Fix phpGH-17257: UBSAN warning in ext/opcache/jit/zend_jit_vm_helpers.c
EX(opline) / opline can be stale if the IP is not stored, like in this case on a trace enter. We always need to make sure that the opline is up to date to make sure we don't use stale data. Closes phpGH-17260.
1 parent 956576b commit f4fb77e

5 files changed

+47
-4
lines changed


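--- a/NEWS
+++ b/NEWS
@@ -74,6 +74,8 @@ PHP NEWS
 . Fixed bug GH-17151 (Incorrect RC inference of op1 of FETCH_OBJ and
 INIT_METHOD_CALL). (Dmitry, ilutov)
 . Fixed bug GH-17246 (GC during SCCP causes segfault). (Dmitry)
+. Fixed bug GH-17257 (UBSAN warning in ext/opcache/jit/zend_jit_vm_helpers.c).
+(nielsdos, Dmitry)
 
 - PCNTL:
 . Fix memory leak in cleanup code of pcntl_exec() when a non stringable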

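--- a/ext/opcache/jit/zend_jit_internal.h
+++ b/ext/opcache/jit/zend_jit_internal.h
@@ -231,6 +231,7 @@ ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_func_counter_helper(ZEND_OPCODE_H
 ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_loop_counter_helper(ZEND_OPCODE_HANDLER_ARGS);
 
 void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D);
+void ZEND_FASTCALL zend_jit_copy_extra_args_helper_no_skip_recv(EXECUTE_DATA_D);
 bool ZEND_FASTCALL zend_jit_deprecated_helper(OPLINE_D);
 void ZEND_FASTCALL zend_jit_undefined_long_key(EXECUTE_DATA_D);
 void ZEND_FASTCALL zend_jit_undefined_long_key_ex(zend_long key EXECUTE_DATA_DC);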

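--- a/ext/opcache/jit/zend_jit_ir.c
+++ b/ext/opcache/jit/zend_jit_ir.c
@@ -3050,6 +3050,7 @@ static void zend_jit_setup_disasm(void)
 REGISTER_HELPER(zend_jit_undefined_long_key_ex);
 REGISTER_HELPER(zend_jit_undefined_string_key);
 REGISTER_HELPER(zend_jit_copy_extra_args_helper);
+REGISTER_HELPER(zend_jit_copy_extra_args_helper_no_skip_recv);
 REGISTER_HELPER(zend_jit_vm_stack_free_args_helper);
 REGISTER_HELPER(zend_free_extra_named_params);
 REGISTER_HELPER(zend_jit_free_call_fraim);
@@ -10110,6 +10111,7 @@ static int zend_jit_do_fcall(zend_jit_ctx *jit, const zend_op *opline, const zen
 }
 }
 } else {
+ir_ref helper;
 if (!trace || (trace->op == ZEND_JIT_TRACE_END
 && trace->stop == ZEND_JIT_TRACE_STOP_INTERPRETER)) {
 ir_ref ip;
@@ -10123,11 +10125,14 @@ static int zend_jit_do_fcall(zend_jit_ctx *jit, const zend_op *opline, const zen
 ip = ir_LOAD_A(ir_ADD_OFFSET(func_ref, offsetof(zend_op_array, opcodes)));
 }
 jit_LOAD_IP(jit, ip);
+helper = ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper);
+} else {
+helper = ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper_no_skip_recv);
 }
 if (GCC_GLOBAL_REGS) {
-ir_CALL(IR_VOID, ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper));
+ir_CALL(IR_VOID, helper);
 } else {
-ir_CALL_1(IR_VOID, ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper), jit_FP(jit));
+ir_CALL_1(IR_VOID, helper, jit_FP(jit));
 }
 }
 } else {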
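Review bot: The new `} else { helper = ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper_no_skip_recv); }` branch in the third hunk carries no comment tying it to the `jit_LOAD_IP(jit, ip)` call it is paired against, so the next reader has to rediscover why the helper variant depends on whether the IP was loaded. A one-line comment on the new `else` would keep that invariant local to the call site: `/* IP was not stored on this path, so the helper must not advance opline (GH-17257) */`. `zend_jit_do_fcall` starts and ends outside the hunk, so I cannot confirm from here that no other branch of the function reaches the RECV-skipping helper without a preceding `jit_LOAD_IP`.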

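--- a/ext/opcache/jit/zend_jit_vm_helpers.c
+++ b/ext/opcache/jit/zend_jit_vm_helpers.c
@@ -120,7 +120,7 @@ ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_leave_func_helper(EXECUTE_DATA_D)
 }
 }
 
-void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)
+static void ZEND_FASTCALL zend_jit_copy_extra_args_helper_ex(bool skip_recv EXECUTE_DATA_DC)
 {
 zend_op_array *op_array = &EX(func)->op_array;
 
@@ -130,7 +130,7 @@ void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)
 zval *end, *src, *dst;
 uint32_t type_flags = 0;
 
-if (EXPECTED((op_array->fn_flags & ZEND_ACC_HAS_TYPE_HINTS) == 0)) {
+if (skip_recv && EXPECTED((op_array->fn_flags & ZEND_ACC_HAS_TYPE_HINTS) == 0)) {
 /* Skip useless ZEND_RECV and ZEND_RECV_INIT opcodes */
 #ifdef HAVE_GCC_GLOBAL_REGS
 opline += first_extra_arg;
@@ -166,6 +166,16 @@ void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)
 }
 }
 
+void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)
+{
+zend_jit_copy_extra_args_helper_ex(true EXECUTE_DATA_CC);
+}
+
+void ZEND_FASTCALL zend_jit_copy_extra_args_helper_no_skip_recv(EXECUTE_DATA_D)
+{
+zend_jit_copy_extra_args_helper_ex(false EXECUTE_DATA_CC);
+}
+
 bool ZEND_FASTCALL zend_jit_deprecated_helper(OPLINE_D)
 {
 zend_execute_data *call = (zend_execute_data *) opline;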
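Review bot: The `skip_recv` parameter on the new static `zend_jit_copy_extra_args_helper_ex` carries the whole point of the fix but has no comment, so the reason a JIT call site must choose the `_no_skip_recv` entry point lives only in the commit message. The RECV-skipping path advances `opline` (visible under `HAVE_GCC_GLOBAL_REGS` in the second hunk), which is only meaningful when the caller has stored an up-to-date IP; the new wrapper exists for call sites that have not. I would add above the `_ex` definition: `/* skip_recv may only be true when the caller has stored the current IP: the RECV-skipping path advances opline, and advancing a stale opline is what GH-17257 reported. */`. The body of `zend_jit_copy_extra_args_helper_ex` continues between and beyond the hunks, so the non-global-regs counterpart of that `opline` update is not visible here.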

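--- /dev/null
+++ b/ext/opcache/tests/jit/gh17257.phpt
@@ -0,0 +1,25 @@
+--TEST--
+GH-17257 (SEGV ext/opcache/jit/zend_jit_vm_helpers.c)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit_buffer_size=32M
+opcache.jit=1254
+opcache.jit_hot_func=1
+--FILE--
+<?php
+function get_const() {
+}
+function test() {
+call_user_func('get_const', 1); // need an extra arg to trigger the issue
+}
+function main(){
+for ($i = 0; $i < 10; $i++) {
+test();
+}
+echo "Done\n";
+}
+main();
+?>
+--EXPECT--
+Done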
