Fix GH-20838: JIT compiler produces wrong arithmetic results #21383
Open
iliaal wants to merge 1 commit into php:master from
When an opcode falls through to the handler path and an operand has MAY_BE_GUARD, the guard is widened to MAY_BE_ANY but not emitted. The handler can then produce a result type different from the TSSA prediction (e.g. IS_LONG instead of IS_DOUBLE for MUL with mixed types), but SET_STACK_TYPE unconditionally records the predicted type as mem_type. Side traces reading this slot from memory then interpret the raw bytes as the wrong type.

Don't trust the TSSA concrete result type when the handler path is taken and any operand had MAY_BE_GUARD.

Closes phpGH-20838
Summary
- MAY_BE_GUARD, the guard is widened to MAY_BE_ANY but never emitted as a runtime type check
- IS_LONG instead of IS_DOUBLE for MUL with mixed string/numeric operands), but SET_STACK_TYPE unconditionally records the predicted concrete type as mem_type
- IS_LONG bytes as IEEE 754 double (producing values like 3.7054923438093E-322 instead of 75)
- MAY_BE_GUARD

Fixes #20838
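
The failure described above, reduced to a stand-alone C model: a slot written as the integer 75 is read back as a double under a stale predicted type, and read correctly once the type is left unknown. This is an added example, not code from the pull request or from php-src; `slot`, `stack_info`, `handler_mul`, `record_type`, `side_trace_read` and the operands 15 and 5 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT php-src code: every name here is hypothetical. */
enum slot_type { T_UNKNOWN, T_LONG, T_DOUBLE };

struct slot {                       /* VM stack slot: raw value plus runtime tag */
    union { int64_t lval; double dval; } v;
    enum slot_type runtime_type;
};
struct stack_info { enum slot_type mem_type; };  /* compile-time belief about the slot */

/* Handler path: the result type is decided at run time, here an integer. */
static void handler_mul(struct slot *res, int64_t a, int64_t b) {
    res->v.lval = a * b;
    res->runtime_type = T_LONG;
}

/* Unfixed: always record the predicted type. Fixed: when the handler path ran
 * with a guarded operand, the prediction was never checked, so record unknown. */
static void record_type(struct stack_info *si, enum slot_type predicted,
                        int operand_had_guard, int fixed) {
    si->mem_type = (fixed && operand_had_guard) ? T_UNKNOWN : predicted;
}

/* Side trace: trusts mem_type when it is concrete, else loads the runtime tag. */
static double side_trace_read(const struct slot *s, const struct stack_info *si) {
    enum slot_type t = si->mem_type != T_UNKNOWN ? si->mem_type : s->runtime_type;
    if (t == T_DOUBLE) {
        double d;
        memcpy(&d, &s->v, sizeof d);   /* raw bytes taken as IEEE 754 double */
        return d;
    }
    return (double)s->v.lval;
}

static double run(int fixed) {
    struct slot res;
    struct stack_info si;
    handler_mul(&res, 15, 5);               /* constructed operands: 15 * 5 = 75 */
    record_type(&si, T_DOUBLE, 1, fixed);   /* prediction was double, guard not emitted */
    return side_trace_read(&res, &si);
}

int main(void) {
    printf("stale mem_type: %.14g\nunknown mem_type: %.14g\n", run(0), run(1));
    return 0;
}
```

The stale read returns a subnormal double whose bit pattern is the integer 75, which is the kind of value the summary quotes.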