From c28fe2734d1b2c2f905cb4968806c3804ff036ad Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Fri, 3 Jun 2022 11:23:05 +0300
Subject: [PATCH] Validate operand types

---
 ir.g                      | 16 ++++++++++------
 ir_private.h              |  6 +++---
 tests/debug/memop_003.irt |  2 +-
 3 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/ir.g b/ir.g
index 59bcdf3..7ad6a54 100644
--- a/ir.g
+++ b/ir.g
@@ -161,12 +161,12 @@ ir_insn(ir_parser_ctx *p):
 			{if (count.i32 < 0 || count.i32 > 255) yy_error("bad bumber of operands");}
 			{ref = ir_emit_N(p->ctx, IR_OPT(op, t), count.i32);}
 			(	"("
-				(	val(p, 1, &op1)
+				(	val(p, op, 1, &op1)
 					{n = 1;}
 					{if (n > count.i32) yy_error("too many operands");}
 					{ir_set_op(p->ctx, ref, n, op1);}
 					(	","
-						val(p, n,  &op1)
+						val(p, op, n,  &op1)
 						{n++;}
 						{if (n > count.i32) yy_error("too many operands");}
 						{ir_set_op(p->ctx, ref, n, op1);}
@@ -176,11 +176,11 @@ ir_insn(ir_parser_ctx *p):
 			)?
 		|
 			(	"("
-				(	val(p, 1, &op1)
+				(	val(p, op, 1, &op1)
 					(	","
-						val(p, 2,  &op2)
+						val(p, op, 2, &op2)
 						(	","
-							val(p, 3, &op3)
+							val(p, op, 3, &op3)
 						)?
 					)?
 				)?
@@ -222,15 +222,19 @@ func(uint8_t *op):
 	{*op = ref - 1;}
 ;
 
-val(ir_parser_ctx *p, uint32_t n, ir_ref *ref):
+val(ir_parser_ctx *p, uint8_t op, uint32_t n, ir_ref *ref):
 	{const char *str;}
 	{size_t len;}
 	{ir_val val;}
+	{uint32_t kind = IR_OPND_KIND(ir_op_flags[op], n);}
 	(	ID(&str, &len)
+		{if (kind < IR_OPND_DATA || kind > IR_OPND_VAR) yy_error("unexpected reference");}
 		{*ref = ir_use_var(p, n, str, len);}
 	|   STRING(&str, &len)
+		{if (kind != IR_OPND_STR) yy_error("unexpected string");}
 		{*ref = ir_strl(p->ctx, str, len);}
 	|	DECNUMBER(IR_I32, &val)
+		{if (kind != IR_OPND_NUM && kind != IR_OPND_PROB) yy_error("unexpected number");}
 		{if (val.u64 < 0 && val.u64 >= 0x7ffffff) yy_error("number out of range");}
 		{*ref = val.u64;}
 	)
diff --git a/ir_private.h b/ir_private.h
index 940a973..c89a5fc 100644
--- a/ir_private.h
+++ b/ir_private.h
@@ -555,9 +555,9 @@ extern const char *ir_op_name[IR_LAST_OP];
 #define IR_OPND_CONTROL           0x2
 #define IR_OPND_CONTROL_DEP       0x3
 #define IR_OPND_CONTROL_REF       0x4
-#define IR_OPND_STR               0x5
-#define IR_OPND_NUM               0x6
-#define IR_OPND_VAR               0x7
+#define IR_OPND_VAR               0x5
+#define IR_OPND_STR               0x6
+#define IR_OPND_NUM               0x7
 #define IR_OPND_PROB              0x8
 
 #define IR_OP_FLAGS(op_flags, op1_flags, op2_flags, op3_flags) \
diff --git a/tests/debug/memop_003.irt b/tests/debug/memop_003.irt
index 6a7a738..eb30074 100644
--- a/tests/debug/memop_003.irt
+++ b/tests/debug/memop_003.irt
@@ -12,7 +12,7 @@ x86_64
 	int32_t v = VAR(l_1, "_spill_");
 	l_2 = VSTORE(l_1, v, y);
 	int32_t z, l_3 = VLOAD(l_2, v);
-	int32_t y2 = ADD(y, 2);
+	int32_t y2 = ADD(y, y);
 	int32_t ret = AND(y2, z);
 	l_4 = VSTORE(l_3, v, ret);
 	l_5 = RETURN(l_4);