
Commit 73fd2da

committed
Make sure all cases of fetch_dim_w adjustment are handled
Use EMPTY_SWITCH_DEFAULT_CASE() to trigger an assertion in case we miss something. Add missing FE_RESET_RW case.
1 parent 1086198 commit 73fd2da


1 file changed

+60
-56
lines changed


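--- a/ext/opcache/Optimizer/zend_inference.c
+++ b/ext/opcache/Optimizer/zend_inference.c
@@ -3407,63 +3407,67 @@ static int zend_update_type_info(const zend_op_array *op_array,
 tmp |= t1 & (MAY_BE_RC1|MAY_BE_RCN);
 }
 }
-j = ssa_vars[ssa_ops[i].result_def].use_chain;
-while (j >= 0) {
-switch (op_array->opcodes[j].opcode) {
-case ZEND_FETCH_DIM_W:
-case ZEND_FETCH_DIM_RW:
-case ZEND_FETCH_DIM_FUNC_ARG:
-case ZEND_FETCH_LIST_W:
-case ZEND_ASSIGN_DIM:
-case ZEND_ASSIGN_DIM_OP:
-tmp |= MAY_BE_ARRAY | MAY_BE_ARRAY_OF_ARRAY;
-break;
-case ZEND_FETCH_OBJ_W:
-case ZEND_FETCH_OBJ_RW:
-case ZEND_FETCH_OBJ_FUNC_ARG:
-case ZEND_ASSIGN_OBJ:
-case ZEND_ASSIGN_OBJ_OP:
-case ZEND_ASSIGN_OBJ_REF:
-case ZEND_PRE_INC_OBJ:
-case ZEND_PRE_DEC_OBJ:
-case ZEND_POST_INC_OBJ:
-case ZEND_POST_DEC_OBJ:
-tmp |= MAY_BE_ARRAY_OF_OBJECT;
-break;
-case ZEND_SEND_VAR_EX:
-case ZEND_SEND_FUNC_ARG:
-case ZEND_SEND_VAR_NO_REF:
-case ZEND_SEND_VAR_NO_REF_EX:
-case ZEND_SEND_REF:
-case ZEND_ASSIGN_REF:
-case ZEND_YIELD:
-case ZEND_INIT_ARRAY:
-case ZEND_ADD_ARRAY_ELEMENT:
-case ZEND_RETURN_BY_REF:
-case ZEND_VERIFY_RETURN_TYPE:
-case ZEND_MAKE_REF:
-tmp |= MAY_BE_ARRAY_OF_ANY | MAY_BE_ARRAY_OF_REF;
-break;
-case ZEND_PRE_INC:
-case ZEND_PRE_DEC:
-case ZEND_POST_INC:
-case ZEND_POST_DEC:
-if (tmp & MAY_BE_ARRAY_OF_LONG) {
-/* may overflow */
-tmp |= MAY_BE_ARRAY_OF_DOUBLE;
-} else if (!(tmp & (MAY_BE_ARRAY_OF_LONG|MAY_BE_ARRAY_OF_DOUBLE))) {
-tmp |= MAY_BE_ARRAY_OF_LONG | MAY_BE_ARRAY_OF_DOUBLE;
-}
-break;
-case ZEND_UNSET_DIM:
-case ZEND_UNSET_OBJ:
-case ZEND_FETCH_DIM_UNSET:
-case ZEND_FETCH_OBJ_UNSET:
-break;
-default :
-break;
+if (opline->opcode == ZEND_FETCH_DIM_RW
+|| opline->opcode == ZEND_FETCH_DIM_W
+|| opline->opcode == ZEND_FETCH_DIM_FUNC_ARG
+|| opline->opcode == ZEND_FETCH_LIST_W) {
+j = ssa_vars[ssa_ops[i].result_def].use_chain;
+while (j >= 0) {
+switch (op_array->opcodes[j].opcode) {
+case ZEND_FETCH_DIM_W:
+case ZEND_FETCH_DIM_RW:
+case ZEND_FETCH_DIM_FUNC_ARG:
+case ZEND_FETCH_LIST_W:
+case ZEND_ASSIGN_DIM:
+case ZEND_ASSIGN_DIM_OP:
+tmp |= MAY_BE_ARRAY | MAY_BE_ARRAY_OF_ARRAY;
+break;
+case ZEND_FETCH_OBJ_W:
+case ZEND_FETCH_OBJ_RW:
+case ZEND_FETCH_OBJ_FUNC_ARG:
+case ZEND_ASSIGN_OBJ:
+case ZEND_ASSIGN_OBJ_OP:
+case ZEND_ASSIGN_OBJ_REF:
+case ZEND_PRE_INC_OBJ:
+case ZEND_PRE_DEC_OBJ:
+case ZEND_POST_INC_OBJ:
+case ZEND_POST_DEC_OBJ:
+tmp |= MAY_BE_ARRAY_OF_OBJECT;
+break;
+case ZEND_SEND_VAR_EX:
+case ZEND_SEND_FUNC_ARG:
+case ZEND_SEND_VAR_NO_REF:
+case ZEND_SEND_VAR_NO_REF_EX:
+case ZEND_SEND_REF:
+case ZEND_ASSIGN_REF:
+case ZEND_YIELD:
+case ZEND_INIT_ARRAY:
+case ZEND_ADD_ARRAY_ELEMENT:
+case ZEND_RETURN_BY_REF:
+case ZEND_VERIFY_RETURN_TYPE:
+case ZEND_MAKE_REF:
+case ZEND_FE_RESET_RW:
+tmp |= MAY_BE_ARRAY_OF_ANY | MAY_BE_ARRAY_OF_REF;
+break;
+case ZEND_PRE_INC:
+case ZEND_PRE_DEC:
+case ZEND_POST_INC:
+case ZEND_POST_DEC:
+if (tmp & MAY_BE_ARRAY_OF_LONG) {
+/* may overflow */
+tmp |= MAY_BE_ARRAY_OF_DOUBLE;
+} else if (!(tmp & (MAY_BE_ARRAY_OF_LONG|MAY_BE_ARRAY_OF_DOUBLE))) {
+tmp |= MAY_BE_ARRAY_OF_LONG | MAY_BE_ARRAY_OF_DOUBLE;
+}
+break;
+case ZEND_SEND_VAR:
+/* This can occur if a DIM_FETCH_FUNC_ARG with UNUSED op2 is left
+* behind, because it can't be converted to DIM_FETCH_R. */
+break;
+EMPTY_SWITCH_DEFAULT_CASE()
+}
+j = zend_ssa_next_use(ssa_ops, ssa_ops[i].result_def, j);
 }
-j = zend_ssa_next_use(ssa_ops, ssa_ops[i].result_def, j);
 }
 if ((tmp & MAY_BE_ARRAY) && (tmp & MAY_BE_ARRAY_KEY_ANY)) {
 UPDATE_SSA_TYPE(tmp, ssa_ops[i].op1_def);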
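Review bot: Any use-chain opcode not listed in the switch now falls into `EMPTY_SWITCH_DEFAULT_CASE()`, and the hunk also drops the explicit `ZEND_UNSET_DIM`, `ZEND_UNSET_OBJ`, `ZEND_FETCH_DIM_UNSET` and `ZEND_FETCH_OBJ_UNSET` arms without recording why they can no longer occur. That is presumably safe because of the new outer `if` on `opline->opcode`, but a comment above the switch would make the invariant checkable, for example `/* Only users of a FETCH_DIM_W/RW/FUNC_ARG/LIST_W result reach this switch; the UNSET variants consume FETCH_DIM_UNSET results. */` (inferred from the condition, please confirm). If the macro expands to an unreachable hint rather than a plain `break` in non-debug builds, as I believe it does in zend_portability.h, a missed consumer opcode there becomes undefined behaviour in the optimizer instead of a merely too-narrow type. It is therefore worth auditing the case list against every opcode that can take these results as an operand, and covering the `ZEND_SEND_VAR` and `ZEND_FE_RESET_RW` paths with a regression test. The enclosing function starts and ends outside the hunk.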
