Fix GH-21368 follow-up: escape_if_undef on CALL VM

iliaal · iliaal · commit 6b855af572cb · 2026-05-12T15:56:17.000-04:00
Two issues reachable on debug Clang/CALL builds of PHP-8.4.

ir_CONST_ADDR for orig_handler trips jit_CONST_FUNC_PROTO's FUNC_ADDR
assertion when another site reuses the same handler via
ir_CONST_FC_FUNC in the same trace compile (Symfony HttpClient test
suite repro).

The ir_TAILCALL_1 to orig_handler leaves execute_ex with stale
execute_data after a frame-changing handler. PHP-8.4's CALL VM needs a
non-zero return to reload from EG(current_execute_data); the tail-call
discards that signal. gh21267.phpt with aggressive jit_hot_* ini
reproduces a crash in ZEND_DO_FCALL.

Use ir_CONST_FC_FUNC to register the handler as FUNC_ADDR, and mirror
zend_jit_tail_handler's ZEND_FUNC_RECURSIVE_DIRECTLY branch (ir_CALL_1
+ ir_RETURN(1)) so execute_ex reloads. The ir_CAST_FC_FUNC on x86
becomes dead.
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
@@ -8096,14 +8096,12 @@ static int zend_jit_escape_if_undef(zend_jit_ctx *jit, int var, uint32_t flags,
 	zend_jit_op_array_trace_extension *jit_extension =
 		(zend_jit_op_array_trace_extension*)ZEND_FUNC_INFO(op_array);
 	size_t offset = jit_extension->offset;
-	ir_ref ref = ir_CONST_ADDR(ZEND_OP_TRACE_INFO((opline - 1), offset)->orig_handler);
+	ir_ref ref = ir_CONST_FC_FUNC(ZEND_OP_TRACE_INFO((opline - 1), offset)->orig_handler);
 	if (GCC_GLOBAL_REGS) {
 		ir_TAILCALL(IR_VOID, ref);
 	} else {
-#if defined(IR_TARGET_X86)
-		ref = ir_CAST_FC_FUNC(ref);
-#endif
-		ir_TAILCALL_1(IR_I32, ref, jit_FP(jit));
+		ir_CALL_1(IR_I32, ref, jit_FP(jit));
+		ir_RETURN(ir_CONST_I32(1));
 	}
 
 	ir_IF_TRUE(if_def);
diff --git a/ext/opcache/tests/jit/gh21368_call_vm.phpt b/ext/opcache/tests/jit/gh21368_call_vm.phpt
@@ -0,0 +1,36 @@
+--TEST--
+GH-21368 (JIT escape_if_undef SEGV on CALL VM with aggressive trace counters)
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.jit_buffer_size=64M
+opcache.jit=tracing
+opcache.protect_memory=1
+opcache.jit_hot_loop=1
+opcache.jit_hot_func=1
+opcache.jit_hot_return=1
+opcache.jit_hot_side_exit=1
+--FILE--
+<?php
+class C {
+    public $x = true;
+    public function __get($name) { return null; }
+    public function getX() { return $this->x; }
+}
+
+$o1 = new C;
+$o2 = new C;
+$o2->x = false;
+$o3 = new C;
+unset($o3->x);
+$a = [$o1, $o2, $o3];
+
+for ($i = 0; $i < 8; $i++) {
+    $m = $a[$i % 3];
+    $m->getX();
+    $m->getX();
+}
+?>
+OK
+--EXPECT--
+OK
