Fix GH-12481: PHP crash with JIT enabled

2024-09-22 10:27:25 +00:00 · 2024-01-22 15:56:12 +03:00 · 2024-01-22 15:56:12 +03:00 · f120ac93a1
commit f120ac93a1
parent 242f89283e
2 changed files with 37 additions and 4 deletions
--- a/ext/opcache/jit/zend_jit_x86.dasc
+++ b/ext/opcache/jit/zend_jit_x86.dasc
@ -4426,8 +4426,14 @@ static int zend_jit_math_long_long(dasm_State    **Dst,
 		} else {
 			zend_reg tmp_reg;

-			if (Z_MODE(res_addr) == IS_MEM_ZVAL && Z_REG(res_addr) == ZREG_R0) {
-				tmp_reg = ZREG_R1;
+			if (Z_MODE(res_addr) == IS_MEM_ZVAL) {
+				if (Z_REG(res_addr) != ZREG_R0 && result_reg != ZREG_R0) {
+					tmp_reg = ZREG_R0;
+				} else if (Z_REG(res_addr) != ZREG_R1 && result_reg != ZREG_R1) {
+					tmp_reg = ZREG_R1;
+				} else {
+					tmp_reg = ZREG_R2;
+				}
 			} else if (result_reg != ZREG_R0) {
 				tmp_reg = ZREG_R0;
 			} else {
@ -5295,8 +5301,16 @@ static int zend_jit_long_math_helper(dasm_State    **Dst,
 	} else {
 		zend_reg tmp_reg;

-		if (Z_MODE(res_addr) == IS_MEM_ZVAL && Z_REG(res_addr) == ZREG_R0) {
-			tmp_reg = ZREG_R1;
+		if (Z_MODE(res_addr) == IS_MEM_ZVAL) {
+			if (Z_REG(res_addr) != ZREG_R0 && result_reg != ZREG_R0) {
+				tmp_reg = ZREG_R0;
+			} else if (Z_REG(res_addr) != ZREG_R1 && result_reg != ZREG_R1) {
+				tmp_reg = ZREG_R1;
+			} else {
+				tmp_reg = ZREG_R2;
+			}
+		} else if (Z_MODE(res_addr) == IS_MEM_ZVAL && Z_REG(res_addr) == ZREG_R1) {
+			tmp_reg = ZREG_R0;
 		} else if (result_reg != ZREG_R0) {
 			tmp_reg = ZREG_R0;
 		} else {
--- a/ext/opcache/tests/jit/gh12481.phpt
+++ b/ext/opcache/tests/jit/gh12481.phpt
@ -0,0 +1,19 @@
+--TEST--
+GH-12481: PHP crash on Windows 64-bit with JIT enabled
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+--FILE--
+<?php
+function foo(&$var) {
+    $var &= 0xFFFFFFFF;
+    return intval($var);
+}
+$v = 0x7FFFFFFF1;
+for ($i = 0; $i < 10; $i++) {
+    foo($v);
+}
+?>
+DONE
+--EXPECTF--
+DONE