Commit 1879ec1

committed

Merge branch 'PHP-8.4'

* PHP-8.4: Fix GH-17577: JIT packed type guard crash

2 parents 9b7e086 + 78da288 commit 1879ec1Copy full SHA for 1879ec1

File tree

2 files changed

+41

-6

lines changed

ext/opcache
- jit
  - zend_jit_trace.c
- tests/jit
  - gh17577.phpt

2 files changed

+41

-6

lines changed

`‎ext/opcache/jit/zend_jit_trace.c‎`

Lines changed: 14 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -1872,7 +1872,8 @@ static zend_ssa zend_jit_trace_build_tssa(zend_jit_trace_rec trace_buffer, uin`
`1872`	`1872`	`if (!(orig_op1_type & IS_TRACE_PACKED)) {`
`1873`	`1873`	`zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];`
`1874`	`1874`
`1875`		`- if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {`
	`1875`	`+ if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)`
	`1876`	`+ && (info->type & (MAY_BE_ANY\|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {`
`1876`	`1877`	`info->type \|= MAY_BE_PACKED_GUARD;`
`1877`	`1878`	`info->type &= ~MAY_BE_ARRAY_PACKED;`
`1878`	`1879`	`}`
`@@ -1881,7 +1882,8 @@ static zend_ssa zend_jit_trace_build_tssa(zend_jit_trace_rec trace_buffer, uin`
`1881`	`1882`	`&& val_type != IS_UNDEF) {`
`1882`	`1883`	`zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];`
`1883`	`1884`
`1884`		`- if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {`
	`1885`	`+ if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)`
	`1886`	`+ && (info->type & (MAY_BE_ANY\|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {`
`1885`	`1887`	`info->type \|= MAY_BE_PACKED_GUARD;`
`1886`	`1888`	`info->type &= ~(MAY_BE_ARRAY_NUMERIC_HASH\|MAY_BE_ARRAY_STRING_HASH);`
`1887`	`1889`	`}`
`@@ -1965,7 +1967,8 @@ static zend_ssa zend_jit_trace_build_tssa(zend_jit_trace_rec trace_buffer, uin`
`1965`	`1967`
`1966`	`1968`	`zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];`
`1967`	`1969`
`1968`		`- if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {`
	`1970`	`+ if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)`
	`1971`	`+ && (info->type & (MAY_BE_ANY\|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {`
`1969`	`1972`	`info->type \|= MAY_BE_PACKED_GUARD;`
`1970`	`1973`	`if (orig_op1_type & IS_TRACE_PACKED) {`
`1971`	`1974`	`info->type &= ~(MAY_BE_ARRAY_NUMERIC_HASH\|MAY_BE_ARRAY_STRING_HASH);`
`@@ -2067,7 +2070,8 @@ static zend_ssa zend_jit_trace_build_tssa(zend_jit_trace_rec trace_buffer, uin`
`2067`	`2070`
`2068`	`2071`	`zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];`
`2069`	`2072`
`2070`		`- if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {`
	`2073`	`+ if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)`
	`2074`	`+ && (info->type & (MAY_BE_ANY\|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {`
`2071`	`2075`	`info->type \|= MAY_BE_PACKED_GUARD;`
`2072`	`2076`	`if (orig_op1_type & IS_TRACE_PACKED) {`
`2073`	`2077`	`info->type &= ~(MAY_BE_ARRAY_NUMERIC_HASH\|MAY_BE_ARRAY_STRING_HASH);`
`@@ -2097,7 +2101,8 @@ static zend_ssa zend_jit_trace_build_tssa(zend_jit_trace_rec trace_buffer, uin`
`2097`	`2101`
`2098`	`2102`	`zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];`
`2099`	`2103`
`2100`		`- if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {`
	`2104`	`+ if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)`
	`2105`	`+ && (info->type & (MAY_BE_ANY\|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {`
`2101`	`2106`	`info->type \|= MAY_BE_PACKED_GUARD;`
`2102`	`2107`	`info->type &= ~MAY_BE_ARRAY_PACKED;`
`2103`	`2108`	`}`
`@@ -4236,10 +4241,13 @@ static const void zend_jit_trace(zend_jit_trace_rec trace_buffer, uint32_t par`
`4236`	`4241`	`if ((info & MAY_BE_PACKED_GUARD) != 0`
`4237`	`4242`	`&& (trace_buffer->stop == ZEND_JIT_TRACE_STOP_LOOP`
`4238`	`4243`	`\|\| trace_buffer->stop == ZEND_JIT_TRACE_STOP_RECURSIVE_CALL`
`4239`		`- \|\| trace_buffer->stop == ZEND_JIT_TRACE_STOP_RECURSIVE_RET)`
	`4244`	`+ \|\| (trace_buffer->stop == ZEND_JIT_TRACE_STOP_RECURSIVE_RET`
	`4245`	`+ && EX_VAR_TO_NUM((opline-1)->result.var) == i))`
`4240`	`4246`	`&& (ssa->vars[i].use_chain != -1`
`4241`	`4247`	`\|\| (ssa->vars[i].phi_use_chain`
`4242`	`4248`	`&& !(ssa->var_info[ssa->vars[i].phi_use_chain->ssa_var].type & MAY_BE_PACKED_GUARD)))) {`
	`4249`	`+ ZEND_ASSERT(STACK_TYPE(stack, i) == IS_ARRAY);`
	`4250`	`+`
`4243`	`4251`	`if (!zend_jit_packed_guard(&ctx, opline, EX_NUM_TO_VAR(i), info)) {`
`4244`	`4252`	`goto jit_failure;`
`4245`	`4253`	`}`

`‎ext/opcache/tests/jit/gh17577.phpt‎`

Lines changed: 27 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,27 @@`
	`1`	`+--TEST--`
	`2`	`+GH-17577 (JIT packed type guard crash)`
	`3`	`+--EXTENSIONS--`
	`4`	`+opcache`
	`5`	`+--INI--`
	`6`	`+opcache.jit_buffer_size=16M`
	`7`	`+opcache.jit_hot_func=1`
	`8`	`+--FILE--`
	`9`	`+<?php`
	`10`	`+$a = array(`
	`11`	`+ array(1,2,3),`
	`12`	`+ 0,`
	`13`	`+);`
	`14`	`+function my_dump($var) {`
	`15`	`+}`
	`16`	`+foreach($a as $b) {`
	`17`	`+ for ($i = 0; $i < 3; $i++) {`
	`18`	`+ my_dump($b[$i]);`
	`19`	`+ }`
	`20`	`+}`
	`21`	`+?>`
	`22`	`+--EXPECTF--`
	`23`	`+Warning: Trying to access array offset on int in %s on line %d`
	`24`	`+`
	`25`	`+Warning: Trying to access array offset on int in %s on line %d`
	`26`	`+`
	`27`	`+Warning: Trying to access array offset on int in %s on line %d`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 1879ec1

File tree

2 files changed

2 files changed

`‎ext/opcache/jit/zend_jit_trace.c‎`

`‎ext/opcache/tests/jit/gh17577.phpt‎`

0 commit comments