Fix GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG)

ZEND_FETCH_DIM_FUNC_ARG should also be repeated on undefined access, consistent to how ZEND_FETCH_DIM_R is handled. The opcode was just missing from the assertion list. Closes GH-17148. Co-authored-by: Dmitry Stogov <dmitry@zend.com>
2026-03-24 00:02:20 +01:00 · 2024-12-13 18:24:31 +01:00
parent 7b2b2ecab9
commit 2104097a79
4 changed files with 76 additions and 1 deletions
--- a/2
+++ b/2
@@ -43,6 +43,8 @@ PHP                                                                        NEWS

 - Opcache:
  . opcache_get_configuration() properly reports jit_prof_threshold. (cmb)
+  . Fixed bug GH-17140 (Assertion failure in JIT trace exit with
+    ZEND_FETCH_DIM_FUNC_ARG). (nielsdos, Dmitry)

 - PCNTL:
  . Fix memory leak in cleanup code of pcntl_exec() when a non stringable
--- a/ext/opcache/jit/zend_jit_trace.c
+++ b/ext/opcache/jit/zend_jit_trace.c
@@ -8585,7 +8585,7 @@ int ZEND_FASTCALL zend_jit_trace_exit(uint32_t exit_num, zend_jit_registers_buf
 				if (op->opcode == ZEND_FETCH_DIM_IS || op->opcode == ZEND_FETCH_OBJ_IS) {
 					ZVAL_NULL(EX_VAR_NUM(i));
 				} else {
-					assert(op->opcode == ZEND_FETCH_DIM_R || op->opcode == ZEND_FETCH_LIST_R || op->opcode == ZEND_FETCH_OBJ_R);
+					ZEND_ASSERT(op->opcode == ZEND_FETCH_DIM_R || op->opcode == ZEND_FETCH_LIST_R || op->opcode == ZEND_FETCH_OBJ_R || op->opcode == ZEND_FETCH_DIM_FUNC_ARG || op->opcode == ZEND_FETCH_OBJ_FUNC_ARG);
 					repeat_last_opline = 1;
 				}
 			} else {
--- a/ext/opcache/tests/jit/gh17140_1.phpt
+++ b/ext/opcache/tests/jit/gh17140_1.phpt
@@ -0,0 +1,33 @@
+--TEST--
+GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1254
+opcache.jit_buffer_size=32M
+opcache.jit_hot_func=1
+opcache.jit_hot_side_exit=1
+--FILE--
+<?php
+namespace Foo;
+function test() {
+    $a['x'][1] = true;
+    for ($fusion = 0; $i < 3; $i++) {
+        var_dump($a['x'][0]);
+    }
+}
+test();
+?>
+--EXPECTF--
+Warning: Undefined variable $i in %s on line %d
+
+Warning: Undefined array key 0 in %s on line %d
+NULL
+
+Warning: Undefined variable $i in %s on line %d
+
+Warning: Undefined array key 0 in %s on line %d
+NULL
+
+Warning: Undefined array key 0 in %s on line %d
+NULL
--- a/ext/opcache/tests/jit/gh17140_2.phpt
+++ b/ext/opcache/tests/jit/gh17140_2.phpt
@@ -0,0 +1,40 @@
+--TEST--
+GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_OBJ_FUNC_ARG)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1254
+opcache.jit_buffer_size=32M
+opcache.jit_hot_func=1
+opcache.jit_hot_side_exit=1
+--FILE--
+<?php
+namespace Foo;
+class X {
+        public $a = 1;
+        public $b;
+        function __construct() {
+                unset($this->b);
+        }
+}
+function test() {
+    $a['x'] = new X;
+    for ($fusion = 0; $i < 3; $i++) {
+        var_dump($a['x']->b);
+    }
+}
+test();
+?>
+--EXPECTF--
+Warning: Undefined variable $i in %s on line %d
+
+Warning: Undefined property: Foo\X::$b in %s on line %d
+NULL
+
+Warning: Undefined variable $i in %s on line %d
+
+Warning: Undefined property: Foo\X::$b in %s on line %d
+NULL
+
+Warning: Undefined property: Foo\X::$b in %s on line %d
+NULL