i].type &= ~MAY_BE_GUARD;
 						op_type = concrete_type(ssa->var_info[i].type);
-						if (!zend_jit_type_guard(&dasm_state, opline, i, op_type)) {
+						if (!zend_jit_type_guard(&dasm_state, opline, EX_NUM_TO_VAR(i), op_type)) {
 							goto jit_failure;
 						}
 						SET_STACK_TYPE(stack, i, op_type, 1);
@@ -4163,7 +4163,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 						ZEND_ASSERT(ival->reg != ZREG_NONE);
 
 						if (info & MAY_BE_GUARD) {
-							if (!zend_jit_type_guard(&dasm_state, opline, phi->var, concrete_type(info))) {
+							if (!zend_jit_type_guard(&dasm_state, opline, EX_NUM_TO_VAR(phi->var), concrete_type(info))) {
 								goto jit_failure;
 							}
 							info &= ~MAY_BE_GUARD;
@@ -6274,8 +6274,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 								 || opline->opcode == ZEND_COALESCE
 								 || opline->opcode == ZEND_JMP_NULL
 								 || opline->opcode == ZEND_FE_RESET_R) {
-									if (!ra[ssa_op->op1_use]
-									 || ra[ssa_op->op1_use]->reg != ra[ssa_op->op1_def]->reg) {
+									if (!ra[ssa_op->op1_use]) {
 										flags |= ZREG_LOAD;
 									}
 								}
diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
@@ -3950,6 +3950,18 @@ static int zend_jit_update_regs(dasm_State **Dst, uint32_t var, zend_jit_addr sr
 				} else {
 					ZEND_UNREACHABLE();
 				}
+				if (!Z_LOAD(src) && !Z_STORE(src) && Z_STORE(dst)) {
+					zend_jit_addr var_addr = ZEND_ADDR_MEM_ZVAL(ZREG_FP, var);
+
+					if (!zend_jit_spill_store(Dst, dst, var_addr, info,
+							JIT_G(trigger) != ZEND_JIT_ON_HOT_TRACE ||
+							JIT_G(current_frame) == NULL ||
+							STACK_MEM_TYPE(JIT_G(current_frame)->stack, EX_VAR_TO_NUM(var)) == IS_UNKNOWN ||
+							(1 << STACK_MEM_TYPE(JIT_G(current_frame)->stack, EX_VAR_TO_NUM(var))) != (info & MAY_BE_ANY)
+					)) {
+						return 0;
+					}
+				}
 			} else if (Z_MODE(dst) == IS_MEM_ZVAL) {
 				if (!Z_LOAD(src) && !Z_STORE(src)) {
 					if (!zend_jit_spill_store(Dst, src, dst, info,
diff --git a/ext/opcache/tests/jit/reg_alloc_007.phpt b/ext/opcache/tests/jit/reg_alloc_007.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Register Alloction 007: Missing store
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function test() {
+    for ($i = 0; $i < 100; $i++) {
+        $a = $a + $a = $a + !$a = $a;
+        $aZ = $a;
+        @$aZ %= $a;
+    }
+}
+test();
+?>
+--EXPECTF--
+Warning: Undefined variable $a in %sreg_alloc_007.php on line 4
+
+Fatal error: Uncaught DivisionByZeroError: Modulo by zero in %sreg_alloc_007.php:6
+Stack trace:
+#0 %sreg_alloc_007.php(9): test()
+#1 {main}
+  thrown in %sreg_alloc_007.php on line 6

Original file line number	Diff line number	Diff line change
`@@ -4130,7 +4130,7 @@ static const void zend_jit_trace(zend_jit_trace_rec trace_buffer, uint32_t par`
`4130`	`4130`
`4131`	`4131`	`ssa->var_info[i].type &= ~MAY_BE_GUARD;`
`4132`	`4132`	`op_type = concrete_type(ssa->var_info[i].type);`
`4133`		`- if (!zend_jit_type_guard(&dasm_state, opline, i, op_type)) {`
	`4133`	`+ if (!zend_jit_type_guard(&dasm_state, opline, EX_NUM_TO_VAR(i), op_type)) {`
`4134`	`4134`	`goto jit_failure;`
`4135`	`4135`	`}`
`4136`	`4136`	`SET_STACK_TYPE(stack, i, op_type, 1);`
`@@ -4163,7 +4163,7 @@ static const void zend_jit_trace(zend_jit_trace_rec trace_buffer, uint32_t par`
`4163`	`4163`	`ZEND_ASSERT(ival->reg != ZREG_NONE);`
`4164`	`4164`
`4165`	`4165`	`if (info & MAY_BE_GUARD) {`
`4166`		`- if (!zend_jit_type_guard(&dasm_state, opline, phi->var, concrete_type(info))) {`
	`4166`	`+ if (!zend_jit_type_guard(&dasm_state, opline, EX_NUM_TO_VAR(phi->var), concrete_type(info))) {`
`4167`	`4167`	`goto jit_failure;`
`4168`	`4168`	`}`
`4169`	`4169`	`info &= ~MAY_BE_GUARD;`
`@@ -6274,8 +6274,7 @@ static const void zend_jit_trace(zend_jit_trace_rec trace_buffer, uint32_t par`
`6274`	`6274`	`\|\| opline->opcode == ZEND_COALESCE`
`6275`	`6275`	`\|\| opline->opcode == ZEND_JMP_NULL`
`6276`	`6276`	`\|\| opline->opcode == ZEND_FE_RESET_R) {`
`6277`		`- if (!ra[ssa_op->op1_use]`
`6278`		`- \|\| ra[ssa_op->op1_use]->reg != ra[ssa_op->op1_def]->reg) {`
	`6277`	`+ if (!ra[ssa_op->op1_use]) {`
`6279`	`6278`	`flags \|= ZREG_LOAD;`
`6280`	`6279`	`}`
`6281`	`6280`	`}`