diff options
| -rw-r--r-- | ext/opcache/Optimizer/zend_inference.c | 37 | ||||
| -rw-r--r-- | ext/opcache/tests/bug76074.phpt | 16 |
2 files changed, 47 insertions, 6 deletions
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c index 346958b651..c3cbef84cd 100644 --- a/ext/opcache/Optimizer/zend_inference.c +++ b/ext/opcache/Optimizer/zend_inference.c @@ -158,6 +158,17 @@ } \ } while (0) +static inline zend_bool add_will_overflow(zend_long a, zend_long b) { + return (b > 0 && a > ZEND_LONG_MAX - b) + || (b < 0 && a < ZEND_LONG_MIN - b); +} +#if 0 +static inline zend_bool sub_will_overflow(zend_long a, zend_long b) { + return (b > 0 && a < ZEND_LONG_MIN + b) + || (b < 0 && a > ZEND_LONG_MAX + b); +} +#endif + static void zend_ssa_check_scc_var(const zend_op_array *op_array, zend_ssa *ssa, int var, int *index, int *dfs, int *root, zend_worklist_stack *stack) /* {{{ */ { #ifdef SYM_RANGE @@ -894,7 +905,9 @@ int zend_inference_calc_range(const zend_op_array *op_array, zend_ssa *ssa, int #ifdef SYM_RANGE } else if (narrowing && ssa->var_info[constraint->min_ssa_var].has_range) { tmp->underflow = ssa->var_info[constraint->min_ssa_var].range.underflow && tmp->underflow; - tmp->min = MAX(ssa->var_info[constraint->min_ssa_var].range.min + constraint->range.min, tmp->min); + if (!add_will_overflow(ssa->var_info[constraint->min_ssa_var].range.min, constraint->range.min)) { + tmp->min = MAX(ssa->var_info[constraint->min_ssa_var].range.min + constraint->range.min, tmp->min); + } #endif } if (constraint->max_ssa_var < 0) { @@ -902,7 +915,9 @@ int zend_inference_calc_range(const zend_op_array *op_array, zend_ssa *ssa, int tmp->overflow = constraint->range.overflow && tmp->overflow; #ifdef SYM_RANGE } else if (narrowing && ssa->var_info[constraint->max_ssa_var].has_range) { - tmp->max = MIN(ssa->var_info[constraint->max_ssa_var].range.max + constraint->range.max, tmp->max); + if (!add_will_overflow(ssa->var_info[constraint->max_ssa_var].range.max, constraint->range.max)) { + tmp->max = MIN(ssa->var_info[constraint->max_ssa_var].range.max + constraint->range.max, tmp->max); + } tmp->overflow = ssa->var_info[constraint->max_ssa_var].range.overflow && tmp->overflow; #endif } @@ -912,8 +927,13 @@ int zend_inference_calc_range(const zend_op_array *op_array, zend_ssa *ssa, int tmp->min = constraint->range.min; #ifdef SYM_RANGE } else if (narrowing && ssa->var_info[constraint->min_ssa_var].has_range) { - tmp->underflow = ssa->var_info[constraint->min_ssa_var].range.underflow; - tmp->min = ssa->var_info[constraint->min_ssa_var].range.min + constraint->range.min; + if (add_will_overflow(ssa->var_info[constraint->min_ssa_var].range.min, constraint->range.min)) { + tmp->underflow = 1; + tmp->min = ZEND_LONG_MIN; + } else { + tmp->underflow = ssa->var_info[constraint->min_ssa_var].range.underflow; + tmp->min = ssa->var_info[constraint->min_ssa_var].range.min + constraint->range.min; + } #endif } else { tmp->underflow = 1; @@ -924,8 +944,13 @@ int zend_inference_calc_range(const zend_op_array *op_array, zend_ssa *ssa, int tmp->overflow = constraint->range.overflow; #ifdef SYM_RANGE } else if (narrowing && ssa->var_info[constraint->max_ssa_var].has_range) { - tmp->max = ssa->var_info[constraint->max_ssa_var].range.max + constraint->range.max; - tmp->overflow = ssa->var_info[constraint->max_ssa_var].range.overflow; + if (add_will_overflow(ssa->var_info[constraint->max_ssa_var].range.max, constraint->range.max)) { + tmp->overflow = 1; + tmp->max = ZEND_LONG_MAX; + } else { + tmp->max = ssa->var_info[constraint->max_ssa_var].range.max + constraint->range.max; + tmp->overflow = ssa->var_info[constraint->max_ssa_var].range.overflow; + } #endif } else { tmp->max = ZEND_LONG_MAX; diff --git a/ext/opcache/tests/bug76074.phpt b/ext/opcache/tests/bug76074.phpt new file mode 100644 index 0000000000..b6ad7cb587 --- /dev/null +++ b/ext/opcache/tests/bug76074.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #76074 (opcache corrupts variable in for-loop) +--FILE-- +<?php + +function test(int $nr) { + for ($i = $nr; $i <= $nr + 1; $i++) + var_dump($i); +} + +test(1); + +?> +--EXPECT-- +int(1) +int(2) |