JIT: Fix missing register store

This fixes oss-fuzz #48023
2026-03-24 00:02:20 +01:00 · 2022-06-14 13:57:44 +03:00
parent 0b8e471b3c
commit 1cd8074743
2 changed files with 32 additions and 0 deletions
--- a/ext/opcache/jit/zend_jit_x86.dasc
+++ b/ext/opcache/jit/zend_jit_x86.dasc
@@ -3967,6 +3967,16 @@ static int zend_jit_update_regs(dasm_State **Dst, uint32_t var, zend_jit_addr sr
 		} else {
 			ZEND_UNREACHABLE();
 		}
+	} else if (Z_MODE(dst) == IS_REG && Z_STORE(dst)) {
+		dst = ZEND_ADDR_MEM_ZVAL(ZREG_FP, var);
+		if (!zend_jit_spill_store(Dst, src, dst, info,
+				JIT_G(trigger) != ZEND_JIT_ON_HOT_TRACE ||
+				JIT_G(current_frame) == NULL ||
+				STACK_MEM_TYPE(JIT_G(current_frame)->stack, EX_VAR_TO_NUM(var)) == IS_UNKNOWN ||
+				(1 << STACK_MEM_TYPE(JIT_G(current_frame)->stack, EX_VAR_TO_NUM(var))) != (info & MAY_BE_ANY)
+		)) {
+			return 0;
+		}
 	}
 	return 1;
 }
--- a/ext/opcache/tests/jit/reg_alloc_015.phpt
+++ b/ext/opcache/tests/jit/reg_alloc_015.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Register Alloction 015: Missing store
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function foo() {
+    for ($i=0, $y = $a + $y = $a = $y %= !$y; $i < 5; $a = $y < $y = $a, $i++) {
+        4 >> -$y;
+    }
+}
+foo()
+?>
+DONE
+--EXPECTF--
+Warning: Undefined variable $y in %sreg_alloc_015.php on line 3
+
+Warning: Undefined variable $y in %sreg_alloc_015.php on line 3
+DONE