Fix borked FETCH_W+ZEND_FETCH_GLOBAL_LOCK optimization (GH-21121)

Fixes OSS-Fuzz #481014628 Introduced in GH-20628 Co-authored-by: Arnaud Le Blanc <365207+arnaud-lb@users.noreply.github.com>
2026-03-24 16:22:37 +01:00 · 2026-02-09 13:22:35 +01:00
parent e1b2f1f5cb
commit fcff846a73
2 changed files with 30 additions and 1 deletions
--- a/Zend/Optimizer/block_pass.c
+++ b/Zend/Optimizer/block_pass.c
@@ -176,7 +176,9 @@ static void zend_optimize_block(zend_basic_block *block, zend_op_array *op_array
 					 && zend_optimizer_update_op1_const(op_array, opline, &c)) {
 						VAR_SOURCE(op1) = NULL;
 						if (opline->opcode != ZEND_JMP_NULL
-						 && !zend_bitset_in(used_ext, VAR_NUM(src->result.var))) {
+						 && !zend_bitset_in(used_ext, VAR_NUM(src->result.var))
+						 /* FETCH_W with ZEND_FETCH_GLOBAL_LOCK does not free op1, which will be used again. */
+						 && !(opline->opcode == ZEND_FETCH_W && (opline->extended_value & ZEND_FETCH_GLOBAL_LOCK))) {
 							literal_dtor(&ZEND_OP1_LITERAL(src));
 							MAKE_NOP(src);
 						}
--- a/ext/opcache/tests/oss-fuzz-481014628.phpt
+++ b/ext/opcache/tests/oss-fuzz-481014628.phpt
@@ -0,0 +1,27 @@
+--TEST--
+OSS-Fuzz #481014628: Borked FETCH_W+ZEND_FETCH_GLOBAL_LOCK optimization
+--EXTENSIONS--
+opcache
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+--FILE--
+<?php
+
+function f() {
+    return 'foo';
+}
+
+function test() {
+    global ${f()};
+    var_dump($foo);
+}
+
+test();
+$foo = 42;
+test();
+
+?>
+--EXPECT--
+NULL
+int(42)