Merge branch 'PHP-8.1'

* PHP-8.1: JIT: Fix exception handling when next array element is already occupied
2026-04-19 05:51:02 +02:00 · 2021-11-29 21:57:38 +03:00
parent c0d890e918 23c5a6fd16
commit 8cdead1568
4 changed files with 34 additions and 2 deletions
--- a/Zend/Optimizer/dce.c
+++ b/Zend/Optimizer/dce.c
@@ -519,6 +519,10 @@ static inline bool may_break_varargs(const zend_op_array *op_array, const zend_s
 	return 0;
 }

+static inline bool may_throw_dce_exception(const zend_op *opline) {
+	return opline->opcode == ZEND_ADD_ARRAY_ELEMENT && opline->op2_type == IS_UNUSED;
+}
+
 int dce_optimize_op_array(zend_op_array *op_array, zend_ssa *ssa, bool reorder_dtor_effects) {
 	int i;
 	zend_ssa_phi *phi;
@@ -585,7 +589,8 @@ int dce_optimize_op_array(zend_op_array *op_array, zend_ssa *ssa, bool reorder_d
 					add_operands_to_worklists(&ctx, &op_array->opcodes[op_data], &ssa->ops[op_data], ssa, 0);
 				}
 			} else if (may_have_side_effects(op_array, ssa, &op_array->opcodes[i], &ssa->ops[i], ctx.reorder_dtor_effects)
-					|| zend_may_throw(&op_array->opcodes[i], &ssa->ops[i], op_array, ssa)
+					|| (zend_may_throw(&op_array->opcodes[i], &ssa->ops[i], op_array, ssa)
+						&& !may_throw_dce_exception(&op_array->opcodes[i]))
 					|| (has_varargs && may_break_varargs(op_array, ssa, &ssa->ops[i]))) {
 				if (op_array->opcodes[i].opcode == ZEND_NEW
 						&& op_array->opcodes[i+1].opcode == ZEND_DO_FCALL
--- a/Zend/Optimizer/sccp.c
+++ b/Zend/Optimizer/sccp.c
@@ -2279,6 +2279,12 @@ static int try_remove_definition(sccp_ctx *ctx, int var_num, zend_ssa_var *var,
 							return 0;
 						}
 						break;
+					case ZEND_INIT_ARRAY:
+					case ZEND_ADD_ARRAY_ELEMENT:
+						if (opline->op2_type == IS_UNUSED) {
+							return 0;
+						}
+						/* break missing intentionally */
 					default:
 						if (zend_may_throw(opline, ssa_op, op_array, ssa)) {
 							return 0;
--- a/Zend/Optimizer/zend_inference.c
+++ b/Zend/Optimizer/zend_inference.c
@@ -4862,8 +4862,9 @@ ZEND_API bool zend_may_throw_ex(const zend_op *opline, const zend_ssa_op *ssa_op
 		case ZEND_ROPE_END:
 			return t2 & (MAY_BE_ARRAY|MAY_BE_OBJECT);
 		case ZEND_INIT_ARRAY:
-		case ZEND_ADD_ARRAY_ELEMENT:
 			return (opline->op2_type != IS_UNUSED) && (t2 & (MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE));
+		case ZEND_ADD_ARRAY_ELEMENT:
+			return (opline->op2_type == IS_UNUSED) || (t2 & (MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE));
 		case ZEND_STRLEN:
 			return (t1 & MAY_BE_ANY) != MAY_BE_STRING;
 		case ZEND_COUNT:
--- a/ext/opcache/tests/jit/array_elem_002.phpt
+++ b/ext/opcache/tests/jit/array_elem_002.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Occupied next element
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+$float = 100000000000000000000000000000000000000;
+$string_float= PHP_INT_MAX;
+$a = [$float => 'a', $string_float => 'b', 'c', 'd'];
+?>
+--EXPECTF--
+Deprecated: Implicit conversion from float 1.0E+38 to int loses precision in %sarray_elem_002.php on line 4
+
+Fatal error: Uncaught Error: Cannot add element to the array as the next element is already occupied in %sarray_elem_002.php:4
+Stack trace:
+#0 {main}
+  thrown in %sarray_elem_002.php on line 4