Fix incorrect constant propagation for VERIFY_RETURN_TYPE

dstogov · dstogov · commit fa75bd078511 · 2022-06-20T11:30:07.000+03:00
This fixes oss-fuzz #48104
diff --git a/Zend/Optimizer/sccp.c b/Zend/Optimizer/sccp.c
@@ -1721,18 +1721,26 @@ static zval *value_from_type_and_range(sccp_ctx *ctx, int var_num, zval *tmp) {
 	}
 
 	if (!(info->type & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_NULL))) {
-		if (ssa->vars[var_num].definition >= 0 
+		if (ssa->vars[var_num].definition >= 0
 		 && ctx->scdf.op_array->opcodes[ssa->vars[var_num].definition].opcode == ZEND_VERIFY_RETURN_TYPE) {
 			return NULL;
 		}
 		ZVAL_NULL(tmp);
 		return tmp;
 	}
 	if (!(info->type & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_FALSE))) {
+		if (ssa->vars[var_num].definition >= 0
+		 && ctx->scdf.op_array->opcodes[ssa->vars[var_num].definition].opcode == ZEND_VERIFY_RETURN_TYPE) {
+			return NULL;
+		}
 		ZVAL_FALSE(tmp);
 		return tmp;
 	}
 	if (!(info->type & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_TRUE))) {
+		if (ssa->vars[var_num].definition >= 0
+		 && ctx->scdf.op_array->opcodes[ssa->vars[var_num].definition].opcode == ZEND_VERIFY_RETURN_TYPE) {
+			return NULL;
+		}
 		ZVAL_TRUE(tmp);
 		return tmp;
 	}
diff --git a/ext/opcache/tests/opt/sccp_041.phpt b/ext/opcache/tests/opt/sccp_041.phpt
@@ -0,0 +1,15 @@
+--TEST--
+SCCP 041: Incorrect constant propagation for VERIFY_RETURN_TYPE
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function():false {
+    return y;
+}
+?>
+DONE
+--EXPECT--
+DONE

Original file line number	Diff line number	Diff line change
`@@ -1721,18 +1721,26 @@ static zval value_from_type_and_range(sccp_ctx ctx, int var_num, zval *tmp) {`
`1721`	`1721`	`}`
`1722`	`1722`
`1723`	`1723`	`if (!(info->type & ((MAY_BE_ANY\|MAY_BE_UNDEF)-MAY_BE_NULL))) {`
`1724`		`- if (ssa->vars[var_num].definition >= 0`
	`1724`	`+ if (ssa->vars[var_num].definition >= 0`
`1725`	`1725`	`&& ctx->scdf.op_array->opcodes[ssa->vars[var_num].definition].opcode == ZEND_VERIFY_RETURN_TYPE) {`
`1726`	`1726`	`return NULL;`
`1727`	`1727`	`}`
`1728`	`1728`	`ZVAL_NULL(tmp);`
`1729`	`1729`	`return tmp;`
`1730`	`1730`	`}`
`1731`	`1731`	`if (!(info->type & ((MAY_BE_ANY\|MAY_BE_UNDEF)-MAY_BE_FALSE))) {`
	`1732`	`+ if (ssa->vars[var_num].definition >= 0`
	`1733`	`+ && ctx->scdf.op_array->opcodes[ssa->vars[var_num].definition].opcode == ZEND_VERIFY_RETURN_TYPE) {`
	`1734`	`+ return NULL;`
	`1735`	`+ }`
`1732`	`1736`	`ZVAL_FALSE(tmp);`
`1733`	`1737`	`return tmp;`
`1734`	`1738`	`}`
`1735`	`1739`	`if (!(info->type & ((MAY_BE_ANY\|MAY_BE_UNDEF)-MAY_BE_TRUE))) {`
	`1740`	`+ if (ssa->vars[var_num].definition >= 0`
	`1741`	`+ && ctx->scdf.op_array->opcodes[ssa->vars[var_num].definition].opcode == ZEND_VERIFY_RETURN_TYPE) {`
	`1742`	`+ return NULL;`
	`1743`	`+ }`
`1736`	`1744`	`ZVAL_TRUE(tmp);`
`1737`	`1745`	`return tmp;`
`1738`	`1746`	`}`