Tracing JIT: Fixed bug in register allocator.

Type of variable might need to be checked (using type guard) before loading to register.
php · Sep 21, 2021 · 1985437 · 1985437
1 parent 6144524
commit 1985437
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 0 deletions.
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
@@ -3758,8 +3758,17 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 
 				if (ival) {
 					if (ival->flags & ZREG_LOAD) {
+						uint32_t info = ssa->var_info[phi->ssa_var].type;
 						ZEND_ASSERT(ival->reg != ZREG_NONE);
 
+						if (info & MAY_BE_GUARD) {
+							if (!zend_jit_type_guard(&dasm_state, opline, phi->var, concrete_type(info))) {
+								goto jit_failure;
+							}
+							info &= ~MAY_BE_GUARD;
+							ssa->var_info[phi->ssa_var].type = info;
+							SET_STACK_TYPE(stack, i, concrete_type(info), 1);
+						}
 						SET_STACK_REG_EX(stack, phi->var, ival->reg, ZREG_LOAD);
 						if (!zend_jit_load_var(&dasm_state, ssa->var_info[phi->ssa_var].type, ssa->vars[phi->ssa_var].var, ival->reg)) {
 							goto jit_failure;

diff --git a/ext/opcache/tests/jit/reg_alloc_004.phpt b/ext/opcache/tests/jit/reg_alloc_004.phpt
@@ -0,0 +1,40 @@
+--TEST--
+Register Alloction 004: Check guard before register load
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+opcache.jit=tracing
+opcache.jit_hot_func=1
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+function createTree($depth) {
+    if (!$depth) {
+        return;
+    }
+    $depth--;
+    [createTree($d), createTree($depth)]();
+}
+createTree(4);
+?>
+--EXPECTF--
+Warning: Undefined variable $d in %sreg_alloc_004.php on line 7
+
+Warning: Undefined variable $d in %sreg_alloc_004.php on line 7
+
+Warning: Undefined variable $d in %sreg_alloc_004.php on line 7
+
+Warning: Undefined variable $d in %sreg_alloc_004.php on line 7
+
+Fatal error: Uncaught Error: First array member is not a valid class name or object in %sreg_alloc_004.php:7
+Stack trace:
+#0 %sreg_alloc_004.php(7): createTree(0)
+#1 %sreg_alloc_004.php(7): createTree(1)
+#2 %sreg_alloc_004.php(7): createTree(2)
+#3 %sreg_alloc_004.php(9): createTree(3)
+#4 {main}
+  thrown in %sreg_alloc_004.php on line 7