From 79aaeeafe5904307ac582efe2aa42f21a4d82a21 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Mon, 18 Nov 2024 14:27:08 +0300
Subject: [PATCH] Fix GH-16829: Segmentation fault with opcache.jit=tracing
 enabled on aarch64

---
 ext/opcache/jit/zend_jit_vm_helpers.c | 10 +++++++++-
 ext/opcache/tests/jit/gh16829.phpt    | 14 ++++++++++++++
 ext/opcache/tests/jit/gh16829_1.inc   | 16 ++++++++++++++++
 ext/opcache/tests/jit/gh16829_2.inc   | 23 +++++++++++++++++++++++
 4 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 ext/opcache/tests/jit/gh16829.phpt
 create mode 100644 ext/opcache/tests/jit/gh16829_1.inc
 create mode 100644 ext/opcache/tests/jit/gh16829_2.inc

diff --git a/ext/opcache/jit/zend_jit_vm_helpers.c b/ext/opcache/jit/zend_jit_vm_helpers.c
index e37a0ef3af8..3e9ae93c106 100644
--- a/ext/opcache/jit/zend_jit_vm_helpers.c
+++ b/ext/opcache/jit/zend_jit_vm_helpers.c
@@ -925,7 +925,15 @@ zend_jit_trace_stop ZEND_FASTCALL zend_jit_trace_execute(zend_execute_data *ex,
 				(zend_jit_op_array_trace_extension*)ZEND_FUNC_INFO(op_array);
 			if (UNEXPECTED(!jit_extension)
 			 || UNEXPECTED(!(jit_extension->func_info.flags & ZEND_FUNC_JIT_ON_HOT_TRACE))) {
-				stop = ZEND_JIT_TRACE_STOP_INTERPRETER;
+#ifdef HAVE_GCC_GLOBAL_REGS
+				if (execute_data->prev_execute_data != prev_execute_data) {
+#else
+				if (rc < 0) {
+#endif
+					stop = ZEND_JIT_TRACE_STOP_RETURN;
+				} else {
+					stop = ZEND_JIT_TRACE_STOP_INTERPRETER;
+				}
 				break;
 			}
 			offset = jit_extension->offset;
diff --git a/ext/opcache/tests/jit/gh16829.phpt b/ext/opcache/tests/jit/gh16829.phpt
new file mode 100644
index 00000000000..174a265cede
--- /dev/null
+++ b/ext/opcache/tests/jit/gh16829.phpt
@@ -0,0 +1,14 @@
+--TEST--
+GH-16829 (Segmentation fault with opcache.jit=tracing enabled on aarch64)
+--INI--
+opcache.jit_buffer_size=32M
+--EXTENSIONS--
+opcache
+--FILE--
+<?php
+touch('gh16829_1.inc');
+require_once('gh16829_1.inc');
+?>
+DONE
+--EXPECT--
+DONE
diff --git a/ext/opcache/tests/jit/gh16829_1.inc b/ext/opcache/tests/jit/gh16829_1.inc
new file mode 100644
index 00000000000..2ba48f41419
--- /dev/null
+++ b/ext/opcache/tests/jit/gh16829_1.inc
@@ -0,0 +1,16 @@
+<?php
+# inline Reproducer class definition and segfaults will go away
+require_once('Reproducer.php');
+
+# remove $someVar1\2 or $someVar3 and loop at the end of the file and segfaults will go away
+$someVar2 = null;
+$someVar1 = null;
+$someVar3 = [];
+
+for ($i = 0; $i < 10; $i++) {
+    Reproducer::loops();
+}
+
+foreach ($someVar3 as $_) {
+}
+?>
\ No newline at end of file
diff --git a/ext/opcache/tests/jit/gh16829_2.inc b/ext/opcache/tests/jit/gh16829_2.inc
new file mode 100644
index 00000000000..8fddb035431
--- /dev/null
+++ b/ext/opcache/tests/jit/gh16829_2.inc
@@ -0,0 +1,23 @@
+<?php
+class Reproducer
+{
+    /**
+     * Remove $params arg and segfaults will go away
+     */
+    public static function loops(array $params = []): int
+    {
+        $arrCount = 2000;
+        # Replace `$arrCount % 16` with 0 and segfaults will go away
+        $arrCount2 = $arrCount - $arrCount % 16;
+        $result = 0;
+
+        for ($baseIdx = 0; $baseIdx < $arrCount2; $baseIdx++) {
+        }
+
+        while ($baseIdx < $arrCount) {
+        }
+
+        return $result;
+    }
+}
+?>
\ No newline at end of file