Tracing JIT: Fix incorrect guard elimination

dstogov · dstogov · commit c9c51eb1f151 · 2022-08-22T15:38:41.000+03:00
Fixes oss-fuzz #49917
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
@@ -981,6 +981,9 @@ static int is_checked_guard(const zend_ssa *tssa, const zend_op **ssa_opcodes, u
 					 && (tssa->var_info[tssa->ops[idx].op1_use].type & MAY_BE_STRING)) {
 						return 0;
 					}
+					if (!(tssa->var_info[tssa->ops[idx].op1_use].type & (MAY_BE_LONG|MAY_BE_DOUBLE))) {
+						return 0;
+					}
 					return 1;
 				} else if (opline->opcode == ZEND_ASSIGN_OP
 				 && (opline->extended_value == ZEND_ADD
@@ -991,18 +994,25 @@ static int is_checked_guard(const zend_ssa *tssa, const zend_op **ssa_opcodes, u
 					  && (tssa->var_info[tssa->ops[idx].op2_use].type & MAY_BE_REF)) {
 						return 0;
 					}
+					if (!(tssa->var_info[tssa->ops[idx].op1_use].type & (MAY_BE_LONG|MAY_BE_DOUBLE))) {
+						return 0;
+					}
+					if (opline->op2_type == IS_CONST) {
+						zval *zv = RT_CONSTANT(opline, opline->op2);
+						if (Z_TYPE_P(zv) != IS_LONG && Z_TYPE_P(zv) != IS_DOUBLE) {
+							return 0;
+						}
+					} else if (!(tssa->var_info[tssa->ops[idx].op2_use].type & (MAY_BE_LONG|MAY_BE_DOUBLE))) {
+						return 0;
+					}
 					return 1;
 				}
 			}
 			if (tssa->ops[idx].result_def == var) {
 				const zend_op *opline = ssa_opcodes[idx];
 				if (opline->opcode == ZEND_ADD
 				 || opline->opcode == ZEND_SUB
-				 || opline->opcode == ZEND_MUL
-				 || opline->opcode == ZEND_PRE_DEC
-				 || opline->opcode == ZEND_PRE_INC
-				 || opline->opcode == ZEND_POST_DEC
-				 || opline->opcode == ZEND_POST_INC) {
+				 || opline->opcode == ZEND_MUL) {
 					if ((opline->op1_type & (IS_VAR|IS_CV))
 					  && tssa->ops[idx].op1_use >= 0
 					  && (tssa->var_info[tssa->ops[idx].op1_use].type & MAY_BE_REF)) {
@@ -1013,6 +1023,34 @@ static int is_checked_guard(const zend_ssa *tssa, const zend_op **ssa_opcodes, u
 					  && (tssa->var_info[tssa->ops[idx].op2_use].type & MAY_BE_REF)) {
 						return 0;
 					}
+					if (opline->op1_type == IS_CONST) {
+						zval *zv = RT_CONSTANT(opline, opline->op1);
+						if (Z_TYPE_P(zv) != IS_LONG && Z_TYPE_P(zv) != IS_DOUBLE) {
+							return 0;
+						}
+					} else if (!(tssa->var_info[tssa->ops[idx].op1_use].type & (MAY_BE_LONG|MAY_BE_DOUBLE))) {
+						return 0;
+					}
+					if (opline->op2_type == IS_CONST) {
+						zval *zv = RT_CONSTANT(opline, opline->op2);
+						if (Z_TYPE_P(zv) != IS_LONG && Z_TYPE_P(zv) != IS_DOUBLE) {
+							return 0;
+						}
+					} else if (!(tssa->var_info[tssa->ops[idx].op2_use].type & (MAY_BE_LONG|MAY_BE_DOUBLE))) {
+						return 0;
+					}
+				} else if (opline->opcode == ZEND_PRE_DEC
+				 || opline->opcode == ZEND_PRE_INC
+				 || opline->opcode == ZEND_POST_DEC
+				 || opline->opcode == ZEND_POST_INC) {
+					if ((opline->op1_type & (IS_VAR|IS_CV))
+					  && tssa->ops[idx].op1_use >= 0
+					  && (tssa->var_info[tssa->ops[idx].op1_use].type & MAY_BE_REF)) {
+						return 0;
+					}
+					if (!(tssa->var_info[tssa->ops[idx].op1_use].type & (MAY_BE_LONG|MAY_BE_DOUBLE))) {
+						return 0;
+					}
 					return 1;
 				}
 			}
diff --git a/ext/opcache/tests/jit/add_014.phpt b/ext/opcache/tests/jit/add_014.phpt
@@ -0,0 +1,25 @@
+--TEST--
+JIT ADD: 014 incorrect guard elimination
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function test() {
+	$s = null;
+    $i = $a + $a = $j = 2;
+    for ($a = 0; $i < 20; $a = !$a + $s .= 0xfff0001/34028236692903846346336*6) {
+	    $a = !$a + $a &= 74444444 - 444 >> 4 - $j++;
+        if ($j > 14) break;
+    }
+}
+try {
+    @test();
+} catch (Throwable $e) {
+	echo $e->getMessage() . "\n";
+}
+?>
+--EXPECT--
+Bit shift by negative number
