Trcing JIT: remove unchecked type guards om ROPE_* instructions

Fixes oss-fuzz #46209
php · Apr 4, 2022 · 33704be · 33704be
1 parent 24bb178
commit 33704be
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
@@ -2062,7 +2062,9 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
 				case ZEND_ROPE_INIT:
 				case ZEND_ROPE_ADD:
 				case ZEND_ROPE_END:
-					ADD_OP2_TRACE_GUARD();
+					if (op2_type == IS_STRING) {
+						ADD_OP2_TRACE_GUARD();
+					}
 					break;
 				default:
 					break;

diff --git a/ext/opcache/tests/jit/rope_002.phpt b/ext/opcache/tests/jit/rope_002.phpt
@@ -0,0 +1,21 @@
+--TEST--
+JIT ROPE: 002 type guards are only checked for strings
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function foo() {
+	$a = 0;
+    for ($cnt = 0; $cnt < 6; $cnt++) {
+        $array[] = &$y;
+        $S["$array[$a] $y"] = $a += $y;
+     }
+}
+foo();
+?>
+DONE
+--EXPECT--
+DONE