From 25ad171f63b7ba8b8fd323e26466951f512a666f Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Tue, 2 May 2023 12:02:20 +0300
Subject: [PATCH] JIT: Fixed inaccurate range inference usage for UNDEF/NULL/FALSE

Fixes oss-fuzz #58459
---
 ext/opcache/jit/zend_jit_arm64.dasc | 2 +-
 ext/opcache/jit/zend_jit_x86.dasc | 2 +-
 ext/opcache/tests/jit/mod_007.phpt | 23 +++++++++++++++++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 ext/opcache/tests/jit/mod_007.phpt

diff --git a/ext/opcache/jit/zend_jit_arm64.dasc b/ext/opcache/jit/zend_jit_arm64.dasc
index a1f60030574..0621d7e76c4 100644
--- a/ext/opcache/jit/zend_jit_arm64.dasc
+++ b/ext/opcache/jit/zend_jit_arm64.dasc
@@ -4834,7 +4834,7 @@ static int zend_jit_long_math_helper(dasm_State **Dst,
 op2_reg = Z_REG(op2_addr);
 }
- if (!op2_range || (op2_range->min <= 0 && op2_range->max >= 0)) {
+ if ((op2_type & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE)) || !op2_range || (op2_range->min <= 0 && op2_range->max >= 0)) {
 | cbz Rx(op2_reg), >1
 |.cold_code
 |1:
diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
index 44e14d1f112..d47e346989d 100644
--- a/ext/opcache/jit/zend_jit_x86.dasc
+++ b/ext/opcache/jit/zend_jit_x86.dasc
@@ -5272,7 +5272,7 @@ static int zend_jit_long_math_helper(dasm_State **Dst,
 }
 }
 } else {
- if (!op2_range || (op2_range->min <= 0 && op2_range->max >= 0)) {
+ if ((op2_type & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE)) || !op2_range || (op2_range->min <= 0 && op2_range->max >= 0)) {
 if (Z_MODE(op2_addr) == IS_MEM_ZVAL) {
 | cmp aword [Ra(Z_REG(op2_addr))+Z_OFFSET(op2_addr)], 0
 } else if (Z_MODE(op2_addr) == IS_REG) {
diff --git a/ext/opcache/tests/jit/mod_007.phpt b/ext/opcache/tests/jit/mod_007.phpt
new file mode 100644
index 00000000000..c83bd0e5a05
--- /dev/null
+++ b/ext/opcache/tests/jit/mod_007.phpt
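Review bot: The widened guard in the arm64 hunk (and the identical one in the x86 hunk) leaves the reader to work out why a range result is being overridden, and that reasoning belongs in a comment beside the condition, e.g. `/* op2_range describes only the IS_LONG value; an operand that may still be UNDEF/NULL/FALSE reaches the division as 0 (see mod_007.phpt for NULL), so the runtime zero check must stay */`. The condition is now duplicated verbatim in both backends, which is how the two drifted out of sync with the range inference in the first place; a small `static inline` predicate in the backend-independent JIT header, something like `zend_jit_op2_may_be_zero(op2_type, op2_range)`, called from both .dasc files would keep the next adjustment to the "may be zero" set in one place. Whether `op2_type` here is the full may-be mask of op2 rather than a narrowed guard type is not visible in the hunk and is worth confirming, since the guard is only as good as that mask. zend_jit_long_math_helper begins and ends outside both hunks.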
@@ -0,0 +1,23 @@
+--TEST--
+JIT MOD: 007
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+--FILE--
+
+--EXPECTF--
+Fatal error: Uncaught DivisionByZeroError: Modulo by zero in %smod_007.php:4
+Stack trace:
+#0 %smod_007.php(7): test(NULL)
+#1 {main}
+ thrown in %smod_007.php on line 4
\ No newline at end of file