Fix GH-20890: Segfault in zval_undefined_cv with non-simple property hook with minimal tracing JIT

This is similar to f6c2e40a11 but for minimal JIT + tracing JIT. Most of the times the tracing JIT shouldn't rely on going to the VM, but in some cases, like in minimal JIT, it can and then it hits the same bug. Closes GH-20897.
2026-03-24 00:02:20 +01:00 · 2026-01-10 17:42:01 +01:00
parent 6a21a41b4a
commit 57c62eb2b3
3 changed files with 49 additions and 0 deletions
--- a/4
+++ b/4
@@ -25,6 +25,10 @@ PHP                                                                        NEWS
  . Fixed bug GH-20836 (Stack overflow in mb_convert_variables with
    recursive array references). (alexandre-daubois)

+- Opcache:
+  . Fixed bug GH-20890 (Segfault in zval_undefined_cv with non-simple
+    property hook with minimal tracing JIT). (ndossche)
+
 - Phar:
  . Fixed bug GH-20882 (buildFromIterator breaks with missing base directory).
    (ndossche)
--- a/ext/opcache/jit/zend_jit_trace.c
+++ b/ext/opcache/jit/zend_jit_trace.c
@@ -328,6 +328,14 @@ static int zend_jit_trace_may_exit(const zend_op_array *op_array, const zend_op
 			// TODO: recompilation may change target ???
 			return 0;
 #endif
+		case ZEND_FETCH_OBJ_R:
+			if (opline->op2_type == IS_CONST) {
+				const zend_class_entry *ce = opline->op1_type == IS_UNUSED ? op_array->scope : NULL;
+				if (!ce || !(ce->ce_flags & ZEND_ACC_FINAL) || ce->num_hooked_props > 0) {
+					return 1;
+				}
+			}
+			break;
 		case ZEND_RETURN_BY_REF:
 		case ZEND_RETURN:
 			/* return */
--- a/ext/opcache/tests/jit/gh20890.phpt
+++ b/ext/opcache/tests/jit/gh20890.phpt
@@ -0,0 +1,37 @@
+--TEST--
+GH-20890 (Segfault in zval_undefined_cv with non-simple property hook with minimal tracing JIT)
+--CREDITS--
+Moonster8282
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1251
+--FILE--
+<?php
+class HookJIT {
+    private int $readCount = 0;
+
+    public int $computed {
+        get {
+            $this->readCount++;
+            return $this->readCount * 2;
+        }
+    }
+}
+
+function hook_hot_path($obj, $iterations) {
+    $sum = 0;
+    for ($i = 0; $i < $iterations; $i++) {
+        $sum += $obj->computed;
+    }
+    return $sum;
+}
+
+echo "Testing property hook in hot path...\n";
+$obj = new HookJIT();
+$result = hook_hot_path($obj, 100);
+echo "Result: $result\n";
+?>
+--EXPECT--
+Testing property hook in hot path...
+Result: 10100