Fix GH-17144: type inference narrowing on ZEND_FETCH_DIM_W#21674
Open
iliaal wants to merge 1 commit intophp:PHP-8.4from
Open
Fix GH-17144: type inference narrowing on ZEND_FETCH_DIM_W#21674iliaal wants to merge 1 commit intophp:PHP-8.4from
iliaal wants to merge 1 commit intophp:PHP-8.4from
Conversation
FETCH_DIM_W stripped MAY_BE_ARRAY_EMPTY only when key_type had valid key bits. When the key operand's type widened across loop iterations (from MAY_BE_ARRAY to include scalar types), key_type transitioned from 0 to non-zero, causing MAY_BE_ARRAY_EMPTY to be stripped on the second pass but not the first. This violated monotonicity. Strip MAY_BE_ARRAY_EMPTY for write opcodes (W, RW, LIST_W) regardless of key_type, since a dimension write makes the array non-empty. Closes phpGH-17144
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
FETCH_DIM_WstrippedMAY_BE_ARRAY_EMPTYonly inside a block guarded bykey_type & (MAY_BE_ARRAY_KEY_LONG|MAY_BE_ARRAY_KEY_STRING). When the key operand's type widened across loop iterations (e.g. fromMAY_BE_ARRAYto include scalar types),key_typewent from 0 to non-zero, causing the flag to be stripped on the second pass but not the first. This violated monotonicity and triggered the narrowing assertion.Strips
MAY_BE_ARRAY_EMPTYfor write opcodes (W, RW, LIST_W) regardless ofkey_type, since a dimension write makes the array non-empty.Fixes #17144