Fix GH-21368 crash: resolve orig_handler at side-trace compile time

iliaal · iliaal · commit 0777c515f2c4 · 2026-05-12T09:05:59.000-04:00
zend_jit_escape_if_undef read orig_handler via an op_array pointer
captured at parent-trace compile time. That pointer goes stale by the
time a side trace compiles for the exit, producing the access violation
reported by vibbow on PHP 8.5.5 Windows x64 NTS+FastCGI.

Resolve orig_handler against jit-&gt;current_op_array.
zend_jit_trace_start sets it to trace_buffer-&gt;op_array during side-trace
compilation; zend_jit_deoptimizer_start leaves it unset, so seed it
from exit_info-&gt;op_array in zend_jit_trace_exit_to_vm.

Create the IR ref via ir_CONST_FC_FUNC so jit-&gt;addr_hash registers the
handler as IR_FUNC_ADDR. A later ir_CONST_FC_FUNC for the same handler
otherwise trips the FUNC_ADDR assertion in jit_CONST_FUNC_PROTO. The
x86 ir_CAST_FC_FUNC becomes dead.
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
@@ -8068,7 +8068,7 @@ static int zend_jit_defined(zend_jit_ctx *jit, const zend_op *opline, uint8_t sm
 	return 1;
 }
 
-static int zend_jit_escape_if_undef(zend_jit_ctx *jit, int var, uint32_t flags, const zend_op *opline, const zend_op_array *op_array, int8_t reg)
+static int zend_jit_escape_if_undef(zend_jit_ctx *jit, int var, uint32_t flags, const zend_op *opline, int8_t reg)
 {
 	zend_jit_addr reg_addr = ZEND_ADDR_REF_ZVAL(zend_jit_deopt_rload(jit, IR_ADDR, reg));
 	ir_ref if_def = ir_IF(jit_Z_TYPE(jit, reg_addr));
@@ -8094,15 +8094,12 @@ static int zend_jit_escape_if_undef(zend_jit_ctx *jit, int var, uint32_t flags,
 
 	/* We can't use trace_escape() because opcode handler may be overridden by JIT */
 	zend_jit_op_array_trace_extension *jit_extension =
-		(zend_jit_op_array_trace_extension*)ZEND_FUNC_INFO(op_array);
+		(zend_jit_op_array_trace_extension*)ZEND_FUNC_INFO(jit->current_op_array);
 	size_t offset = jit_extension->offset;
-	ir_ref ref = ir_CONST_ADDR(ZEND_OP_TRACE_INFO((opline - 1), offset)->orig_handler);
+	ir_ref ref = ir_CONST_FC_FUNC(ZEND_OP_TRACE_INFO((opline - 1), offset)->orig_handler);
 	if (GCC_GLOBAL_REGS) {
 		ir_TAILCALL(IR_VOID, ref);
 	} else {
-#if defined(IR_TARGET_X86)
-		ref = ir_CAST_FC_FUNC(ref);
-#endif
 		ir_TAILCALL_1(IR_I32, ref, jit_FP(jit));
 	}
 
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
@@ -3603,7 +3603,7 @@ static int zend_jit_trace_deoptimization(
 
 		ZEND_ASSERT(STACK_FLAGS(parent_stack, check2) == ZREG_ZVAL_COPY);
 		ZEND_ASSERT(reg != ZREG_NONE);
-		if (!zend_jit_escape_if_undef(jit, check2, flags, opline, exit_info->op_array, reg)) {
+		if (!zend_jit_escape_if_undef(jit, check2, flags, opline, reg)) {
 			return 0;
 		}
 		if (!zend_jit_restore_zval(jit, EX_NUM_TO_VAR(check2), reg)) {
@@ -7374,6 +7374,8 @@ static const void *zend_jit_trace_exit_to_vm(uint32_t trace_num, uint32_t exit_n
 		zend_jit_traces[trace_num].stack_map + zend_jit_traces[trace_num].exit_info[exit_num].stack_offset :
 		NULL;
 
+	ctx.current_op_array = zend_jit_traces[trace_num].exit_info[exit_num].op_array;
+
 	if (!zend_jit_trace_deoptimization(&ctx,
 			&zend_jit_traces[trace_num].exit_info[exit_num],
 			stack, stack_size, NULL, NULL,
