
Commit 78da288

committed
Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3: Fix GH-17577: JIT packed type guard crash
2 parents 6d6380c + 0c3cf1f commit 78da288


3 files changed

+42
-6
lines changed


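--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,7 @@ PHP NEWS
 - Opcache:
 . Fixed bug GH-17654 (Multiple classes using same trait causes function
 JIT crash). (nielsdos)
+. Fixed bug GH-17577 (JIT packed type guard crash). (nielsdos, Dmitry)
 
 - PHPDBG:
 . Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer). (nielsdos)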

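--- a/ext/opcache/jit/zend_jit_trace.c
+++ b/ext/opcache/jit/zend_jit_trace.c
@@ -1848,7 +1848,8 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
 if (!(orig_op1_type & IS_TRACE_PACKED)) {
 zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];
 
-if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {
+if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)
+&& (info->type & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {
 info->type |= MAY_BE_PACKED_GUARD;
 info->type &= ~MAY_BE_ARRAY_PACKED;
 }
@@ -1857,7 +1858,8 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
 && val_type != IS_UNDEF) {
 zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];
 
-if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {
+if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)
+&& (info->type & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {
 info->type |= MAY_BE_PACKED_GUARD;
 info->type &= ~(MAY_BE_ARRAY_NUMERIC_HASH|MAY_BE_ARRAY_STRING_HASH);
 }
@@ -1941,7 +1943,8 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
 
 zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];
 
-if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {
+if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)
+&& (info->type & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {
 info->type |= MAY_BE_PACKED_GUARD;
 if (orig_op1_type & IS_TRACE_PACKED) {
 info->type &= ~(MAY_BE_ARRAY_NUMERIC_HASH|MAY_BE_ARRAY_STRING_HASH);
@@ -2043,7 +2046,8 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
 
 zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];
 
-if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {
+if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)
+&& (info->type & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {
 info->type |= MAY_BE_PACKED_GUARD;
 if (orig_op1_type & IS_TRACE_PACKED) {
 info->type &= ~(MAY_BE_ARRAY_NUMERIC_HASH|MAY_BE_ARRAY_STRING_HASH);
@@ -2073,7 +2077,8 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
 
 zend_ssa_var_info *info = &tssa->var_info[tssa->ops[idx].op1_use];
 
-if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)) {
+if (MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type)
+&& (info->type & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_ARRAY) {
 info->type |= MAY_BE_PACKED_GUARD;
 info->type &= ~MAY_BE_ARRAY_PACKED;
 }
@@ -4212,10 +4217,13 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 if ((info & MAY_BE_PACKED_GUARD) != 0
 && (trace_buffer->stop == ZEND_JIT_TRACE_STOP_LOOP
 || trace_buffer->stop == ZEND_JIT_TRACE_STOP_RECURSIVE_CALL
-|| trace_buffer->stop == ZEND_JIT_TRACE_STOP_RECURSIVE_RET)
+|| (trace_buffer->stop == ZEND_JIT_TRACE_STOP_RECURSIVE_RET
+&& EX_VAR_TO_NUM((opline-1)->result.var) == i))
 && (ssa->vars[i].use_chain != -1
 || (ssa->vars[i].phi_use_chain
 && !(ssa->var_info[ssa->vars[i].phi_use_chain->ssa_var].type & MAY_BE_PACKED_GUARD)))) {
+ZEND_ASSERT(STACK_TYPE(stack, i) == IS_ARRAY);
+
 if (!zend_jit_packed_guard(&ctx, opline, EX_NUM_TO_VAR(i), info)) {
 goto jit_failure;
 }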
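Review bot: The new three-clause condition `MAY_BE_PACKED(info->type) && MAY_BE_HASH(info->type) && (info->type & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_ARRAY` is now written out five times in zend_jit_trace_build_tssa (new lines 1851, 1861, 1946, 2049 and 2080) and none of the sites says why the exact-array test was added. Factoring it into one static helper with a comment keeps the five sites from drifting apart the next time the condition changes, and it documents the invariant that the new `ZEND_ASSERT(STACK_TYPE(stack, i) == IS_ARRAY);` at 4225 leans on — presumably that a packed guard must only be emitted for a value that can hold nothing but an array, which matches the int element mixed into the array in gh17577.phpt. That ZEND_ASSERT is compiled out in release builds, so the TSSA condition is the only thing enforcing the invariant there, which is one more reason to state it in a single place. Both zend_jit_trace_build_tssa and zend_jit_trace begin and end outside these hunks.

```c
/* A packed/hash guard may only be emitted for a value whose type mask admits
 * nothing but an array; if it may also be int/null/etc. the guard would be
 * applied to a non-array value (GH-17577). */
static zend_always_inline bool zend_jit_may_emit_packed_guard(uint32_t type)
{
	return MAY_BE_PACKED(type) && MAY_BE_HASH(type)
		&& (type & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_ARRAY;
}

/* … unchanged: zend_jit_trace_build_tssa up to the first guard site … */
if (zend_jit_may_emit_packed_guard(info->type)) {
	info->type |= MAY_BE_PACKED_GUARD;
	info->type &= ~MAY_BE_ARRAY_PACKED;
}
/* … same one-line replacement at the other four guard sites … */
```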

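--- /dev/null
+++ b/ext/opcache/tests/jit/gh17577.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-17577 (JIT packed type guard crash)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit_buffer_size=16M
+opcache.jit_hot_func=1
+--FILE--
+<?php
+$a = array(
+array(1,2,3),
+0,
+);
+function my_dump($var) {
+}
+foreach($a as $b) {
+for ($i = 0; $i < 3; $i++) {
+my_dump($b[$i]);
+}
+}
+?>
+--EXPECTF--
+Warning: Trying to access array offset on int in %s on line %d
+
+Warning: Trying to access array offset on int in %s on line %d
+
+Warning: Trying to access array offset on int in %s on line %d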
