clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-21 09:57:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix GH-15652: Segmentation fault in the Zend engine when JIT enabled (#15717)

Browse Source
This commit is contained in:
Dmitry Stogov 2024-09-02 21:55:19 +03:00 committed by GitHub
parent 57f9041165
commit 1e78cf941c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 51 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ext/opcache/jit/zend_jit.c
View File

@ -669,16 +669,16 @@ static zend_property_info* zend_get_known_property_info(const zend_op_array *op_
return NULL;
}
static bool zend_may_be_dynamic_property(zend_class_entry *ce, zend_string *member, bool on_this, zend_string *filename)
static bool zend_may_be_dynamic_property(zend_class_entry *ce, zend_string *member, bool on_this, const zend_op_array *op_array)
{
zend_property_info *info;
if (!ce || (ce->ce_flags & ZEND_ACC_TRAIT)) {
if (!ce || (ce->ce_flags & ZEND_ACC_TRAIT) || (op_array->fn_flags & ZEND_ACC_TRAIT_CLONE)) {
return 1;
}
if (!(ce->ce_flags & ZEND_ACC_IMMUTABLE)) {
if (ce->info.user.filename != filename) {
if (ce->info.user.filename != op_array->filename) {
/* class declaration might be changed independently */
return 1;
}

2
ext/opcache/jit/zend_jit_arm64.dasc
View File

@ -12200,7 +12200,7 @@ static int zend_jit_fetch_obj(dasm_State **Dst,
| cmp REG2, TMP1
| bne >5
| MEM_ACCESS_64_WITH_UOFFSET ldr, REG0, REG0, ((opline->extended_value & ~ZEND_FETCH_OBJ_FLAGS) + sizeof(void*)), TMP1
may_be_dynamic = zend_may_be_dynamic_property(ce, Z_STR_P(member), opline->op1_type == IS_UNUSED, op_array->filename);
may_be_dynamic = zend_may_be_dynamic_property(ce, Z_STR_P(member), opline->op1_type == IS_UNUSED, op_array);
if (may_be_dynamic) {
| tst REG0, REG0
if (opline->opcode == ZEND_FETCH_OBJ_W) {

2
ext/opcache/jit/zend_jit_x86.dasc
View File

@ -12964,7 +12964,7 @@ static int zend_jit_fetch_obj(dasm_State **Dst,
| cmp r2, aword [FCARG1a + offsetof(zend_object, ce)]
| jne >5
| mov r0, aword [r0 + (opline->extended_value & ~ZEND_FETCH_OBJ_FLAGS) + sizeof(void*)]
may_be_dynamic = zend_may_be_dynamic_property(ce, Z_STR_P(member), opline->op1_type == IS_UNUSED, op_array->filename);
may_be_dynamic = zend_may_be_dynamic_property(ce, Z_STR_P(member), opline->op1_type == IS_UNUSED, op_array);
if (may_be_dynamic) {
| test r0, r0
if (opline->opcode == ZEND_FETCH_OBJ_W) {

46
ext/opcache/tests/jit/gh15652.phpt Normal file
View File

@ -0,0 +1,46 @@
--TEST--
JIT: FETCH_OBJ 007
--INI--
opcache.enable=1
opcache.enable_cli=1
opcache.file_update_protection=0
opcache.jit_buffer_size=1M
opcache.jit_hot_func=2
--FILE--
<?php
class C {}
trait T {
public function equal(C $type): bool {
return $type instanceof self && $this->value === $type->value;
}
}
class C1 extends C {
use T;
public function __construct(private int $value) {}
}
class C2 extends C {
use T;
}
$x = new C1(1);
var_dump($x->equal($x));
var_dump($x->equal($x));
$a = new C2("aaa");
var_dump($a->equal($a));
var_dump($a->equal($a));
--EXPECTF--
bool(true)
bool(true)
Warning: Undefined property: C2::$value in %sgh15652.php on line 6
Warning: Undefined property: C2::$value in %sgh15652.php on line 6
bool(true)
Warning: Undefined property: C2::$value in %sgh15652.php on line 6
Warning: Undefined property: C2::$value in %sgh15652.php on line 6
bool(true)