JIT: Fix incorrect code produced for BOOL_NOT and [double, undef] ope…

…rand Fixes oss-fuzz #41531
php · Nov 30, 2021 · e7b31f5 · e7b31f5
1 parent df434f0
commit e7b31f5
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 1 deletion.
diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
@@ -8651,7 +8651,7 @@ static int zend_jit_bool_jmpznz(dasm_State **Dst, const zend_op *opline, uint32_
 					}
 				} else if (false_label != (uint32_t)-1) {
 					|	jmp =>false_label
-				} else if (op1_info & MAY_BE_LONG) {
+				} else if ((op1_info & MAY_BE_LONG) || (op1_info & MAY_BE_ANY) == MAY_BE_DOUBLE) {
 					|	jmp >9
 				}
 			}
@@ -8698,6 +8698,7 @@ static int zend_jit_bool_jmpznz(dasm_State **Dst, const zend_op *opline, uint32_
 	}
 
 	if ((op1_info & MAY_BE_ANY) == MAY_BE_DOUBLE) {
+		|2:
 		if (CAN_USE_AVX()) {
 			|	vxorps xmm0, xmm0, xmm0
 		} else {

diff --git a/ext/opcache/tests/jit/bool_not_002.phpt b/ext/opcache/tests/jit/bool_not_002.phpt
@@ -0,0 +1,30 @@
+--TEST--
+JIT BOOL_NOT: 002 Incorrect function JIT for MAY_BE_DOUBLE|MAY_BE_UNDEF
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+--FILE--
+<?php
+function test() {
+	$j = 2;
+    for ($i = 0; $i < 10;
+    	$a = !$i + $c[0] = 0xfff0001/34028236692903846346336*6) {
+	    $a =!$a + $a &= 74444444 - 444 >> 4 - $j++;
+        if ($j > 14) break;
+    }
+}
+test();
+?>
+--EXPECTF--
+Warning: Undefined variable $a in %sbool_not_002.php on line 6
+
+Warning: Undefined variable $a in %sbool_not_002.php on line 6
+
+Fatal error: Uncaught ArithmeticError: Bit shift by negative number in %sbool_not_002.php:6
+Stack trace:
+#0 %sbool_not_002.php(10): test()
+#1 {main}
+  thrown in %sbool_not_002.php on line 6