
Commit c29f6ba

committed
JIT: Fix incorrect elimination of type store
Fixes oss-fuzz #41995
1 parent aa72802 commit c29f6ba

2 files changed

+35
-3
lines changed


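--- a/ext/opcache/jit/zend_jit.c
+++ b/ext/opcache/jit/zend_jit.c
@@ -2341,7 +2341,9 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 if (opline->result_type != IS_UNUSED) {
 res_use_info = -1;
 
-if (opline->result_type == IS_CV) {
+if (opline->result_type == IS_CV
+&& ssa_op->result_use >= 0
+&& !ssa->vars[ssa_op->result_use].no_val) {
 zend_jit_addr res_use_addr = RES_USE_REG_ADDR();
 
 if (Z_MODE(res_use_addr) != IS_REG
@@ -2403,7 +2405,9 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 } else {
 res_use_info = -1;
 
-if (opline->result_type == IS_CV) {
+if (opline->result_type == IS_CV
+&& ssa_op->result_use >= 0
+&& !ssa->vars[ssa_op->result_use].no_val) {
 zend_jit_addr res_use_addr = RES_USE_REG_ADDR();
 
 if (Z_MODE(res_use_addr) != IS_REG
@@ -2458,7 +2462,9 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 } else {
 res_use_info = -1;
 
-if (opline->result_type == IS_CV) {
+if (opline->result_type == IS_CV
+&& ssa_op->result_use >= 0
+&& !ssa->vars[ssa_op->result_use].no_val) {
 zend_jit_addr res_use_addr = RES_USE_REG_ADDR();
 
 if (Z_MODE(res_use_addr) != IS_REG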
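Review bot: The three-line guard `opline->result_type == IS_CV && ssa_op->result_use >= 0 && !ssa->vars[ssa_op->result_use].no_val` is now repeated verbatim in all three hunks (new lines 2344, 2408 and 2465) with nothing recording why the `no_val` test is needed, so a later edit to one copy will silently diverge from the other two. Since the commit message only points at the fuzzer report, a short comment at the first site would carry the reasoning, e.g. `/* only reuse the previous CV value's register/type info when that SSA value is real and actually used; otherwise the type store must be kept (oss-fuzz #41995) */`, or the predicate could move into one `static` inline helper called from all three places. The `>= 0` check before indexing `ssa->vars[]` is the right order, presumably because `result_use` is -1 when there is no previous value — worth confirming against the SSA construction code. The enclosing `zend_jit` function starts and ends outside these hunks.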

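--- a/ext/opcache/tests/jit/mul_008.phpt
+++ b/ext/opcache/tests/jit/mul_008.phpt
@@ -0,0 +1,26 @@
+--TEST--
+JIT MUL: 008 incorrect elimination of type store
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+--SKIPIF--
+<?php if (PHP_INT_SIZE != 8) die("skip: 64-bit only"); ?>
+--FILE--
+<?php
+function foo(int $a){
+$a=$a%10;
+$a=$f=$a*(6158978401740);
+$a=$f=$a*(261740);
+$a%0;
+}
+foo(3);
+?>
+--EXPECTF--
+Fatal error: Uncaught DivisionByZeroError: Modulo by zero in %smul_008.php:6
+Stack trace:
+#0 %smul_008.php(8): foo(%d)
+#1 {main}
+thrown in %smul_008.php on line 6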
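Review bot: `$f` is assigned on new lines 15 and 16 but never read, and the `$a%0` on line 17 discards its result; these read as fuzzer-reduction artefacts, and if the dead stores are what triggers the bad type-store elimination the test should say so, since a tidy-up that drops `$f=` would silently stop covering the regression. A one-line comment above `function foo`, such as `// reduced from oss-fuzz #41995; the unused $f assignments appear to be required to reproduce`, would protect the case. The `--SKIPIF--` 64-bit gate is consistent with the constants on lines 15–16 exceeding 32-bit range.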
