From fad87a24daa8a79f7bcb9d4088f7d96d6f405cac Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Tue, 16 Feb 2021 20:02:12 +0300
Subject: Fixed bug #80742 (Opcache JIT makes some boolean logic unexpectedly
 be true)

---
 NEWS                                |  2 +
 ext/opcache/jit/zend_jit_x86.dasc   |  6 +--
 ext/opcache/tests/jit/bug80742.phpt | 98 +++++++++++++++++++++++++++++++++++++
 3 files changed, 103 insertions(+), 3 deletions(-)
 create mode 100644 ext/opcache/tests/jit/bug80742.phpt

diff --git a/NEWS b/NEWS
index b39899c085..d8a37b4323 100644
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,8 @@ PHP                                                                        NEWS
   . Fixed bug #80634 (write_property handler of internal classes is skipped on
     preloaded JITted code). (Dmitry)
   . Fixed bug #80682 (opcache doesn't honour pcre.jit option). (Remi)
+  . Fixed bug #80742 (Opcache JIT makes some boolean logic unexpectedly be
+    true). (Dmitry)
 
 - OpenSSL:
   . Fixed bug #80747 (Providing RSA key size < 512 generates key that crash
diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
index 93e95886aa..ceaa2b9a5a 100644
--- a/ext/opcache/jit/zend_jit_x86.dasc
+++ b/ext/opcache/jit/zend_jit_x86.dasc
@@ -7138,7 +7138,7 @@ static int zend_jit_cmp_double_common(dasm_State **Dst, const zend_op *opline, z
 					break;
 				case ZEND_IS_NOT_IDENTICAL:
 					if (exit_addr) {
-						|1:
+						| jp >1
 						| je &exit_addr
 						|1:
 					} else {
@@ -7231,10 +7231,10 @@ static int zend_jit_cmp_double_common(dasm_State **Dst, const zend_op *opline, z
 				case ZEND_IS_NOT_EQUAL:
 				case ZEND_IS_NOT_IDENTICAL:
 					|	jp >1
-					|	SET_ZVAL_TYPE_INFO res_addr, IS_TRUE
+					|	SET_ZVAL_TYPE_INFO res_addr, IS_FALSE
 					|	je => target_label
 					|1:
-					|	SET_ZVAL_TYPE_INFO res_addr, IS_FALSE
+					|	SET_ZVAL_TYPE_INFO res_addr, IS_TRUE
 					break;
 				case ZEND_IS_SMALLER:
 					if (swap) {
diff --git a/ext/opcache/tests/jit/bug80742.phpt b/ext/opcache/tests/jit/bug80742.phpt
new file mode 100644
index 0000000000..a86fe1052b
--- /dev/null
+++ b/ext/opcache/tests/jit/bug80742.phpt
@@ -0,0 +1,98 @@
+--TEST--
+Bug #80742 (Opcache JIT makes some boolean logic unexpectedly be true)
+--FILE--
+<?php
+
+function checkGroundState(float $movY, float $dy) : void{
+	var_dump($movY != $dy, $movY < 0, ($movY != $dy and $movY < 0));
+	var_dump("wow!");
+}
+
+checkGroundState(0, 0);
+
+function eq(float $a, float $b, $c, $d) {
+	if ($a == $b) {
+		echo 1;
+	}
+	if ($a == $b) {
+	} else {
+		echo 2;
+	}
+	if ($a != $b) {
+		echo 3;
+	}
+	if ($a != $b) {
+	} else {
+		echo 4;
+	}
+	if ($a === $b) {
+		echo 5;
+	}
+	if ($a === $b) {
+	} else {
+		echo 6;
+	}
+	if ($a !== $b) {
+		echo 7;
+	}
+	if ($a !== $b) {
+	} else {
+		echo 8;
+	}
+	echo "\n";
+	var_dump(
+		$a == $b && $c,
+		$a != $b && $c,
+		$a === $b && $c,
+		$a !== $b && $c,);
+	var_dump(
+		$a == $b || $d,
+		$a != $b || $d,
+		$a === $b || $d,
+		$a !== $b || $d);
+}
+eq(3.0, 3.0, true, false);
+eq(3.0,	2.0, true, false);
+eq(3.0, NAN, true, false);
+eq(NAN, NAN, true, false);
+--EXPECT--
+bool(false)
+bool(false)
+bool(false)
+string(4) "wow!"
+1458
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+2367
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+2367
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+2367
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
+bool(false)
+bool(true)
-- 
cgit v1.2.1