Bug #79358 JIT miscompile in composer
Submitted: 2020-03-09 10:52 UTC Modified: 2020-03-09 11:39 UTC
From: nikic@php.net Assigned:
Status: Closed Package: opcache
PHP Version: master-Git-2020-03-09 (Git) OS:
Private report: No CVE-ID: None
 [2020-03-09 10:52 UTC] nikic@php.net
Description:
------------
The attached reduction is miscompiled, resulting in incorrect dependency resolution in composer.

Test script:
---------------
<?php

// unimportant() is deliberately left undefined: for the input below neither
// &&-chain reaches it ($y is an empty array, and $x is not negative), so the
// whole expression must short-circuit to false without calling anything.
function test($x, $y)
{
    return ($x && $y && unimportant()) ||
           ($x < 0 && unimportant());
}

var_dump(test(1, []));


Expected result:
----------------
bool(false)

Actual result:
--------------
UNKNOWN:0

History

 [2020-03-09 11:39 UTC] nikic@php.net
Slightly better reduction:

<?php

// 0xcccc (52428) is neither greater than 0xdead (57005) nor smaller than
// 0xbeef (48879), so both comparisons are false and unimportant() is never
// reached; the correct result is bool(false).
function test(int $x)
{
    return ($x > 0xdead && unimportant()) ||
           ($x < 0xbeef && unimportant());
}

var_dump(test(0xcccc));

We see

            #7.T2 [bool] RANGE[0..1] = IS_SMALLER #6.CV0($x) [long] RANGE[-9223372036854775808..9223372036854775807] int(48879)
            #8.T1 [bool] RANGE[0..1] = JMPZ_EX #7.T2 [bool] RANGE[0..1] BB7
BB5: follow lines=[8-9] 

and

.L17:
	mov 0x50(%r14), %rax
	cmp $0xbeef, %rax
	setl %al
	movzx %al, %eax
	lea 0x2(%rax), %eax
	mov %eax, 0x78(%r14)
	jge .L31

where 0x78 is T2. We should be either writing directly to T1 at 0x68, or copying from T2 to T1.
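The miscompile above only shows up in the JMPZ_EX/JMPNZ_EX form of the boolean chain, so one practical way to catch this class of JIT bug is a differential check: evaluate the reduced expression and a branch-based equivalent over a grid of inputs and compare results and side effects. The script below is an added example and is not part of the bug report or of php-src; the function names, the input grid and the `unimportant()` call counter are assumptions made here. It is meant to be run with the JIT enabled on the CLI, for instance `php -d opcache.enable_cli=1 -d opcache.jit_buffer_size=64M -d opcache.jit=1205 jit_check.php` (1205 = compile everything at script load), and on a build with the fix applied it reports no mismatches.

```php
<?php
// Added example (not from the bug report): differential test of the reduced
// expression against a branch-based reference that avoids JMPZ_EX/JMPNZ_EX.
// Run with the JIT enabled, e.g.:
//   php -d opcache.enable_cli=1 -d opcache.jit_buffer_size=64M -d opcache.jit=1205 jit_check.php
declare(strict_types=1);

$calls = 0;

// Stand-in for the undefined unimportant() of the reduction: counts how often
// the &&-chain actually reached it, so short-circuit behaviour is checked too.
function unimportant(): bool
{
    global $calls;
    $calls++;
    return true;
}

// Same shape as the second reduction on the page. No return type is declared
// on purpose: the report's var_dump() showed "UNKNOWN:0", i.e. a garbage zval
// type, and a declared type would change the compiled code.
function reduced(int $x)
{
    return ($x > 0xdead && unimportant()) ||
           ($x < 0xbeef && unimportant());
}

// Reference with explicit if-statements. It compiles to plain JMPZ/JMPNZ and
// therefore does not use the JMPZ_EX path whose result slot was miscompiled.
function reference(int $x): bool
{
    if ($x > 0xdead) {
        if (unimportant()) {
            return true;
        }
    }
    if ($x < 0xbeef) {
        if (unimportant()) {
            return true;
        }
    }
    return false;
}

// Constructed input grid: boundaries of both comparisons plus extremes. Values
// between 0xbeef and 0xdead (such as the page's 0xcccc) must yield false.
$inputs = [PHP_INT_MIN, -1, 0, 0xbeee, 0xbeef, 0xcccc, 0xdead, 0xdeae, PHP_INT_MAX];

$mismatches = 0;
foreach ($inputs as $x) {
    $calls = 0;
    $got = reduced($x);
    $gotCalls = $calls;

    $calls = 0;
    $want = reference($x);
    $wantCalls = $calls;

    // Strict comparison: a result with a garbage type is not identical to a
    // bool, so a miscompile like the one in this report shows up here.
    if ($got !== $want || $gotCalls !== $wantCalls) {
        $mismatches++;
        printf(
            "MISMATCH x=%d: reduced=%s (%s, %d calls) reference=%s (%d calls)\n",
            $x,
            var_export($got, true),
            gettype($got),
            $gotCalls,
            var_export($want, true),
            $wantCalls
        );
    }
}

printf("jit=%s, %d inputs, %d mismatches\n",
    ini_get('opcache.jit') !== false ? ini_get('opcache.jit') : 'n/a',
    count($inputs),
    $mismatches
);
exit($mismatches === 0 ? 0 : 1);
```

The same script run a second time with `-d opcache.jit=0` gives the interpreter's behaviour for the same inputs, so a non-zero exit only with the JIT on points at the JIT rather than at the optimizer or the VM.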
 [2020-03-09 11:55 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=191451da90b6fe81641d55bf782b551c65e4fd70
Log: Fix bug #79358: JIT miscompile in composer
 [2020-03-09 11:55 UTC] nikic@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Nov 30 16:03:36 2021 UTC