Fix GH-12481: PHP crash with JIT enabled

php · Jan 22, 2024 · f120ac9 · f120ac9
1 parent 242f892
commit f120ac9
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 4 deletions.
diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
@@ -4426,8 +4426,14 @@ static int zend_jit_math_long_long(dasm_State    **Dst,
 		} else {
 			zend_reg tmp_reg;
 
-			if (Z_MODE(res_addr) == IS_MEM_ZVAL && Z_REG(res_addr) == ZREG_R0) {
-				tmp_reg = ZREG_R1;
+			if (Z_MODE(res_addr) == IS_MEM_ZVAL) {
+				if (Z_REG(res_addr) != ZREG_R0 && result_reg != ZREG_R0) {
+					tmp_reg = ZREG_R0;
+				} else if (Z_REG(res_addr) != ZREG_R1 && result_reg != ZREG_R1) {
+					tmp_reg = ZREG_R1;
+				} else {
+					tmp_reg = ZREG_R2;
+				}
 			} else if (result_reg != ZREG_R0) {
 				tmp_reg = ZREG_R0;
 			} else {
@@ -5295,8 +5301,16 @@ static int zend_jit_long_math_helper(dasm_State    **Dst,
 	} else {
 		zend_reg tmp_reg;
 
-		if (Z_MODE(res_addr) == IS_MEM_ZVAL && Z_REG(res_addr) == ZREG_R0) {
-			tmp_reg = ZREG_R1;
+		if (Z_MODE(res_addr) == IS_MEM_ZVAL) {
+			if (Z_REG(res_addr) != ZREG_R0 && result_reg != ZREG_R0) {
+				tmp_reg = ZREG_R0;
+			} else if (Z_REG(res_addr) != ZREG_R1 && result_reg != ZREG_R1) {
+				tmp_reg = ZREG_R1;
+			} else {
+				tmp_reg = ZREG_R2;
+			}
+		} else if (Z_MODE(res_addr) == IS_MEM_ZVAL && Z_REG(res_addr) == ZREG_R1) {
+			tmp_reg = ZREG_R0;
 		} else if (result_reg != ZREG_R0) {
 			tmp_reg = ZREG_R0;
 		} else {

diff --git a/ext/opcache/tests/jit/gh12481.phpt b/ext/opcache/tests/jit/gh12481.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-12481: PHP crash on Windows 64-bit with JIT enabled
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+--FILE--
+<?php
+function foo(&$var) {
+    $var &= 0xFFFFFFFF;
+    return intval($var);
+}
+$v = 0x7FFFFFFF1;
+for ($i = 0; $i < 10; $i++) {
+    foo($v);
+}
+?>
+DONE
+--EXPECTF--
+DONE