
Commit e7b31f5

committed
JIT: Fix incorrect code produced for BOOL_NOT and [double, undef] operand
Fixes oss-fuzz #41531
1 parent df434f0 commit e7b31f5


2 files changed

+32
-1
lines changed


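--- a/ext/opcache/jit/zend_jit_x86.dasc
+++ b/ext/opcache/jit/zend_jit_x86.dasc
@@ -8651,7 +8651,7 @@ static int zend_jit_bool_jmpznz(dasm_State **Dst, const zend_op *opline, uint32_
 }
 } else if (false_label != (uint32_t)-1) {
 | jmp =>false_label
-} else if (op1_info & MAY_BE_LONG) {
+} else if ((op1_info & MAY_BE_LONG) || (op1_info & MAY_BE_ANY) == MAY_BE_DOUBLE) {
 | jmp >9
 }
 }
@@ -8698,6 +8698,7 @@ static int zend_jit_bool_jmpznz(dasm_State **Dst, const zend_op *opline, uint32_
 }
 
 if ((op1_info & MAY_BE_ANY) == MAY_BE_DOUBLE) {
+|2:
 if (CAN_USE_AVX()) {
 | vxorps xmm0, xmm0, xmm0
 } else {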
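Review bot: The `|2:` label added at new line 8701 carries no comment saying which emitted jump lands on it, and that jump is not in either hunk, so inside the double block the label reads as unreferenced; a dasc comment such as `// 2: presumably the target of a jmp >2 emitted earlier in this function for the MAY_BE_DOUBLE-only operand -- confirm against the jump site` would tie the two sites together. Related, the type test `(op1_info & MAY_BE_ANY) == MAY_BE_DOUBLE` is now written twice, at 8654 (deciding to `jmp >9`) and at 8700 (deciding to emit the double compare); the two must stay in agreement, so computing it once into a local near the top of the function would make that dependency explicit. zend_jit_bool_jmpznz begins before the first hunk and continues past the second, so the jump site and the function head are outside this view.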
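--- /dev/null
+++ b/<new .phpt test file, path not shown on page>
@@ -0,0 +1,30 @@
+--TEST--
+JIT BOOL_NOT: 002 Incorrect function JIT for MAY_BE_DOUBLE|MAY_BE_UNDEF
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+--FILE--
+<?php
+function test() {
+$j = 2;
+for ($i = 0; $i < 10;
+$a = !$i + $c[0] = 0xfff0001/34028236692903846346336*6) {
+$a =!$a + $a &= 74444444 - 444 >> 4 - $j++;
+if ($j > 14) break;
+}
+}
+test();
+?>
+--EXPECTF--
+Warning: Undefined variable $a in %sbool_not_002.php on line 6
+
+Warning: Undefined variable $a in %sbool_not_002.php on line 6
+
+Fatal error: Uncaught ArithmeticError: Bit shift by negative number in %sbool_not_002.php:6
+Stack trace:
+#0 %sbool_not_002.php(10): test()
+#1 {main}
+thrown in %sbool_not_002.php on line 6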
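Review bot: The --FILE-- body is a raw fuzzer reduction and nothing in it says which expression produces the `MAY_BE_DOUBLE|MAY_BE_UNDEF` operand that the --TEST-- line names, so a later reader cannot tell which line must survive any simplification. Judging from the two "Undefined variable $a" warnings in --EXPECTF-- and the for-step assignment `$a = !$i + $c[0] = ...`, `$a` appears to be undefined on the first pass through line 6 and a float afterwards, which would make `!$a` on that line the BOOL_NOT under test; a PHP comment above that line, e.g. `// $a is undef on the first iteration and a float after the for-step, so !$a is the [double, undef] BOOL_NOT case`, would record the intent. The same comment should note that the shift-by-negative fatal and the line numbers in --EXPECTF-- depend on every line keeping its position.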
