Skip to content

Commit b89d7ff

Browse files
dstogovdstogov
authored
Fix phpGH-16821: runtime error: member access within misaligned address when running phpseclib tests (php#16951)
1 parent 5ff67f8 commit b89d7ff

File tree

1 file changed

+29
-6
lines changed

1 file changed

+29
-6
lines changed

ext/opcache/jit/zend_jit_ir.c

Lines changed: 29 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -17381,8 +17381,15 @@ static void jit_frameless_icall2(zend_jit_ctx *jit, const zend_op *opline, uint3
1738117381

1738217382
jit_FREE_OP(jit, opline->op1_type, opline->op1, op1_info, NULL);
1738317383
/* Set OP1 to UNDEF in case FREE_OP2() throws. */
17384-
if ((opline->op1_type & (IS_VAR|IS_TMP_VAR)) != 0 && (opline->op2_type & (IS_VAR|IS_TMP_VAR)) != 0) {
17384+
if ((opline->op1_type & (IS_VAR|IS_TMP_VAR)) != 0
17385+
&& (opline->op2_type & (IS_VAR|IS_TMP_VAR)) != 0
17386+
&& (op2_info & MAY_BE_RC1)
17387+
&& (op2_info & (MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_ARRAY_OF_OBJECT|MAY_BE_ARRAY_OF_RESOURCE|MAY_BE_ARRAY_OF_ARRAY))) {
1738517388
jit_set_Z_TYPE_INFO(jit, op1_addr, IS_UNDEF);
17389+
if (JIT_G(current_frame)) {
17390+
SET_STACK_TYPE(JIT_G(current_frame)->stack,
17391+
EX_VAR_TO_NUM(opline->op1.var), IS_UNKNOWN, 1);
17392+
}
1738617393
}
1738717394
jit_FREE_OP(jit, opline->op2_type, opline->op2, op2_info, NULL);
1738817395
zend_jit_check_exception(jit);
@@ -17455,18 +17462,34 @@ static void jit_frameless_icall3(zend_jit_ctx *jit, const zend_op *opline, uint3
1745517462

1745617463
jit_FREE_OP(jit, opline->op1_type, opline->op1, op1_info, NULL);
1745717464
/* Set OP1 to UNDEF in case FREE_OP2() throws. */
17465+
bool op1_undef = false;
1745817466
if ((opline->op1_type & (IS_VAR|IS_TMP_VAR))
17459-
&& ((opline->op2_type & (IS_VAR|IS_TMP_VAR))
17460-
|| (op_data_type & (IS_VAR|IS_TMP_VAR)))) {
17467+
&& (((opline->op2_type & (IS_VAR|IS_TMP_VAR))
17468+
&& (op2_info & MAY_BE_RC1)
17469+
&& (op2_info & (MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_ARRAY_OF_OBJECT|MAY_BE_ARRAY_OF_RESOURCE|MAY_BE_ARRAY_OF_ARRAY)))
17470+
|| ((op_data_type & (IS_VAR|IS_TMP_VAR))
17471+
&& (op1_data_info & MAY_BE_RC1)
17472+
&& (op1_data_info & (MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_ARRAY_OF_OBJECT|MAY_BE_ARRAY_OF_RESOURCE|MAY_BE_ARRAY_OF_ARRAY))))) {
17473+
op1_undef = true;
1746117474
jit_set_Z_TYPE_INFO(jit, op1_addr, IS_UNDEF);
17475+
if (JIT_G(current_frame)) {
17476+
SET_STACK_TYPE(JIT_G(current_frame)->stack,
17477+
EX_VAR_TO_NUM(opline->op1.var), IS_UNKNOWN, 1);
17478+
}
1746217479
}
1746317480
jit_FREE_OP(jit, opline->op2_type, opline->op2, op2_info, NULL);
17464-
/* If OP1 is a TMP|VAR, we don't need to set OP2 to UNDEF on free because
17481+
/* If OP1 is set to UNDEF, we don't need to set OP2 to UNDEF on free because
1746517482
* zend_fetch_debug_backtrace aborts when it encounters the first UNDEF TMP|VAR. */
17466-
if (!(opline->op1_type & (IS_VAR|IS_TMP_VAR))
17483+
if (!op1_undef
1746717484
&& (opline->op2_type & (IS_VAR|IS_TMP_VAR)) != 0
17468-
&& (op_data_type & (IS_VAR|IS_TMP_VAR)) != 0) {
17485+
&& (op_data_type & (IS_VAR|IS_TMP_VAR)) != 0
17486+
&& (op1_data_info & MAY_BE_RC1)
17487+
&& (op1_data_info & (MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_ARRAY_OF_OBJECT|MAY_BE_ARRAY_OF_RESOURCE|MAY_BE_ARRAY_OF_ARRAY))) {
1746917488
jit_set_Z_TYPE_INFO(jit, op2_addr, IS_UNDEF);
17489+
if (JIT_G(current_frame)) {
17490+
SET_STACK_TYPE(JIT_G(current_frame)->stack,
17491+
EX_VAR_TO_NUM(opline->op2.var), IS_UNKNOWN, 1);
17492+
}
1747017493
}
1747117494
jit_FREE_OP(jit, (opline+1)->op1_type, (opline+1)->op1, op1_data_info, NULL);
1747217495
zend_jit_check_exception(jit);

0 commit comments

Comments
 (0)