Fixed incorrect narrowing to double

dstogov · dstogov · commit f9518c385098 · 2021-11-25T15:14:04.000+03:00
Fixes oss-fuzz #41223
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
@@ -3918,7 +3918,7 @@ static zend_bool can_convert_to_double(
 	for (phi = var->phi_use_chain; phi; phi = zend_ssa_next_use_phi(ssa, var_num, phi)) {
 		/* Check that narrowing can actually be useful */
 		type = ssa->var_info[phi->ssa_var].type;
-		if ((type & MAY_BE_ANY) & ~(MAY_BE_LONG|MAY_BE_DOUBLE)) {
+		if (type & ((MAY_BE_ANY|MAY_BE_UNDEF) - (MAY_BE_LONG|MAY_BE_DOUBLE))) {
 			return 0;
 		}
 
diff --git a/ext/opcache/tests/jit/assign_047.phpt b/ext/opcache/tests/jit/assign_047.phpt
@@ -0,0 +1,25 @@
+--TEST--
+JIT ASSIGN: incorrect narrowing to double
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+--FILE--
+<?php
+function test(){
+	$x = (object)['x'=>0];
+	for($i=0;$i<10;$i++){
+		+$a;
+		$a=$x->x;
+		$a=7;
+	}
+}
+test()
+?>
+DONE
+--EXPECTF--
+Warning: Undefined variable $a in %sassign_047.php on line 5
+DONE
+

Original file line number	Diff line number	Diff line change
`@@ -3918,7 +3918,7 @@ static zend_bool can_convert_to_double(`
`3918`	`3918`	`for (phi = var->phi_use_chain; phi; phi = zend_ssa_next_use_phi(ssa, var_num, phi)) {`
`3919`	`3919`	`/* Check that narrowing can actually be useful */`
`3920`	`3920`	`type = ssa->var_info[phi->ssa_var].type;`
`3921`		`- if ((type & MAY_BE_ANY) & ~(MAY_BE_LONG\|MAY_BE_DOUBLE)) {`
	`3921`	`+ if (type & ((MAY_BE_ANY\|MAY_BE_UNDEF) - (MAY_BE_LONG\|MAY_BE_DOUBLE))) {`
`3922`	`3922`	`return 0;`
`3923`	`3923`	`}`
`3924`	`3924`