JIT: Fix named arguments handling

Fixes oss-fuzz #41486
php · Nov 29, 2021 · d955415 · d955415
1 parent 8f4cfe0
commit d955415
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/ext/opcache/jit/zend_jit.c b/ext/opcache/jit/zend_jit.c
@@ -2392,6 +2392,7 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 						 && (i + 1) <= end
 						 && (opline+1)->opcode == ZEND_SEND_VAL
 						 && (opline+1)->op1_type == IS_TMP_VAR
+						 && (opline+1)->op2_type != IS_CONST
 						 && (opline+1)->op1.var == opline->result.var) {
 							i++;
 							res_use_info = -1;
@@ -2446,6 +2447,7 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 						 && (i + 1) <= end
 						 && (opline+1)->opcode == ZEND_SEND_VAL
 						 && (opline+1)->op1_type == IS_TMP_VAR
+						 && (opline+1)->op2_type != IS_CONST
 						 && (opline+1)->op1.var == opline->result.var) {
 							i++;
 							res_use_info = -1;
@@ -2504,6 +2506,7 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 						 && (i + 1) <= end
 						 && (opline+1)->opcode == ZEND_SEND_VAL
 						 && (opline+1)->op1_type == IS_TMP_VAR
+						 && (opline+1)->op2_type != IS_CONST
 						 && (opline+1)->op1.var == opline->result.var) {
 							i++;
 							res_addr = ZEND_ADDR_MEM_ZVAL(ZREG_RX, (opline+1)->result.var);
@@ -2727,6 +2730,7 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 							 && (i + 1) <= end
 							 && (opline+1)->opcode == ZEND_SEND_VAL
 							 && (opline+1)->op1_type == IS_TMP_VAR
+							 && (opline+1)->op2_type != IS_CONST
 							 && (opline+1)->op1.var == opline->result.var
 							 && (!(op1_info & MAY_HAVE_DTOR) || !(op1_info & MAY_BE_RC1))) {
 								i++;

diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
@@ -15520,10 +15520,11 @@ static zend_bool zend_jit_opline_supports_reg(const zend_op_array *op_array, zen
 	uint32_t op1_info, op2_info;
 
 	switch (opline->opcode) {
-		case ZEND_QM_ASSIGN:
 		case ZEND_SEND_VAR:
 		case ZEND_SEND_VAL:
 		case ZEND_SEND_VAL_EX:
+			return (opline->op2_type != IS_CONST);
+		case ZEND_QM_ASSIGN:
 		case ZEND_IS_SMALLER:
 		case ZEND_IS_SMALLER_OR_EQUAL:
 		case ZEND_IS_EQUAL:
@@ -15717,6 +15718,9 @@ static zend_regset zend_jit_get_scratch_regset(const zend_op *opline, const zend
 			/* break missing intentionally */
 		case ZEND_SEND_VAL:
 		case ZEND_SEND_VAL_EX:
+			if (opline->op2_type == IS_CONST) {
+				break;
+			}
 			if (ssa_op->op1_use == current_var) {
 				regset = ZEND_REGSET(ZREG_R0);
 				break;
@@ -15733,6 +15737,9 @@ static zend_regset zend_jit_get_scratch_regset(const zend_op *opline, const zend
 			}
 			break;
 		case ZEND_SEND_VAR:
+			if (opline->op2_type == IS_CONST) {
+				break;
+			}
 			if (ssa_op->op1_use == current_var ||
 			    ssa_op->op1_def == current_var) {
 				regset = ZEND_REGSET_EMPTY;