php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix incorrect trace type inference in a false loop

Browse Source 
Fixes oss-fuzz #63846
This commit is contained in:
Dmitry Stogov
2023-11-08 11:19:52 +03:00
parent 11f46117d0
commit 01f24bb708
1 changed files with 24 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
ext/opcache/jit/zend_jit_trace.c
View File

@@ -787,6 +787,25 @@ static int zend_jit_trace_add_ret_phis(zend_jit_trace_rec *trace_buffer, uint32_
return ssa_vars_count;
}
static bool zend_jit_trace_is_false_loop(const zend_op_array *op_array, const zend_ssa *ssa, const zend_op **tssa_opcodes, zend_ssa *tssa)
{
const zend_op *opline;
uint32_t b;
zend_basic_block *bb;
ZEND_ASSERT(tssa->cfg.blocks_count == 2);
ZEND_ASSERT(tssa->cfg.blocks[1].len > 0);
b = ssa->cfg.map[tssa_opcodes[0] - op_array->opcodes];
opline = tssa_opcodes[tssa->cfg.blocks[1].len - 1];
if (opline >= op_array->opcodes && opline < op_array->opcodes + op_array->last) {
bb = ssa->cfg.blocks + ssa->cfg.map[opline - op_array->opcodes];
return bb->loop_header != b;
} else {
return 0;
}
}
static int zend_jit_trace_copy_ssa_var_info(const zend_op_array *op_array, const zend_ssa *ssa, const zend_op **tssa_opcodes, zend_ssa *tssa, int ssa_var)
{
int var, use, def, src;
@@ -796,7 +815,8 @@ static int zend_jit_trace_copy_ssa_var_info(const zend_op_array *op_array, const
uint32_t b = ssa->cfg.map[tssa_opcodes[0] - op_array->opcodes];
zend_basic_block *bb = ssa->cfg.blocks + b;
if (bb->flags & ZEND_BB_LOOP_HEADER) {
if ((bb->flags & ZEND_BB_LOOP_HEADER)
&& !zend_jit_trace_is_false_loop(op_array, ssa, tssa_opcodes, tssa)) {
zend_ssa_phi *phi = ssa->blocks[b].phis;
zend_ssa_phi *pi = NULL;
@@ -1391,7 +1411,8 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
tssa->cfg.blocks[0].successors = tssa->cfg.blocks[0].successors_storage;
tssa->cfg.blocks[0].successors[0] = 1;
tssa->cfg.blocks[0].flags = ZEND_BB_FOLLOW|ZEND_BB_TARGET|ZEND_BB_LOOP_HEADER|ZEND_BB_REACHABLE;
tssa->cfg.blocks[1].flags = ZEND_BB_FOLLOW|ZEND_BB_TARGET|ZEND_BB_LOOP_HEADER|ZEND_BB_REACHABLE;
tssa->cfg.blocks[1].len = ssa_ops_count;
tssa->cfg.blocks[1].successors_count = 1;
tssa->cfg.blocks[1].predecessors_count = 2;
tssa->cfg.blocks[1].successors = tssa->cfg.blocks[1].successors_storage;
@@ -1401,6 +1422,7 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
tssa->cfg.edges_count = 0;
tssa->cfg.blocks[0].flags = ZEND_BB_START|ZEND_BB_EXIT|ZEND_BB_REACHABLE;
tssa->cfg.blocks[0].len = ssa_ops_count;
tssa->cfg.blocks[0].successors_count = 0;
tssa->cfg.blocks[0].predecessors_count = 0;
}