Fix RC inference for INIT_METHOD_CALL

iluuu1994 · iluuu1994 · commit 348386c0e137 · 2024-12-14T19:21:50.000+01:00
diff --git a/Zend/Optimizer/zend_inference.c b/Zend/Optimizer/zend_inference.c
@@ -3926,6 +3926,16 @@ static zend_always_inline zend_result _zend_update_type_info(
 				}
 			}
 			break;
+		case ZEND_INIT_METHOD_CALL:
+			if (ssa_op->op1_def >= 0) {
+				tmp = t1;
+				if (tmp & (MAY_BE_RC1|MAY_BE_RCN)) {
+					tmp |= (MAY_BE_RC1|MAY_BE_RCN);
+				}
+				UPDATE_SSA_TYPE(tmp, ssa_op->op1_def);
+				COPY_SSA_OBJ_TYPE(ssa_op->op1_use, ssa_op->op1_def);
+			}
+			break;
 		case ZEND_CALLABLE_CONVERT:
 			UPDATE_SSA_TYPE(MAY_BE_OBJECT | MAY_BE_RC1 | MAY_BE_RCN, ssa_op->result_def);
 			UPDATE_SSA_OBJ_TYPE(zend_ce_closure, /* is_instanceof */ false, ssa_op->result_def);
diff --git a/Zend/Optimizer/zend_ssa.c b/Zend/Optimizer/zend_ssa.c
@@ -806,6 +806,11 @@ static zend_always_inline int _zend_ssa_rename_op(const zend_op_array *op_array,
 				goto add_op1_def;
 			}
 			break;
+		case ZEND_INIT_METHOD_CALL:
+			if ((build_flags & ZEND_SSA_RC_INFERENCE) && (opline->op1_type & (IS_CV|IS_VAR|IS_TMP_VAR))) {
+				goto add_op1_def;
+			}
+			break;
 		default:
 			break;
 	}
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
@@ -6539,14 +6539,20 @@ static int zend_jit_assign_to_variable(zend_jit_ctx   *jit,
 			}
 			counter = jit_GC_DELREF(jit, ref);
 
-			if_not_zero = ir_IF(counter);
-			ir_IF_FALSE(if_not_zero);
-			jit_ZVAL_DTOR(jit, ref, var_info, opline);
-			if (check_exception) {
-				zend_jit_check_exception(jit);
+			if (RC_MAY_BE_1(var_info) && RC_MAY_BE_N(var_info)) {
+				if_not_zero = ir_IF(counter);
+				ir_IF_FALSE(if_not_zero);
+			}
+			if (RC_MAY_BE_1(var_info)) {
+				jit_ZVAL_DTOR(jit, ref, var_info, opline);
+				if (check_exception) {
+					zend_jit_check_exception(jit);
+				}
+			}
+			if (RC_MAY_BE_1(var_info) && RC_MAY_BE_N(var_info)) {
+				ir_refs_add(end_inputs, ir_END());
+				ir_IF_TRUE(if_not_zero);
 			}
-			ir_refs_add(end_inputs, ir_END());
-			ir_IF_TRUE(if_not_zero);
 			if (RC_MAY_BE_N(var_info) && (var_info & (MAY_BE_ARRAY|MAY_BE_OBJECT)) != 0) {
 				ir_ref if_may_leak = jit_if_GC_MAY_NOT_LEAK(jit, ref);
 				ir_IF_FALSE(if_may_leak);
diff --git a/ext/opcache/tests/jit/gh17152_3.phpt b/ext/opcache/tests/jit/gh17152_3.phpt
@@ -0,0 +1,25 @@
+--TEST--
+GH-17151: Method calls may modify RC of ZEND_INIT_METHOD_CALL op1
+--FILE--
+<?php
+
+class C {
+    public static $prop;
+
+    public function storeThis() {
+        self::$prop = $this;
+    }
+}
+
+function test() {
+    $c = new C();
+    $c->storeThis();
+    $c = null;
+}
+
+test();
+
+?>
+===DONE===
+--EXPECT--
+===DONE===

Original file line number	Diff line number	Diff line change
`@@ -806,6 +806,11 @@ static zend_always_inline int _zend_ssa_rename_op(const zend_op_array *op_array,`
`806`	`806`	`goto add_op1_def;`
`807`	`807`	`}`
`808`	`808`	`break;`
	`809`	`+ case ZEND_INIT_METHOD_CALL:`
	`810`	`+ if ((build_flags & ZEND_SSA_RC_INFERENCE) && (opline->op1_type & (IS_CV\|IS_VAR\|IS_TMP_VAR))) {`
	`811`	`+ goto add_op1_def;`
	`812`	`+ }`
	`813`	`+ break;`
`809`	`814`	`default:`
`810`	`815`	`break;`
`811`	`816`	`}`