From 2104097a79d8c726bf9efbb7c2ed17ee72bb7022 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Fri, 13 Dec 2024 18:24:31 +0100 Subject: [PATCH] Fix GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG) ZEND_FETCH_DIM_FUNC_ARG should also be repeated on undefined access, consistent to how ZEND_FETCH_DIM_R is handled. The opcode was just missing from the assertion list. Closes GH-17148. Co-authored-by: Dmitry Stogov --- NEWS | 2 ++ ext/opcache/jit/zend_jit_trace.c | 2 +- ext/opcache/tests/jit/gh17140_1.phpt | 33 +++++++++++++++++++++++ ext/opcache/tests/jit/gh17140_2.phpt | 40 ++++++++++++++++++++++++++++ 4 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 ext/opcache/tests/jit/gh17140_1.phpt create mode 100644 ext/opcache/tests/jit/gh17140_2.phpt diff --git a/NEWS b/NEWS index 675ca9f8dec..b44a0bcaaa0 100644 --- a/NEWS +++ b/NEWS @@ -43,6 +43,8 @@ PHP NEWS - Opcache: . opcache_get_configuration() properly reports jit_prof_threshold. (cmb) + . Fixed bug GH-17140 (Assertion failure in JIT trace exit with + ZEND_FETCH_DIM_FUNC_ARG). (nielsdos, Dmitry) - PCNTL: . Fix memory leak in cleanup code of pcntl_exec() when a non stringable diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c index da66a903c17..8f20c85da05 100644 --- a/ext/opcache/jit/zend_jit_trace.c +++ b/ext/opcache/jit/zend_jit_trace.c @@ -8585,7 +8585,7 @@ int ZEND_FASTCALL zend_jit_trace_exit(uint32_t exit_num, zend_jit_registers_buf if (op->opcode == ZEND_FETCH_DIM_IS || op->opcode == ZEND_FETCH_OBJ_IS) { ZVAL_NULL(EX_VAR_NUM(i)); } else { - assert(op->opcode == ZEND_FETCH_DIM_R || op->opcode == ZEND_FETCH_LIST_R || op->opcode == ZEND_FETCH_OBJ_R); + ZEND_ASSERT(op->opcode == ZEND_FETCH_DIM_R || op->opcode == ZEND_FETCH_LIST_R || op->opcode == ZEND_FETCH_OBJ_R || op->opcode == ZEND_FETCH_DIM_FUNC_ARG || op->opcode == ZEND_FETCH_OBJ_FUNC_ARG); repeat_last_opline = 1; } } else { 
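Review bot: The opcode list in the new `ZEND_ASSERT` (the `else` branch, just before `repeat_last_opline = 1;`) carries no comment stating what qualifies an opcode for it, and the commit message says ZEND_FETCH_DIM_FUNC_ARG "was just missing" from it. I would add above it `/* These fetch opcodes are repeated on undefined access; any opcode that can take this exit must be listed here. */`. As far as I know ZEND_ASSERT is checked only in debug builds and becomes an optimizer assumption otherwise, so a future omission would go unnoticed in release builds; it is worth confirming that no other fetch opcode can reach this branch. The list also gains ZEND_FETCH_OBJ_FUNC_ARG, which the commit subject and the NEWS entry do not mention. zend_jit_trace_exit starts and ends outside the hunk.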
diff --git a/ext/opcache/tests/jit/gh17140_1.phpt b/ext/opcache/tests/jit/gh17140_1.phpt new file mode 100644 index 00000000000..a37277f69ba --- /dev/null +++ b/ext/opcache/tests/jit/gh17140_1.phpt @@ -0,0 +1,33 @@ +--TEST-- +GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG) +--EXTENSIONS-- +opcache +--INI-- +opcache.jit=1254 +opcache.jit_buffer_size=32M +opcache.jit_hot_func=1 +opcache.jit_hot_side_exit=1 +--FILE-- + +--EXPECTF-- +Warning: Undefined variable $i in %s on line %d + +Warning: Undefined array key 0 in %s on line %d +NULL + +Warning: Undefined variable $i in %s on line %d + +Warning: Undefined array key 0 in %s on line %d +NULL + +Warning: Undefined array key 0 in %s on line %d +NULL diff --git a/ext/opcache/tests/jit/gh17140_2.phpt b/ext/opcache/tests/jit/gh17140_2.phpt new file mode 100644 index 00000000000..9ef3177c75f --- /dev/null +++ b/ext/opcache/tests/jit/gh17140_2.phpt @@ -0,0 +1,40 @@ +--TEST-- +GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_OBJ_FUNC_ARG) +--EXTENSIONS-- +opcache +--INI-- +opcache.jit=1254 +opcache.jit_buffer_size=32M +opcache.jit_hot_func=1 +opcache.jit_hot_side_exit=1 +--FILE-- +b); + } +} +function test() { + $a['x'] = new X; + for ($fusion = 0; $i < 3; $i++) { + var_dump($a['x']->b); + } +} +test(); +?> +--EXPECTF-- +Warning: Undefined variable $i in %s on line %d + +Warning: Undefined property: Foo\X::$b in %s on line %d +NULL + +Warning: Undefined variable $i in %s on line %d + +Warning: Undefined property: Foo\X::$b in %s on line %d +NULL + +Warning: Undefined property: Foo\X::$b in %s on line %d +NULL
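Review bot: The `--INI--` section of gh17140_1.phpt sets `opcache.jit=1254` and the hot-counter thresholds but neither `opcache.enable=1` nor `opcache.enable_cli=1`, and gh17140_2.phpt has the same section. `opcache.enable_cli` is off by default, so unless the test runner enables it globally the script presumably runs without the JIT and the test passes without reaching zend_jit_trace_exit. Adding `opcache.enable=1` and `opcache.enable_cli=1` to both sections would make the regression tests guard the fix on their own.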