Commit f61b1fc0368 for php.net

commit f61b1fc03682ae72df84d58c0d0d7972c7b386bf
Author: Ilija Tovilo <ilija.tovilo@me.com>
Date:   Tue Jan 6 00:01:51 2026 +0100

    Fix block_pass JMP[N]Z optimization

    In the following optimization:

    JMPZ(X,L1) JMP(L2) L1: -> JMPNZ(X,L2) NOP

    L1 must not be followed by another block, so that it may safely be followed by
    the block containing the JMPNZ. get_next_block() is used to verify L1 is the
    direct follower. This function also skips empty blocks, including live, empty
    target blocks, which will then implicitly follow the new follow block. This will
    result in L1 being followed by two separate blocks, which is not possible.

    Resolve this by get_next_block() stopping at target blocks.

    Fixes OSS-Fuzz #472563272
    Closes GH-20850

diff --git a/NEWS b/NEWS
index 8201bf8cf9c..ab7bea69fb6 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ PHP                                                                        NEWS
   . Fixed bug GH-20837 (NULL dereference when calling ob_start() in shutdown
     function triggered by bailout in php_output_lock_error()). (timwolla)
   . Fix OSS-Fuzz #471533782 (Infinite loop in GC destructor fiber). (ilutov)
+  . Fix OSS-Fuzz #472563272 (Borked block_pass JMP[N]Z optimization). (ilutov)

 - MbString:
   . Fixed bug GH-20833 (mb_str_pad() divide by zero if padding string is
diff --git a/Zend/Optimizer/block_pass.c b/Zend/Optimizer/block_pass.c
index 6fcbd04f12a..ee70d021f4a 100644
--- a/Zend/Optimizer/block_pass.c
+++ b/Zend/Optimizer/block_pass.c
@@ -1152,7 +1152,7 @@ static zend_always_inline zend_basic_block *get_next_block(const zend_cfg *cfg,
 		}
 		next_block++;
 	}
-	while (next_block->len == 0 && !(next_block->flags & ZEND_BB_PROTECTED)) {
+	while (next_block->len == 0 && !(next_block->flags & (ZEND_BB_TARGET|ZEND_BB_PROTECTED))) {
 		next_block = cfg->blocks + next_block->successors[0];
 	}
 	return next_block;
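Review bot: The widened condition in the second `while` of get_next_block() has no comment saying why an empty target block must end the skip, so the invariant is recorded only in the commit message. I would add above the loop: `/* Stop at jump targets: skipping a live, empty target block would make it implicitly follow the caller's new follow block, giving one block two followers. */`. The function starts outside the hunk and its callers are not visible here. Every caller can now receive a zero-length target block where it previously got that block's successor, so it is worth confirming that each call site, not only the JMPZ/JMP rewrite, handles an empty return block correctly.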
diff --git a/ext/opcache/tests/oss-fuzz-472563272.phpt b/ext/opcache/tests/oss-fuzz-472563272.phpt
new file mode 100644
index 00000000000..39519abe9ae
--- /dev/null
+++ b/ext/opcache/tests/oss-fuzz-472563272.phpt
@@ -0,0 +1,14 @@
+--TEST--
+OSS-Fuzz #472563272: Borked block_pass JMP[N]Z optimization
+--EXTENSIONS--
+opcache
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+--FILE--
+<?php
+false || (true ? true : false) || (false ? true : false) || true;
+?>
+===DONE===
+--EXPECT--
+===DONE===
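Review bot: The regression test only asserts that the script reaches `===DONE===`, because the value of the `||` chain in `--FILE--` is discarded. That catches a crash or assertion failure in the optimizer, but a miscompilation that runs to completion with the wrong branch taken would still pass. If the triggering opcode shape survives it (this would need checking against the fuzzer reproducer), consider a second statement that observes the result, e.g. `var_dump(false || (true ? true : false) || (false ? true : false) || true);` with `bool(true)` added to `--EXPECT--`.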