Skip to content

Commit 7f06a9d

Browse files
dstogovdstogov
committed
Fix incorrect trace type inference in a false loop
Fixes oss-fuzz #63846
1 parent 420aced commit 7f06a9d

File tree

2 files changed

+38
-2
lines changed

2 files changed

+38
-2
lines changed

ext/opcache/jit/zend_jit_trace.c

Lines changed: 18 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -787,6 +787,19 @@ static int zend_jit_trace_add_ret_phis(zend_jit_trace_rec *trace_buffer, uint32_
787787
return ssa_vars_count;
788788
}
789789

790+
static bool zend_jit_trace_is_false_loop(const zend_op_array *op_array, const zend_ssa *ssa, const zend_op **tssa_opcodes, zend_ssa *tssa)
791+
{
792+
uint32_t b;
793+
zend_basic_block *bb;
794+
795+
ZEND_ASSERT(tssa->cfg.blocks_count == 2);
796+
ZEND_ASSERT(tssa->cfg.blocks[1].len > 0);
797+
798+
b = ssa->cfg.map[tssa_opcodes[0] - op_array->opcodes];
799+
bb = ssa->cfg.blocks + ssa->cfg.map[tssa_opcodes[tssa->cfg.blocks[1].len - 1] - op_array->opcodes];
800+
return bb->loop_header != b;
801+
}
802+
790803
static int zend_jit_trace_copy_ssa_var_info(const zend_op_array *op_array, const zend_ssa *ssa, const zend_op **tssa_opcodes, zend_ssa *tssa, int ssa_var)
791804
{
792805
int var, use, def, src;
@@ -796,7 +809,8 @@ static int zend_jit_trace_copy_ssa_var_info(const zend_op_array *op_array, const
796809
uint32_t b = ssa->cfg.map[tssa_opcodes[0] - op_array->opcodes];
797810
zend_basic_block *bb = ssa->cfg.blocks + b;
798811

799-
if (bb->flags & ZEND_BB_LOOP_HEADER) {
812+
if ((bb->flags & ZEND_BB_LOOP_HEADER)
813+
&& !zend_jit_trace_is_false_loop(op_array, ssa, tssa_opcodes, tssa)) {
800814
zend_ssa_phi *phi = ssa->blocks[b].phis;
801815
zend_ssa_phi *pi = NULL;
802816

@@ -1391,7 +1405,8 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
13911405
tssa->cfg.blocks[0].successors = tssa->cfg.blocks[0].successors_storage;
13921406
tssa->cfg.blocks[0].successors[0] = 1;
13931407

1394-
tssa->cfg.blocks[0].flags = ZEND_BB_FOLLOW|ZEND_BB_TARGET|ZEND_BB_LOOP_HEADER|ZEND_BB_REACHABLE;
1408+
tssa->cfg.blocks[1].flags = ZEND_BB_FOLLOW|ZEND_BB_TARGET|ZEND_BB_LOOP_HEADER|ZEND_BB_REACHABLE;
1409+
tssa->cfg.blocks[1].len = ssa_ops_count;
13951410
tssa->cfg.blocks[1].successors_count = 1;
13961411
tssa->cfg.blocks[1].predecessors_count = 2;
13971412
tssa->cfg.blocks[1].successors = tssa->cfg.blocks[1].successors_storage;
@@ -1401,6 +1416,7 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
14011416
tssa->cfg.edges_count = 0;
14021417

14031418
tssa->cfg.blocks[0].flags = ZEND_BB_START|ZEND_BB_EXIT|ZEND_BB_REACHABLE;
1419+
tssa->cfg.blocks[0].len = ssa_ops_count;
14041420
tssa->cfg.blocks[0].successors_count = 0;
14051421
tssa->cfg.blocks[0].predecessors_count = 0;
14061422
}

ext/opcache/tests/jit/loop_004.phpt

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,20 @@
1+
--TEST--
2+
JIT LOOP: 004 Incorrect trace type inference in a false loop
3+
--INI--
4+
opcache.enable=1
5+
opcache.enable_cli=1
6+
opcache.jit_buffer_size=32M
7+
--FILE--
8+
<?php
9+
function foo() {
10+
for($i = 0; $i < 6; $i++) {
11+
$a ?: $y;
12+
$a = 3;
13+
for(;$y;) $a = $a;
14+
}
15+
}
16+
@foo();
17+
?>
18+
DONE
19+
--EXPECT--
20+
DONE

0 commit comments

Comments
 (0)