Bug #79358 JIT miscompile in composer
Submitted: 2020-03-09 10:52 UTC Modified: 2020-03-09 11:39 UTC
From: Assigned:
Status: Closed Package: opcache
PHP Version: master-Git-2020-03-09 (Git) OS:
Private report: No CVE-ID: None
 [2020-03-09 10:52 UTC]
The attached reduction is miscompiled, resulting in incorrect dependency resolution in composer.

Test script:

function unimportant() { return true; } // assumed stub: the reduction does not define it

function test($x, $y) {
    return ($x && $y && unimportant()) ||
           ($x < 0 && unimportant());
}

var_dump(test(1, []));

Expected result:

Actual result:


 [2020-03-09 11:39 UTC]
Slightly better reduction:


function test(int $x) {
    return ($x > 0xdead && unimportant()) ||
           ($x < 0xbeef && unimportant());
}


We see

            #7.T2 [bool] RANGE[0..1] = IS_SMALLER #6.CV0($x) [long] RANGE[-9223372036854775808..9223372036854775807] int(48879)
            #8.T1 [bool] RANGE[0..1] = JMPZ_EX #7.T2 [bool] RANGE[0..1] BB7
BB5: follow lines=[8-9]


	mov 0x50(%r14), %rax
	cmp $0xbeef, %rax
	setl %al
	movzx %al, %eax
	lea 0x2(%rax), %eax
	mov %eax, 0x78(%r14)
	jge .L31

where 0x78 is T2. We should be either writing directly to T1 at 0x68, or copying from T2 to T1.
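The practical way to confirm a JIT miscompile of this kind, before reading SSA or assembly dumps, is a differential run: execute the same function with the JIT disabled and enabled and compare against a branch-expanded reference. The script below is an added example, not code from the report or from php-src; it reuses the shape of both reductions above (`test` and `unimportant` follow the report), while `reference`, `run_child` and the input set are chosen here. It assumes a PHP 8.x CLI with the opcache extension loadable.

```php
<?php
// Added example (not from the bug report or php-src): differential check of a
// short-circuit expression with the JIT off and on, compared against a
// hand-expanded reference. `test`/`unimportant` mirror the report's reduction;
// `reference`, `run_child` and INPUTS are assumptions made for this example.
declare(strict_types=1);

function unimportant(): bool { return true; }

// Same shape as the second reduction in the report.
function test(int $x): bool {
    return ($x > 0xdead && unimportant()) ||
           ($x < 0xbeef && unimportant());
}

// Same truth table, written as explicit nested branches so it does not go
// through the JMPZ_EX/JMPNZ_EX temporaries the report discusses.
function reference(int $x): bool {
    if ($x > 0xdead) {
        if (unimportant()) { return true; }
    }
    if ($x < 0xbeef) {
        if (unimportant()) { return true; }
    }
    return false;
}

// Constructed inputs: both sides of each comparison plus the extremes.
const INPUTS = [-1, 0, 0xbeee, 0xbeef, 0xdead, 0xdeae, PHP_INT_MIN, PHP_INT_MAX];

// Child mode: report whether the JIT engaged, then one line per input.
if (in_array('--child', $argv, true)) {
    $st = function_exists('opcache_get_status') ? opcache_get_status(false) : false;
    $jitOn = is_array($st) ? ($st['jit']['on'] ?? false) : false;
    echo 'jit_on=', var_export($jitOn, true), "\n";
    foreach (INPUTS as $x) {
        printf("%d %s %s\n", $x, var_export(test($x), true), var_export(reference($x), true));
    }
    exit(0);
}

// Parent mode: re-run this file as a child with a given opcache.jit setting.
function run_child(string $jit): array {
    $cmd = escapeshellarg(PHP_BINARY)
        . ' -d opcache.enable_cli=1 -d opcache.jit_buffer_size=16M'
        . ' -d opcache.jit=' . escapeshellarg($jit)
        . ' ' . escapeshellarg(__FILE__) . ' --child 2>&1';
    exec($cmd, $lines, $code);
    if ($code !== 0) {
        fwrite(STDERR, "child exited with $code:\n" . implode("\n", $lines) . "\n");
        exit(2);
    }
    return $lines;
}

$off = run_child('0');     // JIT disabled
$on  = run_child('1205');  // function JIT, everything compiled on script load

echo "jit off: {$off[0]}\njit on:  {$on[0]}\n";
if ($on[0] !== 'jit_on=true') {
    // Without this check a build that never loaded opcache would report
    // "no divergence" while having tested nothing.
    fwrite(STDERR, "JIT did not engage (opcache not loaded?); nothing was compared\n");
    exit(3);
}
if (count($off) !== count($on)) {
    fwrite(STDERR, "child outputs differ in length\n");
    exit(2);
}

$ok = true;
for ($i = 1, $n = count($off); $i < $n; $i++) {
    [$x, $t0, $r0] = explode(' ', $off[$i]);
    [, $t1, $r1]   = explode(' ', $on[$i]);
    if ($t0 !== $r0 || $t1 !== $r1 || $t0 !== $t1) {
        $ok = false;
        echo "MISMATCH x=$x  nojit test=$t0 ref=$r0  jit test=$t1 ref=$r1\n";
    }
}
echo $ok ? "JIT and interpreter agree on all inputs\n" : "JIT result diverges\n";
exit($ok ? 0 : 1);
```

Run it as `php check.php`; a non-zero exit with MISMATCH lines is the signal to dig into the compiled code. To obtain SSA and assembly dumps of the kind quoted above for the child process, add `-d opcache.jit_debug=3` to the command line (bit 1 prints the generated assembly, bit 2 the SSA form). On builds where opcache is a shared extension, `-d zend_extension=opcache` is also needed for the JIT to engage at all.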
 [2020-03-09 11:55 UTC]
Automatic comment on behalf of
Log: Fix bug #79358: JIT miscompile in composer
 [2020-03-09 11:55 UTC]
-Status: Open +Status: Closed