Segfault with JIT and large match/switch statements

[therealgaxbo]

Description

Running this code with the JIT enabled results in a segfault (sometimes I have to run it 2-3 times before it happens): https://gist.github.com/therealgaxbo/5e7b111c994bf932e3e7870ac258babe

$ php -v
PHP 8.0.15 (cli) (built: Jan 18 2022 12:16:19) ( NTS gcc x86_64 )
Copyright (c) The PHP Group
Zend Engine v4.0.15, Copyright (c) Zend Technologies
    with Zend OPcache v8.0.15, Copyright (c), by Zend Technologies

$ php -n -dzend_extension=/usr/lib64/php/modules/opcache.so -dopcache.enable_cli=1 -dopcache.jit_buffer_size=64M match.php
Segmentation fault (core dumped)

The same result happens with 8.1.2.

This is as minimal as I've managed to make the repro. It seems extremely sensitive to the precise order that the two different match arms are accessed.

A similar segfault happens with an equivalent switch statement, although the exact number of arms may need increasing.

PHP Version

PHP 8.0.15, PHP 8.1.2

Operating System

Fedora 35

[kocoten1992]

Confirmed, seeing similar result with php debian:

php -dopcache.jit_buffer_size=64M match.php
[1]    655079 segmentation fault (core dumped)  php -dopcache.jit_buffer_size=64M match.php

PHP 8.1.2 (cli) (built: Jan 24 2022 10:42:51) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.2, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.2, Copyright (c), by Zend Technologies

[olivernybroe]

This might be related to #7854?

[therealgaxbo]

I thought the same, but had already ruled it out - cmb69 found the offending commit for that one (1f19401) and don't think that's in PHP 8.0.15.

I checked and can only trigger #7854 on 8.1.2, whereas my snipped segfaults on 8.0.15 as well.

[arnaud-lb]

Thank you !

This is now fixed in #8961