Fixed code generation for ASSIGN_DIM

dstogov · dstogov · commit c163ff68dabb · 2023-10-25T12:01:28.000+03:00
Fixes oss-fuzz #63563
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
@@ -12799,19 +12799,21 @@ static int zend_jit_assign_dim(zend_jit_ctx *jit, const zend_op *opline, uint32_
 				var_info |= MAY_BE_RC1;
 			}
 
-			ir_MERGE_N(found_inputs->count, found_inputs->refs);
-			ref = ir_PHI_N(IR_ADDR, found_values->count, found_values->refs);
-			var_addr = ZEND_ADDR_REF_ZVAL(ref);
+			if (found_inputs->count) {
+				ir_MERGE_N(found_inputs->count, found_inputs->refs);
+				ref = ir_PHI_N(IR_ADDR, found_values->count, found_values->refs);
+				var_addr = ZEND_ADDR_REF_ZVAL(ref);
 
-			// JIT: value = zend_assign_to_variable(variable_ptr, value, OP_DATA_TYPE);
-			if (opline->op1_type == IS_VAR) {
-				ZEND_ASSERT(opline->result_type == IS_UNUSED);
-				if (!zend_jit_assign_to_variable_call(jit, opline, var_addr, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0)) {
-					return 0;
-				}
-			} else {
-				if (!zend_jit_assign_to_variable(jit, opline, var_addr, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0, 0)) {
-					return 0;
+				// JIT: value = zend_assign_to_variable(variable_ptr, value, OP_DATA_TYPE);
+				if (opline->op1_type == IS_VAR) {
+					ZEND_ASSERT(opline->result_type == IS_UNUSED);
+					if (!zend_jit_assign_to_variable_call(jit, opline, var_addr, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0)) {
+						return 0;
+					}
+				} else {
+					if (!zend_jit_assign_to_variable(jit, opline, var_addr, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0, 0)) {
+						return 0;
+					}
 				}
 			}
 		}
diff --git a/ext/opcache/tests/jit/assign_dim_016.phpt b/ext/opcache/tests/jit/assign_dim_016.phpt
@@ -0,0 +1,20 @@
+--TEST--
+JIT ASSIGN_DIM: 016
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function foo() {
+    $y[~$y] = 42;
+}
+@foo();
+?>
+--EXPECTF--
+Fatal error: Uncaught TypeError: Cannot perform bitwise not on null in %sassign_dim_016.php:3
+Stack trace:
+#0 %sassign_dim_016.php(5): foo()
+#1 {main}
+  thrown in %sassign_dim_016.php on line 3
