Mitigation for bug #81096

This issue is properly fixed by GH-7121 on master. For older branches, disable the use of range information in SCCP, to reduce impact of potentially incorrect ranges.
2026-03-24 00:02:20 +01:00 · 2021-06-10 10:52:53 +02:00
parent a1738d8bd1
commit 3f4bc94b00
2 changed files with 28 additions and 0 deletions
--- a/ext/opcache/Optimizer/sccp.c
+++ b/ext/opcache/Optimizer/sccp.c
@@ -2193,6 +2193,8 @@ static zval *value_from_type_and_range(sccp_ctx *ctx, int var_num, zval *tmp) {
 		return tmp;
 	}

+#if 0
+	/* Disabled due to bug #81096. */
 	if (!(info->type & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_LONG))
 			&& info->has_range
 			&& !info->range.overflow && !info->range.underflow
@@ -2200,6 +2202,7 @@ static zval *value_from_type_and_range(sccp_ctx *ctx, int var_num, zval *tmp) {
 		ZVAL_LONG(tmp, info->range.min);
 		return tmp;
 	}
+#endif

 	return NULL;
 }
--- a/ext/opcache/tests/ref_range_1.phpt
+++ b/ext/opcache/tests/ref_range_1.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Range info for references (1)
+--FILE--
+<?php
+
+function test() {
+    escape_x($x);
+    $x = 0;
+    modify_x();
+    return (int) $x;
+}
+
+function escape_x(&$x) {
+    $GLOBALS['x'] =& $x;
+}
+
+function modify_x() {
+    $GLOBALS['x']++;
+}
+
+var_dump(test());
+
+?>
+--EXPECT--
+int(1)