Fix GH-15981: Segfault with frameless jumps and minimal JIT

nielsdos · nielsdos · commit 72184abd2f47 · 2025-01-09T19:59:03.000+01:00
Minimal JIT shouldn't generate a call to the complex handler, but
instead rely on the VM and then check for a two-way jump.
This moves the frameless codegen under the check `JIT_G(opt_level) &gt;=
ZEND_JIT_LEVEL_INLINE`.
diff --git a/NEWS b/NEWS
@@ -36,6 +36,10 @@ PHP                                                                        NEWS
 - Intl:
   . Fixed bug GH-11874 (intl causing segfault in docker images). (nielsdos)
  
+- Opcache:
+  . Fixed bug GH-15981 (Segfault with frameless jumps and minimal JIT).
+    (nielsdos)
+
 - PHPDBG:
   . Fix crashes in function registration + test. (nielsdos, Girgias)
 
diff --git a/ext/opcache/jit/zend_jit.c b/ext/opcache/jit/zend_jit.c
@@ -2489,6 +2489,11 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 							goto jit_failure;
 						}
 						goto done;
+					case ZEND_JMP_FRAMELESS:
+						if (!zend_jit_jmp_frameless(&ctx, opline, /* exit_addr */ NULL, /* guard */ 0)) {
+							goto jit_failure;
+						}
+						goto done;
 					case ZEND_INIT_METHOD_CALL:
 						if (opline->op2_type != IS_CONST
 						 || Z_TYPE_P(RT_CONSTANT(opline, opline->op2)) != IS_STRING) {
@@ -2644,17 +2649,13 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 				case ZEND_FE_FETCH_R:
 				case ZEND_FE_FETCH_RW:
 				case ZEND_BIND_INIT_STATIC_OR_JMP:
+				case ZEND_JMP_FRAMELESS:
 					if (!zend_jit_handler(&ctx, opline,
 							zend_may_throw(opline, ssa_op, op_array, ssa)) ||
 					    !zend_jit_cond_jmp(&ctx, opline + 1, ssa->cfg.blocks[b].successors[0])) {
 						goto jit_failure;
 					}
 					break;
-				case ZEND_JMP_FRAMELESS:
-					if (!zend_jit_jmp_frameless(&ctx, opline, /* exit_addr */ NULL, /* guard */ 0)) {
-						goto jit_failure;
-					}
-					break;
 				case ZEND_NEW:
 					if (!zend_jit_handler(&ctx, opline, 1)) {
 						return 0;
diff --git a/ext/opcache/tests/jit/gh15981.phpt b/ext/opcache/tests/jit/gh15981.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-15981 (Segfault with frameless jumps and minimal JIT)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1111
+--FILE--
+<?php
+
+namespace NS { // Namespace is important to reproduce the issue
+    class Tester {
+        static public function findExecutable(): string {
+            return dirname(__DIR__);
+        }
+    }
+}
+
+namespace {
+    var_dump(NS\Tester::findExecutable());
+}
+
+?>
+--EXPECTF--
+string(%d) "%s"
