Fixed incorrect dead edge elimination during IR construction

Fixes oss-fuzz #63931
2026-03-24 00:02:20 +01:00 · 2023-11-07 11:41:23 +03:00
parent fa59bbe662
commit a30d809290
2 changed files with 23 additions and 1 deletions
--- a/ext/opcache/jit/zend_jit_ir.c
+++ b/ext/opcache/jit/zend_jit_ir.c
@@ -3540,11 +3540,14 @@ static void _zend_jit_fix_merges(zend_jit_ctx *jit)
 							phi->op = IR_COPY;
 							phi->op1 = phi->op2;
 							phi->op2 = 1;
+							phi->inputs_count = 0;
+						} else {
+							phi->inputs_count = k + 1;
 						}
 						n2 = 1 + ((n + 1) >> 2);
 						k2 = 1 + ((k + 1) >> 2);
 						while (k2 != n2) {
-							(insn+k2)->optx = IR_NOP;
+							(phi+k2)->optx = IR_NOP;
 							k2++;
 						}
 						phi += 1 + ((n + 1) >> 2);
--- a/ext/opcache/tests/jit/loop_003.phpt
+++ b/ext/opcache/tests/jit/loop_003.phpt
@@ -0,0 +1,19 @@
+--TEST--
+JIT LOOP: 003 Incorrect dead IR edge elimination
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.jit_buffer_size=32M
+--FILE--
+<?php
+function () {
+    $a = 0;
+    while (y) {
+        $a &= $y & $y;
+        if (y) die &("");
+     }
+};
+?>
+DONE
+--EXPECT--
+DONE