]> granicus.if.org Git - php/commitdiff
Fixed bug #80861 (erronous array key overflow in 2D array with JIT)
authorDmitry Stogov <dmitry@zend.com>
Wed, 17 Mar 2021 19:59:59 +0000 (22:59 +0300)
committerDmitry Stogov <dmitry@zend.com>
Wed, 17 Mar 2021 19:59:59 +0000 (22:59 +0300)
NEWS
ext/opcache/jit/zend_jit_x86.dasc
ext/opcache/tests/jit/bug80861.phpt [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index ac6b906abaef8c1c1f0536f6bf848371d1f20fd6..07451ebd004bf004a648a25d4a4780261b47acea 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ PHP                                                                        NEWS
 
 - Opcache:
   . Fixed bug #80839 (PHP problem with JIT). (Dmitry)
+  . Fixed bug #80861 (erronous array key overflow in 2D array with JIT).
+    (Dmitry)
 
 01 Apr 2021, PHP 8.0.4
 
index 04243cf34a54274f93b65688b37ae34a42f3415e..3b96db9361cde77179599c40fc208e92b5ca0050 100644 (file)
@@ -15511,7 +15511,7 @@ static zend_regset zend_jit_get_scratch_regset(const zend_op *opline, const zend
                        op2_info = OP2_INFO();
                        if (opline->op1_type == IS_CV
                         && !(op2_info & MAY_BE_UNDEF)
-                        && !(op1_info & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_RESOURCE|MAY_BE_REF))) {
+                        && !(op1_info & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
                                if ((op2_info & (MAY_BE_ANY|MAY_BE_REF)) == MAY_BE_DOUBLE) {
                                        regset = ZEND_REGSET(ZREG_XMM0);
                                } else if ((op2_info & (MAY_BE_ANY|MAY_BE_REF)) == MAY_BE_LONG) {
diff --git a/ext/opcache/tests/jit/bug80861.phpt b/ext/opcache/tests/jit/bug80861.phpt
new file mode 100644 (file)
index 0000000..3ae93d6
--- /dev/null
@@ -0,0 +1,111 @@
+--TEST--
+Bug #80839: PHP problem with JIT
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.jit_buffer_size=1M
+opcache.jit=tracing
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+declare(strict_types=1);
+
+// --------------------------------------------------------------------
+class Node
+{
+    public $column = null;
+    public $left = null;
+    public $right = null;
+    public $up = null;
+    public $down = null;
+
+    public static function joinLR(Node $a, Node $b): void
+    {
+        $a->right = $b;
+        $b->left = $a;
+    }
+
+    public static function joinDU(Node $a, Node $b): void
+    {
+        $a->up = $b;
+        $b->down = $a;
+    }
+}
+
+// --------------------------------------------------------------------
+class Column extends Node
+{
+    public function __construct()
+    {
+        $this->column = $this;
+        $this->up = $this;
+        $this->down = $this;
+    }
+}
+
+// --------------------------------------------------------------------
+class Matrix
+{
+    public $head = null;
+
+    public function __construct()
+    {
+        $this->head = new Node();
+        Node::joinLR($this->head, $this->head);
+    }
+
+    // $from is array[][] of bool
+    public static function fromArray(array $from): Matrix
+    {
+        $m = new Matrix();
+        $rowCount = count($from);
+        if ($rowCount == 0) {
+            return $m;
+        }
+        $columnCount = count($from[0]);
+        if ($columnCount == 0) {
+            return $m;
+        }
+        // we generate 2D double linked circular list of nodes from the input 2D bool array
+        // might be not relevant for the bug
+        $c = new Column();
+        Node::joinLR($m->head, $c);
+        for ($j = 1; $j < $columnCount; $j++) {
+            $nextCol = new Column();
+            Node::joinLR($c, $nextCol);
+            $c = $c->right;
+        }
+        Node::joinLR($c, $m->head);
+        $c = $m->head->right;
+        error_log("These are the array bounds: $rowCount * $columnCount");
+        for ($j = 0; $j < $columnCount; $j++) {
+            $prev = $c;
+            for ($i = 0; $i < $rowCount; $i++) {
+                // next line generates the warnings despite $i and $j is within bounds
+                if ($from[$i][$j]) {
+                    $node = new Node();
+                    $node->column = $c;
+                    Node::joinDU($node, $prev);
+                    Node::joinLR($node, $node);
+                    $prev = $node;
+                    // ... code to generate $m excluded
+                }
+            }
+            Node::joinDU($c, $prev);
+            $c = $c->right;
+        }
+        return $m;
+    }
+}
+
+// --------------------------------------------------------------------
+// simple driver code - fills up a 2D bool matrix and calls the static matrix constructing function above
+for ($y = 0; $y < 10; $y++) {
+    for ($x = 0; $x < 10; $x++) {
+        $a[$y][$x] = true;
+    }
+}
+$m = Matrix::fromArray($a);
+--EXPECT--
+These are the array bounds: 10 * 10