php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81409 Incorrect JIT code for ADD with a reference to array
Submitted: 2021-09-02 07:50 UTC Modified: 2021-09-02 07:50 UTC
From: dmitry@php.net Assigned: dmitry (profile)
Status: Closed Package: JIT
PHP Version: 8.1Git-2021-09-02 (Git) OS: *
Private report: No CVE-ID: None
 [2021-09-02 07:50 UTC] dmitry@php.net
Description:
------------
Tracing JIT doesn't take into account the dereference and pass into zend_jit_add_arrays_helper() a reference instead of array.

Test script:
---------------
<?php
function foo(&$a) {
    $n = count($a);	
    $a = $a + [$n=>1];
}
function bar() {
    $x = [];
    for ($i = 0; $i < 200; $i++) {
        foo($x);
    }
    var_dump(count($x));
}
bar();
?>

Expected result:
----------------
int(200)

Actual result:
--------------
int(1) or crash, assertion, ASAN failure

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-09-02 07:50 UTC] dmitry@php.net
-Assigned To: +Assigned To: dmitry
 [2021-09-02 08:18 UTC] git@php.net
-Status: Assigned +Status: Closed
 [2021-09-02 08:18 UTC] git@php.net
Automatic comment on behalf of dstogov
Revision: https://github.com/php/php-src/commit/cbc925e510fd04f18538e98ce532c67ea5840196
Log: Fixed bug #81409 (Incorrect JIT code for ADD with a reference to array)
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Nov 28 10:03:16 2021 UTC