Fix GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG)

nielsdos · dstogov · nielsdos · commit 2104097a79d8 · 2024-12-16T19:46:11.000+01:00
ZEND_FETCH_DIM_FUNC_ARG should also be repeated on undefined access, consistent to how ZEND_FETCH_DIM_R is handled. The opcode was just missing from the assertion list. Closes GH-17148. Co-authored-by: Dmitry Stogov <dmitry@zend.com>
diff --git a/NEWS b/NEWS
@@ -43,6 +43,8 @@ PHP                                                                        NEWS
 
 - Opcache:
   . opcache_get_configuration() properly reports jit_prof_threshold. (cmb)
+  . Fixed bug GH-17140 (Assertion failure in JIT trace exit with
+    ZEND_FETCH_DIM_FUNC_ARG). (nielsdos, Dmitry)
 
 - PCNTL:
   . Fix memory leak in cleanup code of pcntl_exec() when a non stringable
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
@@ -8585,7 +8585,7 @@ int ZEND_FASTCALL zend_jit_trace_exit(uint32_t exit_num, zend_jit_registers_buf
 				if (op->opcode == ZEND_FETCH_DIM_IS || op->opcode == ZEND_FETCH_OBJ_IS) {
 					ZVAL_NULL(EX_VAR_NUM(i));
 				} else {
-					assert(op->opcode == ZEND_FETCH_DIM_R || op->opcode == ZEND_FETCH_LIST_R || op->opcode == ZEND_FETCH_OBJ_R);
+					ZEND_ASSERT(op->opcode == ZEND_FETCH_DIM_R || op->opcode == ZEND_FETCH_LIST_R || op->opcode == ZEND_FETCH_OBJ_R || op->opcode == ZEND_FETCH_DIM_FUNC_ARG || op->opcode == ZEND_FETCH_OBJ_FUNC_ARG);
 					repeat_last_opline = 1;
 				}
 			} else {
diff --git a/ext/opcache/tests/jit/gh17140_1.phpt b/ext/opcache/tests/jit/gh17140_1.phpt
@@ -0,0 +1,33 @@
+--TEST--
+GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1254
+opcache.jit_buffer_size=32M
+opcache.jit_hot_func=1
+opcache.jit_hot_side_exit=1
+--FILE--
+<?php
+namespace Foo;
+function test() {
+    $a['x'][1] = true;
+    for ($fusion = 0; $i < 3; $i++) {
+        var_dump($a['x'][0]);
+    }
+}
+test();
+?>
+--EXPECTF--
+Warning: Undefined variable $i in %s on line %d
+
+Warning: Undefined array key 0 in %s on line %d
+NULL
+
+Warning: Undefined variable $i in %s on line %d
+
+Warning: Undefined array key 0 in %s on line %d
+NULL
+
+Warning: Undefined array key 0 in %s on line %d
+NULL
diff --git a/ext/opcache/tests/jit/gh17140_2.phpt b/ext/opcache/tests/jit/gh17140_2.phpt
@@ -0,0 +1,40 @@
+--TEST--
+GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_OBJ_FUNC_ARG)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1254
+opcache.jit_buffer_size=32M
+opcache.jit_hot_func=1
+opcache.jit_hot_side_exit=1
+--FILE--
+<?php
+namespace Foo;
+class X {
+        public $a = 1;
+        public $b;
+        function __construct() {
+                unset($this->b);
+        }
+}
+function test() {
+    $a['x'] = new X;
+    for ($fusion = 0; $i < 3; $i++) {
+        var_dump($a['x']->b);
+    }
+}
+test();
+?>
+--EXPECTF--
+Warning: Undefined variable $i in %s on line %d
+
+Warning: Undefined property: Foo\X::$b in %s on line %d
+NULL
+
+Warning: Undefined variable $i in %s on line %d
+
+Warning: Undefined property: Foo\X::$b in %s on line %d
+NULL
+
+Warning: Undefined property: Foo\X::$b in %s on line %d
+NULL

Original file line number	Diff line number	Diff line change
`@@ -8585,7 +8585,7 @@ int ZEND_FASTCALL zend_jit_trace_exit(uint32_t exit_num, zend_jit_registers_buf`
`8585`	`8585`	`if (op->opcode == ZEND_FETCH_DIM_IS \|\| op->opcode == ZEND_FETCH_OBJ_IS) {`
`8586`	`8586`	`ZVAL_NULL(EX_VAR_NUM(i));`
`8587`	`8587`	`} else {`
`8588`		`- assert(op->opcode == ZEND_FETCH_DIM_R \|\| op->opcode == ZEND_FETCH_LIST_R \|\| op->opcode == ZEND_FETCH_OBJ_R);`
	`8588`	`+ ZEND_ASSERT(op->opcode == ZEND_FETCH_DIM_R \|\| op->opcode == ZEND_FETCH_LIST_R \|\| op->opcode == ZEND_FETCH_OBJ_R \|\| op->opcode == ZEND_FETCH_DIM_FUNC_ARG \|\| op->opcode == ZEND_FETCH_OBJ_FUNC_ARG);`
`8589`	`8589`	`repeat_last_opline = 1;`
`8590`	`8590`	`}`
`8591`	`8591`	`} else {`