From 19854371ed5a8202a868f3ef5fac7d8dcb7b9bf3 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Wed, 22 Sep 2021 00:43:56 +0300
Subject: [PATCH] Tracing JIT: Fixed bug in register allocator. Type of variable might need to be checked (using type guard) before loading to register.
---
 ext/opcache/jit/zend_jit_trace.c | 9 ++++++
 ext/opcache/tests/jit/reg_alloc_004.phpt | 40 ++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 ext/opcache/tests/jit/reg_alloc_004.phpt
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
index da26bd7903e..e99c9a841b6 100644
--- a/ext/opcache/jit/zend_jit_trace.c
+++ b/ext/opcache/jit/zend_jit_trace.c
@@ -3758,8 +3758,17 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 if (ival) {
 if (ival->flags & ZREG_LOAD) {
+ uint32_t info = ssa->var_info[phi->ssa_var].type;
 ZEND_ASSERT(ival->reg != ZREG_NONE);
+ if (info & MAY_BE_GUARD) {
+ if (!zend_jit_type_guard(&dasm_state, opline, phi->var, concrete_type(info))) {
+ goto jit_failure;
+ }
+ info &= ~MAY_BE_GUARD;
+ ssa->var_info[phi->ssa_var].type = info;
+ SET_STACK_TYPE(stack, i, concrete_type(info), 1);
+ }
 SET_STACK_REG_EX(stack, phi->var, ival->reg, ZREG_LOAD);
 if (!zend_jit_load_var(&dasm_state, ssa->var_info[phi->ssa_var].type, ssa->vars[phi->ssa_var].var, ival->reg)) {
 goto jit_failure;
diff --git a/ext/opcache/tests/jit/reg_alloc_004.phpt b/ext/opcache/tests/jit/reg_alloc_004.phpt
new file mode 100644
index 00000000000..e251a0cfe43
--- /dev/null
+++ b/ext/opcache/tests/jit/reg_alloc_004.phpt
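Review bot: `SET_STACK_TYPE(stack, i, concrete_type(info), 1)` in the new guard block of ext/opcache/jit/zend_jit_trace.c indexes the trace stack with `i`, while the neighbouring lines in the same hunk address the slot through `phi->var` (the `zend_jit_type_guard` call and `SET_STACK_REG_EX`). The enclosing loop starts outside the hunk, so I cannot see what `i` holds at this point; if it is not the phi's variable number, an unrelated slot is recorded as type-checked and the guarded slot keeps its stale type, and in JIT-emitted code a mis-tracked type of that kind can end in type confusion. I would write `SET_STACK_TYPE(stack, phi->var, concrete_type(info), 1);` and put a short comment above the block, `/* type is only assumed here: emit the guard before the register load */`. It is also worth confirming that `zend_jit_type_guard` expects a variable number rather than a frame offset, since `phi->var` is passed to it unconverted.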
@@ -0,0 +1,40 @@
+--TEST--
+Register Alloction 004: Check guard before register load
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+opcache.jit=tracing
+opcache.jit_hot_func=1
+--SKIPIF--
+
+--FILE--
+
+--EXPECTF--
+Warning: Undefined variable $d in %sreg_alloc_004.php on line 7
+
+Warning: Undefined variable $d in %sreg_alloc_004.php on line 7
+
+Warning: Undefined variable $d in %sreg_alloc_004.php on line 7
+
+Warning: Undefined variable $d in %sreg_alloc_004.php on line 7
+
+Fatal error: Uncaught Error: First array member is not a valid class name or object in %sreg_alloc_004.php:7
+Stack trace:
+#0 %sreg_alloc_004.php(7): createTree(0)
+#1 %sreg_alloc_004.php(7): createTree(1)
+#2 %sreg_alloc_004.php(7): createTree(2)
+#3 %sreg_alloc_004.php(9): createTree(3)
+#4 {main}
+ thrown in %sreg_alloc_004.php on line 7