Commit 78da288

committed

Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3: Fix GH-17577: JIT packed type guard crash

2 parents 6d6380c + 0c3cf1f commit 78da288Copy full SHA for 78da288

File tree

3 files changed

+42

-6

lines changed

NEWS
ext/opcache
- jit
  - zend_jit_trace.c
- tests/jit
  - gh17577.phpt

3 files changed

+42

-6

lines changed

`‎NEWS‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ PHP NEWS`
`18`	`18`	`- Opcache:`
`19`	`19`	`. Fixed bug GH-17654 (Multiple classes using same trait causes function`
`20`	`20`	`JIT crash). (nielsdos)`
	`21`	`+ . Fixed bug GH-17577 (JIT packed type guard crash). (nielsdos, Dmitry)`
`21`	`22`
`22`	`23`	`- PHPDBG:`
`23`	`24`	`. Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer). (nielsdos)`

`‎ext/opcache/jit/zend_jit_trace.c‎`

Lines changed: 14 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -1848,7 +1848,8 @@ static zend_ssa zend_jit_trace_build_tssa(zend_jit_trace_rec trace_buffer, uin`
`1848`	`1848`	`if (!(orig_op1_type & IS_TRACE_PACKED)) {`
`1849`	`1849`	`zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];`
`1850`	`1850`
`1851`		`- if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {`
	`1851`	`+ if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)`
	`1852`	`+ && (info->type & (MAY_BE_ANY\|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {`
`1852`	`1853`	`info->type \|= MAY_BE_PACKED_GUARD;`
`1853`	`1854`	`info->type &= ~MAY_BE_ARRAY_PACKED;`
`1854`	`1855`	`}`
`@@ -1857,7 +1858,8 @@ static zend_ssa zend_jit_trace_build_tssa(zend_jit_trace_rec trace_buffer, uin`
`1857`	`1858`	`&& val_type != IS_UNDEF) {`
`1858`	`1859`	`zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];`
`1859`	`1860`
`1860`		`- if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {`
	`1861`	`+ if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)`
	`1862`	`+ && (info->type & (MAY_BE_ANY\|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {`
`1861`	`1863`	`info->type \|= MAY_BE_PACKED_GUARD;`
`1862`	`1864`	`info->type &= ~(MAY_BE_ARRAY_NUMERIC_HASH\|MAY_BE_ARRAY_STRING_HASH);`
`1863`	`1865`	`}`
`@@ -1941,7 +1943,8 @@ static zend_ssa zend_jit_trace_build_tssa(zend_jit_trace_rec trace_buffer, uin`
`1941`	`1943`
`1942`	`1944`	`zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];`
`1943`	`1945`
`1944`		`- if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {`
	`1946`	`+ if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)`
	`1947`	`+ && (info->type & (MAY_BE_ANY\|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {`
`1945`	`1948`	`info->type \|= MAY_BE_PACKED_GUARD;`
`1946`	`1949`	`if (orig_op1_type & IS_TRACE_PACKED) {`
`1947`	`1950`	`info->type &= ~(MAY_BE_ARRAY_NUMERIC_HASH\|MAY_BE_ARRAY_STRING_HASH);`
`@@ -2043,7 +2046,8 @@ static zend_ssa zend_jit_trace_build_tssa(zend_jit_trace_rec trace_buffer, uin`
`2043`	`2046`
`2044`	`2047`	`zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];`
`2045`	`2048`
`2046`		`- if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {`
	`2049`	`+ if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)`
	`2050`	`+ && (info->type & (MAY_BE_ANY\|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {`
`2047`	`2051`	`info->type \|= MAY_BE_PACKED_GUARD;`
`2048`	`2052`	`if (orig_op1_type & IS_TRACE_PACKED) {`
`2049`	`2053`	`info->type &= ~(MAY_BE_ARRAY_NUMERIC_HASH\|MAY_BE_ARRAY_STRING_HASH);`
`@@ -2073,7 +2077,8 @@ static zend_ssa zend_jit_trace_build_tssa(zend_jit_trace_rec trace_buffer, uin`
`2073`	`2077`
`2074`	`2078`	`zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];`
`2075`	`2079`
`2076`		`- if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {`
	`2080`	`+ if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)`
	`2081`	`+ && (info->type & (MAY_BE_ANY\|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {`
`2077`	`2082`	`info->type \|= MAY_BE_PACKED_GUARD;`
`2078`	`2083`	`info->type &= ~MAY_BE_ARRAY_PACKED;`
`2079`	`2084`	`}`
`@@ -4212,10 +4217,13 @@ static const void zend_jit_trace(zend_jit_trace_rec trace_buffer, uint32_t par`
`4212`	`4217`	`if ((info & MAY_BE_PACKED_GUARD) != 0`
`4213`	`4218`	`&& (trace_buffer->stop == ZEND_JIT_TRACE_STOP_LOOP`
`4214`	`4219`	`\|\| trace_buffer->stop == ZEND_JIT_TRACE_STOP_RECURSIVE_CALL`
`4215`		`- \|\| trace_buffer->stop == ZEND_JIT_TRACE_STOP_RECURSIVE_RET)`
	`4220`	`+ \|\| (trace_buffer->stop == ZEND_JIT_TRACE_STOP_RECURSIVE_RET`
	`4221`	`+ && EX_VAR_TO_NUM((opline-1)->result.var) == i))`
`4216`	`4222`	`&& (ssa->vars[i].use_chain != -1`
`4217`	`4223`	`\|\| (ssa->vars[i].phi_use_chain`
`4218`	`4224`	`&& !(ssa->var_info[ssa->vars[i].phi_use_chain->ssa_var].type & MAY_BE_PACKED_GUARD)))) {`
	`4225`	`+ ZEND_ASSERT(STACK_TYPE(stack, i) == IS_ARRAY);`
	`4226`	`+`
`4219`	`4227`	`if (!zend_jit_packed_guard(&ctx, opline, EX_NUM_TO_VAR(i), info)) {`
`4220`	`4228`	`goto jit_failure;`
`4221`	`4229`	`}`

`‎ext/opcache/tests/jit/gh17577.phpt‎`

Lines changed: 27 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,27 @@`
	`1`	`+--TEST--`
	`2`	`+GH-17577 (JIT packed type guard crash)`
	`3`	`+--EXTENSIONS--`
	`4`	`+opcache`
	`5`	`+--INI--`
	`6`	`+opcache.jit_buffer_size=16M`
	`7`	`+opcache.jit_hot_func=1`
	`8`	`+--FILE--`
	`9`	`+<?php`
	`10`	`+$a = array(`
	`11`	`+ array(1,2,3),`
	`12`	`+ 0,`
	`13`	`+);`
	`14`	`+function my_dump($var) {`
	`15`	`+}`
	`16`	`+foreach($a as $b) {`
	`17`	`+ for ($i = 0; $i < 3; $i++) {`
	`18`	`+ my_dump($b[$i]);`
	`19`	`+ }`
	`20`	`+}`
	`21`	`+?>`
	`22`	`+--EXPECTF--`
	`23`	`+Warning: Trying to access array offset on int in %s on line %d`
	`24`	`+`
	`25`	`+Warning: Trying to access array offset on int in %s on line %d`
	`26`	`+`
	`27`	`+Warning: Trying to access array offset on int in %s on line %d`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 78da288

File tree

3 files changed

3 files changed

`‎NEWS‎`

`‎ext/opcache/jit/zend_jit_trace.c‎`

`‎ext/opcache/tests/jit/gh17577.phpt‎`

0 commit comments