Fixed incorrect narrowing to double

Fixes oss-fuzz #41223
2025-01-24 12:43:38 +08:00 · 2021-11-25 15:14:04 +03:00 · 2021-11-25 15:14:04 +03:00 · f9518c3850
commit f9518c3850
parent 3c53a9fd73
2 changed files with 26 additions and 1 deletions
--- a/ext/opcache/Optimizer/zend_inference.c
+++ b/ext/opcache/Optimizer/zend_inference.c
@ -3918,7 +3918,7 @@ static zend_bool can_convert_to_double(
 	for (phi = var->phi_use_chain; phi; phi = zend_ssa_next_use_phi(ssa, var_num, phi)) {
 		/* Check that narrowing can actually be useful */
 		type = ssa->var_info[phi->ssa_var].type;
-		if ((type & MAY_BE_ANY) & ~(MAY_BE_LONG|MAY_BE_DOUBLE)) {
+		if (type & ((MAY_BE_ANY|MAY_BE_UNDEF) - (MAY_BE_LONG|MAY_BE_DOUBLE))) {
 			return 0;
 		}

--- a/ext/opcache/tests/jit/assign_047.phpt
+++ b/ext/opcache/tests/jit/assign_047.phpt
@ -0,0 +1,25 @@
+--TEST--
+JIT ASSIGN: incorrect narrowing to double
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+--FILE--
+<?php
+function test(){
+	$x = (object)['x'=>0];
+	for($i=0;$i<10;$i++){
+		+$a;
+		$a=$x->x;
+		$a=7;
+	}
+}
+test()
+?>
+DONE
+--EXPECTF--
+Warning: Undefined variable $a in %sassign_047.php on line 5
+DONE
+