JIT: Fix missing type store

Fixes oss-fuzz #45604
php · Mar 21, 2022 · e9fc81a · e9fc81a
1 parent 7051dc3
commit e9fc81a
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
@@ -4760,9 +4760,16 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 #else
 						res_use_info = MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_LONG|MAY_BE_DOUBLE;
 #endif
+						res_addr = RES_REG_ADDR();
+						if (Z_MODE(res_addr) != IS_REG &&
+								STACK_TYPE(stack, EX_VAR_TO_NUM(opline->result.var)) !=
+								STACK_MEM_TYPE(stack, EX_VAR_TO_NUM(opline->result.var))) {
+							/* type may be not set */
+							res_use_info |= MAY_BE_NULL;
+						}
 						if (!zend_jit_qm_assign(&dasm_state, opline,
 								op1_info, op1_addr, op1_def_addr,
-								res_use_info, res_info, RES_REG_ADDR())) {
+								res_use_info, res_info, res_addr)) {
 							goto jit_failure;
 						}
 						if (opline->op1_type == IS_CV

diff --git a/ext/opcache/tests/jit/qm_assign_003.phpt b/ext/opcache/tests/jit/qm_assign_003.phpt
@@ -0,0 +1,31 @@
+--TEST--
+JIT QM_ASSIGN: 003 missing type store
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function foo() {
+    for($cnt2=0;$cnt<6;$cnt++) {
+        $a &= 15;
+        $a = "4294967295";
+        $a *= $a;
+        for ($i = 0; $i <= .1; $i++) {
+            for ($i = 0; $i << .1; $i++) {
+                $a &= $a . $a = "4294967295";
+            }
+        }
+    }
+}
+foo();
+?>
+DONE
+--EXPECTF--
+Warning: Undefined variable $cnt in %sqm_assign_003.php on line 3
+
+Warning: Undefined variable $a in %sqm_assign_003.php on line 4
+
+Warning: Undefined variable $cnt in %sqm_assign_003.php on line 3
+DONE