Start new block after loop free

In the attached test case we ended up not updating a leftover MATCH jump in the unreachable_free block. There's different ways this can be addressed, but in this case we can just make sure that a new block is started after the loop free, which will allow it to be dropped as unreachable. We only need to retain the free itself for live-range reconstruction. Fixes oss-fuzz #39516.
php · Oct 4, 2021 · 493c91c · 493c91c
1 parent 724c4fb
commit 493c91c
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/Zend/Optimizer/zend_cfg.c b/Zend/Optimizer/zend_cfg.c
@@ -437,6 +437,9 @@ ZEND_API int zend_build_cfg(zend_arena **arena, const zend_op_array *op_array, u
 			case ZEND_FE_FREE:
 				if (zend_optimizer_is_loop_var_free(opline)) {
 					BB_START(i);
+					if (i + 1 < op_array->last) {
+						BB_START(i + 1);
+					}
 					flags |= ZEND_FUNC_FREE_LOOP_VAR;
 				}
 				break;

diff --git a/Zend/tests/match/045.phpt b/Zend/tests/match/045.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Corrupted CFG due to unreachable free with match
+--FILE--
+<?php
+function test() {
+    var_dump(match(x){});
+    match(y){
+        3, 4 => 5,
+    };
+}
+try {
+    test();
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Undefined constant "x"