JIT: Fix missing type store

dstogov · dstogov · commit 4b884bedc8de · 2022-08-29T14:36:16.000+03:00
Fixes oss-fuzz #50653
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
@@ -6377,7 +6377,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 					}
 					SET_STACK_TYPE(stack, EX_VAR_TO_NUM(opline->op2.var), type,
 						(gen_handler || type == IS_UNKNOWN || !ra ||
-							(!ra[ssa_op->op2_def] && !ssa->vars[ssa_op->op2_def].no_val)));
+							(!ra[ssa_op->op2_def] /*&& !ssa->vars[ssa_op->op2_def].no_val*/)));
 					if (type != IS_UNKNOWN) {
 						ssa->var_info[ssa_op->op2_def].type &= ~MAY_BE_GUARD;
 						if (ra && ra[ssa_op->op2_def]) {
diff --git a/ext/opcache/tests/jit/assign_054.phpt b/ext/opcache/tests/jit/assign_054.phpt
@@ -0,0 +1,24 @@
+--TEST--
+JIT ASSIGN: missing type store
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+--FILE--
+<?php
+function foo($a) {
+    $b = $a = $a + $b & $a += $a;
+    $b = $a = $a + $b & $b & $b = $a = $a + $b = $a = $a + $b = $a += $a;
+    $b = !$a = $a + $b & $b & $b = $b = $a = $a + $b & $a += $a;
+	$a + $b & $b & $b = $a = $a + $b = $a = $a + $b = $a += $a;
+}
+
+@foo(39087589046889428661);
+@foo(390875890468877606478);
+@foo(390875890468877606478);
+?>
+DONE
+--EXPECT--
+DONE

Original file line number	Diff line number	Diff line change
`@@ -6377,7 +6377,7 @@ static const void zend_jit_trace(zend_jit_trace_rec trace_buffer, uint32_t par`
`6377`	`6377`	`}`
`6378`	`6378`	`SET_STACK_TYPE(stack, EX_VAR_TO_NUM(opline->op2.var), type,`
`6379`	`6379`	`(gen_handler \|\| type == IS_UNKNOWN \|\| !ra \|\|`
`6380`		`- (!ra[ssa_op->op2_def] && !ssa->vars[ssa_op->op2_def].no_val)));`
	`6380`	`+ (!ra[ssa_op->op2_def] /&& !ssa->vars[ssa_op->op2_def].no_val/)));`
`6381`	`6381`	`if (type != IS_UNKNOWN) {`
`6382`	`6382`	`ssa->var_info[ssa_op->op2_def].type &= ~MAY_BE_GUARD;`
`6383`	`6383`	`if (ra && ra[ssa_op->op2_def]) {`