Fix memory leak

dstogov · dstogov · commit a8bd342397cc · 2022-11-14T12:35:09.000+03:00
Fizes oss-fuzz #53143
diff --git a/ext/opcache/jit/zend_jit_arm64.dasc b/ext/opcache/jit/zend_jit_arm64.dasc
@@ -5579,7 +5579,8 @@ static int zend_jit_simple_assign(dasm_State    **Dst,
                                   uint32_t        val_info,
                                   zend_jit_addr   res_addr,
                                   int             in_cold,
-                                  int             save_r1)
+                                  int             save_r1,
+                                  bool            check_exception)
 /* Labels: 1,2,3 */
 {
 	zend_reg tmp_reg;
@@ -5629,7 +5630,9 @@ static int zend_jit_simple_assign(dasm_State    **Dst,
 			ZEND_ASSERT(Z_MODE(val_addr) == IS_MEM_ZVAL && Z_REG(val_addr) == ZREG_FP);
 			|	LOAD_32BIT_VAL FCARG1w, Z_OFFSET(val_addr)
 			|	EXT_CALL zend_jit_undefined_op_helper, REG0
-			|	cbz RETVALx, ->exception_handler_undef
+			if (check_exception) {
+				|	cbz RETVALx, ->exception_handler_undef
+			}
 			if (save_r1) {
 				|	ldr FCARG1x, T1	// restore
 			}
@@ -5938,15 +5941,15 @@ static int zend_jit_assign_to_variable(dasm_State    **Dst,
 				if (!keep_gc) {
 					|	str Rx(tmp_reg), T1 // save
 				}
-				if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 0)) {
+				if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 0, 0)) {
 					return 0;
 				}
 				if (!keep_gc) {
 					|	ldr FCARG1x, T1     // restore
 				}
 			} else {
 				|	GET_ZVAL_PTR FCARG1x, var_use_addr, TMP1
-				if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 1)) {
+				if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 1, 0)) {
 					return 0;
 				}
 			}
@@ -5958,7 +5961,7 @@ static int zend_jit_assign_to_variable(dasm_State    **Dst,
 			}
 			|	ZVAL_DTOR_FUNC var_info, opline, TMP1
 			if (in_cold || (RC_MAY_BE_N(var_info) && (var_info & (MAY_BE_ARRAY|MAY_BE_OBJECT)) != 0)) {
-				if (check_exception) {
+				if (check_exception && !(val_info & MAY_BE_UNDEF)) {
 					|	MEM_LOAD_64_ZTS ldr, REG0, executor_globals, exception, TMP1
 					|	cbz REG0, >8
 					|	b ->exception_handler
@@ -5974,6 +5977,12 @@ static int zend_jit_assign_to_variable(dasm_State    **Dst,
 					|	b >8
 				}
 			}
+			if (check_exception && (val_info & MAY_BE_UNDEF)) {
+				|8:
+				|	MEM_LOAD_64_ZTS ldr, REG0, executor_globals, exception, TMP1
+				|	cbz REG0, >8
+				|	b ->exception_handler
+			}
 			if (in_cold) {
 				|.code
 			} else {
@@ -6002,7 +6011,7 @@ static int zend_jit_assign_to_variable(dasm_State    **Dst,
 	    }
 	}
 
-	if (!done && !zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, 0, 0)) {
+	if (!done && !zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, 0, 0, check_exception)) {
 		return 0;
 	}
 
@@ -6102,7 +6111,7 @@ static int zend_jit_assign_dim(dasm_State **Dst, const zend_op *opline, uint32_t
 			|	b >9
 			|.code
 
-			if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0, 0)) {
+			if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0, 0, 0)) {
 				return 0;
 			}
 		} else {
@@ -8453,7 +8462,7 @@ static int zend_jit_qm_assign(dasm_State **Dst, const zend_op *opline, uint32_t
 		}
 	}
 
-	if (!zend_jit_simple_assign(Dst, opline, res_addr, res_use_info, res_info, opline->op1_type, op1_addr, op1_info, 0, 0, 0)) {
+	if (!zend_jit_simple_assign(Dst, opline, res_addr, res_use_info, res_info, opline->op1_type, op1_addr, op1_info, 0, 0, 0, 1)) {
 		return 0;
 	}
 	if (!zend_jit_store_var_if_necessary(Dst, opline->result.var, res_addr, res_info)) {
diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
@@ -6096,7 +6096,8 @@ static int zend_jit_simple_assign(dasm_State    **Dst,
                                   uint32_t        val_info,
                                   zend_jit_addr   res_addr,
                                   int             in_cold,
-                                  int             save_r1)
+                                  int             save_r1,
+                                  bool            check_exception)
 /* Labels: 1,2,3 */
 {
 	zend_reg tmp_reg;
@@ -6146,8 +6147,10 @@ static int zend_jit_simple_assign(dasm_State    **Dst,
 			ZEND_ASSERT(Z_MODE(val_addr) == IS_MEM_ZVAL && Z_REG(val_addr) == ZREG_FP);
 			|	mov FCARG1d, Z_OFFSET(val_addr)
 			|	EXT_CALL zend_jit_undefined_op_helper, r0
-			|	test r0, r0
-			|	jz ->exception_handler_undef
+			if (check_exception) {
+				|	test r0, r0
+				|	jz ->exception_handler_undef
+			}
 			if (save_r1) {
 				|	mov FCARG1a, aword T1 // restore
 			}
@@ -6462,15 +6465,15 @@ static int zend_jit_assign_to_variable(dasm_State    **Dst,
 				if (!keep_gc) {
 					|	mov aword T1, Ra(tmp_reg) // save
 				}
-				if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 0)) {
+				if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 0, 0)) {
 					return 0;
 				}
 				if (!keep_gc) {
 					|	mov FCARG1a, aword T1 // restore
 				}
 			} else {
 				|	GET_ZVAL_PTR FCARG1a, var_use_addr
-				if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 1)) {
+				if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 1, 0)) {
 					return 0;
 				}
 			}
@@ -6482,7 +6485,7 @@ static int zend_jit_assign_to_variable(dasm_State    **Dst,
 			}
 			|	ZVAL_DTOR_FUNC var_info, opline
 			if (in_cold || (RC_MAY_BE_N(var_info) && (var_info & (MAY_BE_ARRAY|MAY_BE_OBJECT)) != 0)) {
-				if (check_exception) {
+				if (check_exception && !(val_info & MAY_BE_UNDEF)) {
 					|	MEM_CMP_ZTS aword, executor_globals, exception, 0, r0
 					|	je >8
 					|	jmp ->exception_handler
@@ -6498,6 +6501,12 @@ static int zend_jit_assign_to_variable(dasm_State    **Dst,
 					|	jmp >8
 				}
 			}
+			if (check_exception && (val_info & MAY_BE_UNDEF)) {
+				|8:
+				|	MEM_CMP_ZTS aword, executor_globals, exception, 0, r0
+				|	je >8
+				|	jmp ->exception_handler
+			}
 			if (in_cold) {
 				|.code
 			} else {
@@ -6526,7 +6535,7 @@ static int zend_jit_assign_to_variable(dasm_State    **Dst,
 	    }
 	}
 
-	if (!done && !zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, 0, 0)) {
+	if (!done && !zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, 0, 0, check_exception)) {
 		return 0;
 	}
 
@@ -6624,7 +6633,7 @@ static int zend_jit_assign_dim(dasm_State **Dst, const zend_op *opline, uint32_t
 			|	jmp >9
 			|.code
 
-			if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0, 0)) {
+			if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0, 0, 0)) {
 				return 0;
 			}
 		} else {
@@ -9045,7 +9054,7 @@ static int zend_jit_qm_assign(dasm_State **Dst, const zend_op *opline, uint32_t
 		}
 	}
 
-	if (!zend_jit_simple_assign(Dst, opline, res_addr, res_use_info, res_info, opline->op1_type, op1_addr, op1_info, 0, 0, 0)) {
+	if (!zend_jit_simple_assign(Dst, opline, res_addr, res_use_info, res_info, opline->op1_type, op1_addr, op1_info, 0, 0, 0, 1)) {
 		return 0;
 	}
 	if (!zend_jit_store_var_if_necessary(Dst, opline->result.var, res_addr, res_info)) {
diff --git a/ext/opcache/tests/jit/assign_055.phpt b/ext/opcache/tests/jit/assign_055.phpt
@@ -0,0 +1,25 @@
+--TEST--
+JIT ASSIGN: memory leak
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+--FILE--
+<?php
+set_error_handler(function() {
+    (y);
+});
+$ret = new stdClass;
+try {
+    $ret = $y;
+} catch (y) {
+}
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Undefined constant "y" in %sassign_055.php:3
+Stack trace:
+#0 %sassign_055.php(7): {closure}(2, 'Undefined varia...', '%s', 7)
+#1 {main}
+  thrown in %sassign_055.php on line 3

Original file line number	Diff line number	Diff line change
`@@ -5579,7 +5579,8 @@ static int zend_jit_simple_assign(dasm_State **Dst,`
`5579`	`5579`	`uint32_t val_info,`
`5580`	`5580`	`zend_jit_addr res_addr,`
`5581`	`5581`	`int in_cold,`
`5582`		`- int save_r1)`
	`5582`	`+ int save_r1,`
	`5583`	`+ bool check_exception)`
`5583`	`5584`	`/* Labels: 1,2,3 */`
`5584`	`5585`	`{`
`5585`	`5586`	`zend_reg tmp_reg;`
`@@ -5629,7 +5630,9 @@ static int zend_jit_simple_assign(dasm_State **Dst,`
`5629`	`5630`	`ZEND_ASSERT(Z_MODE(val_addr) == IS_MEM_ZVAL && Z_REG(val_addr) == ZREG_FP);`
`5630`	`5631`	`\| LOAD_32BIT_VAL FCARG1w, Z_OFFSET(val_addr)`
`5631`	`5632`	`\| EXT_CALL zend_jit_undefined_op_helper, REG0`
`5632`		`- \| cbz RETVALx, ->exception_handler_undef`
	`5633`	`+ if (check_exception) {`
	`5634`	`+ \| cbz RETVALx, ->exception_handler_undef`
	`5635`	`+ }`
`5633`	`5636`	`if (save_r1) {`
`5634`	`5637`	`\| ldr FCARG1x, T1 // restore`
`5635`	`5638`	`}`
`@@ -5938,15 +5941,15 @@ static int zend_jit_assign_to_variable(dasm_State **Dst,`
`5938`	`5941`	`if (!keep_gc) {`
`5939`	`5942`	`\| str Rx(tmp_reg), T1 // save`
`5940`	`5943`	`}`
`5941`		`- if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 0)) {`
	`5944`	`+ if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 0, 0)) {`
`5942`	`5945`	`return 0;`
`5943`	`5946`	`}`
`5944`	`5947`	`if (!keep_gc) {`
`5945`	`5948`	`\| ldr FCARG1x, T1 // restore`
`5946`	`5949`	`}`
`5947`	`5950`	`} else {`
`5948`	`5951`	`\| GET_ZVAL_PTR FCARG1x, var_use_addr, TMP1`
`5949`		`- if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 1)) {`
	`5952`	`+ if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 1, 0)) {`
`5950`	`5953`	`return 0;`
`5951`	`5954`	`}`
`5952`	`5955`	`}`
`@@ -5958,7 +5961,7 @@ static int zend_jit_assign_to_variable(dasm_State **Dst,`
`5958`	`5961`	`}`
`5959`	`5962`	`\| ZVAL_DTOR_FUNC var_info, opline, TMP1`
`5960`	`5963`	`if (in_cold \|\| (RC_MAY_BE_N(var_info) && (var_info & (MAY_BE_ARRAY\|MAY_BE_OBJECT)) != 0)) {`
`5961`		`- if (check_exception) {`
	`5964`	`+ if (check_exception && !(val_info & MAY_BE_UNDEF)) {`
`5962`	`5965`	`\| MEM_LOAD_64_ZTS ldr, REG0, executor_globals, exception, TMP1`
`5963`	`5966`	`\| cbz REG0, >8`
`5964`	`5967`	`\| b ->exception_handler`
`@@ -5974,6 +5977,12 @@ static int zend_jit_assign_to_variable(dasm_State **Dst,`
`5974`	`5977`	`\| b >8`
`5975`	`5978`	`}`
`5976`	`5979`	`}`
	`5980`	`+ if (check_exception && (val_info & MAY_BE_UNDEF)) {`
	`5981`	`+ \|8:`
	`5982`	`+ \| MEM_LOAD_64_ZTS ldr, REG0, executor_globals, exception, TMP1`
	`5983`	`+ \| cbz REG0, >8`
	`5984`	`+ \| b ->exception_handler`
	`5985`	`+ }`
`5977`	`5986`	`if (in_cold) {`
`5978`	`5987`	`\|.code`
`5979`	`5988`	`} else {`
`@@ -6002,7 +6011,7 @@ static int zend_jit_assign_to_variable(dasm_State **Dst,`
`6002`	`6011`	`}`
`6003`	`6012`	`}`
`6004`	`6013`
`6005`		`- if (!done && !zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, 0, 0)) {`
	`6014`	`+ if (!done && !zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, 0, 0, check_exception)) {`
`6006`	`6015`	`return 0;`
`6007`	`6016`	`}`
`6008`	`6017`
`@@ -6102,7 +6111,7 @@ static int zend_jit_assign_dim(dasm_State *Dst, const zend_op opline, uint32_t`
`6102`	`6111`	`\| b >9`
`6103`	`6112`	`\|.code`
`6104`	`6113`
`6105`		`- if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0, 0)) {`
	`6114`	`+ if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0, 0, 0)) {`
`6106`	`6115`	`return 0;`
`6107`	`6116`	`}`
`6108`	`6117`	`} else {`
`@@ -8453,7 +8462,7 @@ static int zend_jit_qm_assign(dasm_State *Dst, const zend_op opline, uint32_t`
`8453`	`8462`	`}`
`8454`	`8463`	`}`
`8455`	`8464`
`8456`		`- if (!zend_jit_simple_assign(Dst, opline, res_addr, res_use_info, res_info, opline->op1_type, op1_addr, op1_info, 0, 0, 0)) {`
	`8465`	`+ if (!zend_jit_simple_assign(Dst, opline, res_addr, res_use_info, res_info, opline->op1_type, op1_addr, op1_info, 0, 0, 0, 1)) {`
`8457`	`8466`	`return 0;`
`8458`	`8467`	`}`
`8459`	`8468`	`if (!zend_jit_store_var_if_necessary(Dst, opline->result.var, res_addr, res_info)) {`
Original file line number	Diff line number	Diff line change
`@@ -6096,7 +6096,8 @@ static int zend_jit_simple_assign(dasm_State **Dst,`
`6096`	`6096`	`uint32_t val_info,`
`6097`	`6097`	`zend_jit_addr res_addr,`
`6098`	`6098`	`int in_cold,`
`6099`		`- int save_r1)`
	`6099`	`+ int save_r1,`
	`6100`	`+ bool check_exception)`
`6100`	`6101`	`/* Labels: 1,2,3 */`
`6101`	`6102`	`{`
`6102`	`6103`	`zend_reg tmp_reg;`
`@@ -6146,8 +6147,10 @@ static int zend_jit_simple_assign(dasm_State **Dst,`
`6146`	`6147`	`ZEND_ASSERT(Z_MODE(val_addr) == IS_MEM_ZVAL && Z_REG(val_addr) == ZREG_FP);`
`6147`	`6148`	`\| mov FCARG1d, Z_OFFSET(val_addr)`
`6148`	`6149`	`\| EXT_CALL zend_jit_undefined_op_helper, r0`
`6149`		`- \| test r0, r0`
`6150`		`- \| jz ->exception_handler_undef`
	`6150`	`+ if (check_exception) {`
	`6151`	`+ \| test r0, r0`
	`6152`	`+ \| jz ->exception_handler_undef`
	`6153`	`+ }`
`6151`	`6154`	`if (save_r1) {`
`6152`	`6155`	`\| mov FCARG1a, aword T1 // restore`
`6153`	`6156`	`}`
`@@ -6462,15 +6465,15 @@ static int zend_jit_assign_to_variable(dasm_State **Dst,`
`6462`	`6465`	`if (!keep_gc) {`
`6463`	`6466`	`\| mov aword T1, Ra(tmp_reg) // save`
`6464`	`6467`	`}`
`6465`		`- if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 0)) {`
	`6468`	`+ if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 0, 0)) {`
`6466`	`6469`	`return 0;`
`6467`	`6470`	`}`
`6468`	`6471`	`if (!keep_gc) {`
`6469`	`6472`	`\| mov FCARG1a, aword T1 // restore`
`6470`	`6473`	`}`
`6471`	`6474`	`} else {`
`6472`	`6475`	`\| GET_ZVAL_PTR FCARG1a, var_use_addr`
`6473`		`- if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 1)) {`
	`6476`	`+ if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, in_cold, 1, 0)) {`
`6474`	`6477`	`return 0;`
`6475`	`6478`	`}`
`6476`	`6479`	`}`
`@@ -6482,7 +6485,7 @@ static int zend_jit_assign_to_variable(dasm_State **Dst,`
`6482`	`6485`	`}`
`6483`	`6486`	`\| ZVAL_DTOR_FUNC var_info, opline`
`6484`	`6487`	`if (in_cold \|\| (RC_MAY_BE_N(var_info) && (var_info & (MAY_BE_ARRAY\|MAY_BE_OBJECT)) != 0)) {`
`6485`		`- if (check_exception) {`
	`6488`	`+ if (check_exception && !(val_info & MAY_BE_UNDEF)) {`
`6486`	`6489`	`\| MEM_CMP_ZTS aword, executor_globals, exception, 0, r0`
`6487`	`6490`	`\| je >8`
`6488`	`6491`	`\| jmp ->exception_handler`
`@@ -6498,6 +6501,12 @@ static int zend_jit_assign_to_variable(dasm_State **Dst,`
`6498`	`6501`	`\| jmp >8`
`6499`	`6502`	`}`
`6500`	`6503`	`}`
	`6504`	`+ if (check_exception && (val_info & MAY_BE_UNDEF)) {`
	`6505`	`+ \|8:`
	`6506`	`+ \| MEM_CMP_ZTS aword, executor_globals, exception, 0, r0`
	`6507`	`+ \| je >8`
	`6508`	`+ \| jmp ->exception_handler`
	`6509`	`+ }`
`6501`	`6510`	`if (in_cold) {`
`6502`	`6511`	`\|.code`
`6503`	`6512`	`} else {`
`@@ -6526,7 +6535,7 @@ static int zend_jit_assign_to_variable(dasm_State **Dst,`
`6526`	`6535`	`}`
`6527`	`6536`	`}`
`6528`	`6537`
`6529`		`- if (!done && !zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, 0, 0)) {`
	`6538`	`+ if (!done && !zend_jit_simple_assign(Dst, opline, var_addr, var_info, var_def_info, val_type, val_addr, val_info, res_addr, 0, 0, check_exception)) {`
`6530`	`6539`	`return 0;`
`6531`	`6540`	`}`
`6532`	`6541`
`@@ -6624,7 +6633,7 @@ static int zend_jit_assign_dim(dasm_State *Dst, const zend_op opline, uint32_t`
`6624`	`6633`	`\| jmp >9`
`6625`	`6634`	`\|.code`
`6626`	`6635`
`6627`		`- if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0, 0)) {`
	`6636`	`+ if (!zend_jit_simple_assign(Dst, opline, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0, 0, 0)) {`
`6628`	`6637`	`return 0;`
`6629`	`6638`	`}`
`6630`	`6639`	`} else {`
`@@ -9045,7 +9054,7 @@ static int zend_jit_qm_assign(dasm_State *Dst, const zend_op opline, uint32_t`
`9045`	`9054`	`}`
`9046`	`9055`	`}`
`9047`	`9056`
`9048`		`- if (!zend_jit_simple_assign(Dst, opline, res_addr, res_use_info, res_info, opline->op1_type, op1_addr, op1_info, 0, 0, 0)) {`
	`9057`	`+ if (!zend_jit_simple_assign(Dst, opline, res_addr, res_use_info, res_info, opline->op1_type, op1_addr, op1_info, 0, 0, 0, 1)) {`
`9049`	`9058`	`return 0;`
`9050`	`9059`	`}`
`9051`	`9060`	`if (!zend_jit_store_var_if_necessary(Dst, opline->result.var, res_addr, res_info)) {`