Fix incorrect comparison in block optimization pass

nielsdos · devnexen · commit dfe9c2af19a0 · 2023-01-16T20:41:33.000Z
We're in the case of ZEND_JMPZ_EX or ZEND_JMPNZ_EX. The opcode gets overwritten and only after the overwriting gets checked if we're in a JMPZ or JMPNZ case. This results in a wrong optimization. Close GH-10329
diff --git a/NEWS b/NEWS
@@ -9,6 +9,7 @@ PHP                                                                        NEWS
   . Fixed bug GH-10072 (PHP crashes when execute_ex is overridden and a __call
     trampoline is used from internal code). (Derick)
   . Fix GH-10251 (Assertion `(flag & (1<<3)) == 0' failed). (nielsdos)
+  . Fix wrong comparison in block optimisation pass after opcode update. (nieldsdos)
 
 - Date:
   . Fixed bug GH-9891 (DateTime modify with unixtimestamp (@) must work like
diff --git a/Zend/Optimizer/block_pass.c b/Zend/Optimizer/block_pass.c
@@ -671,13 +671,13 @@ static void zend_optimize_block(zend_basic_block *block, zend_op_array *op_array
 			case ZEND_JMPNZ_EX:
 				while (1) {
 					if (opline->op1_type == IS_CONST) {
-						if (zend_is_true(&ZEND_OP1_LITERAL(opline)) ==
-						    (opline->opcode == ZEND_JMPZ_EX)) {
+						bool is_jmpz_ex = opline->opcode == ZEND_JMPZ_EX;
+						if (zend_is_true(&ZEND_OP1_LITERAL(opline)) == is_jmpz_ex) {
 
 							++(*opt_count);
 							opline->opcode = ZEND_QM_ASSIGN;
 							zval_ptr_dtor_nogc(&ZEND_OP1_LITERAL(opline));
-							ZVAL_BOOL(&ZEND_OP1_LITERAL(opline), opline->opcode == ZEND_JMPZ_EX);
+							ZVAL_BOOL(&ZEND_OP1_LITERAL(opline), is_jmpz_ex);
 							opline->op2.num = 0;
 							block->successors_count = 1;
 							block->successors[0] = block->successors[1];
