JIT: Fix missing exception handling

Fixes oss-fuzz #45649
php · Mar 18, 2022 · 3d6a7e2 · 3d6a7e2
1 parent d0417eb
commit 3d6a7e2
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 1 deletion.
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
@@ -5843,7 +5843,16 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 			}
 
 			if (opline->opcode != ZEND_NOP && opline->opcode != ZEND_JMP) {
-				if (!zend_jit_trace_handler(&dasm_state, op_array, opline, zend_may_throw(opline, ssa_op, op_array, ssa), p + 1)) {
+				op1_info = OP1_INFO();
+				op2_info = OP2_INFO();
+				if (op1_info & MAY_BE_GUARD) {
+					op1_info = MAY_BE_RC1 | MAY_BE_RCN | MAY_BE_REF | MAY_BE_ANY  | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_ANY | MAY_BE_ARRAY_OF_REF;
+				}
+				if (op2_info & MAY_BE_GUARD) {
+					op2_info = MAY_BE_RC1 | MAY_BE_RCN | MAY_BE_REF | MAY_BE_ANY  | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_ANY | MAY_BE_ARRAY_OF_REF;
+				}
+				if (!zend_jit_trace_handler(&dasm_state, op_array, opline,
+						zend_may_throw_ex(opline, ssa_op, op_array, ssa, op1_info, op2_info), p + 1)) {
 					goto jit_failure;
 				}
 			}

diff --git a/ext/opcache/tests/jit/bw_not_002.phpt b/ext/opcache/tests/jit/bw_not_002.phpt
@@ -0,0 +1,24 @@
+--TEST--
+JIT BW_NOT: 002 Exception handling
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+--FILE--
+<?php
+function test() {
+	$j = 0;
+    for ($i = 0; $i < 10; $i++) {
+        $a = ~$j - $a = $j + $j = !$j = $j++;
+    }
+}
+test();
+?>
+--EXPECTF--
+Fatal error: Uncaught TypeError: Cannot perform bitwise not on bool in %sbw_not_002.php:5
+Stack trace:
+#0 %sbw_not_002.php(8): test()
+#1 {main}
+  thrown in %sbw_not_002.php on line 5