Valgrind warning with ini_get + preg_match and pcre.jit=1

[chschneider]

Description

The following code:

<?php

preg_match('!X!', ini_get('display_errors'));

When called with

valgrind --track-origins=yes sapi/cli/php -n -r 'preg_match("!X!", ini_get("display_errors"));'

resulted in this output:

==7649== Conditional jump or move depends on uninitialised value(s)
==7649==    at 0x523FEBF: ???
==7649==    by 0x4BA8E37: ???
==7649==    by 0x4BA8E37: ???
==7649==    by 0x4BA8E38: ???
==7649==    by 0x4CEC5DF: ???
==7649==    by 0x4BA8E37: ???
==7649==  Uninitialised value was created by a heap allocation
==7649==    at 0x4841984: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7649==    by 0x7D0D18: __zend_malloc (zend_alloc.c:3543)
==7649==    by 0x8BC36C: zend_string_alloc (zend_string.h:167)
==7649==    by 0x8BC36C: zend_string_init (zend_string.h:189)
==7649==    by 0x8BC36C: zend_string_init_interned_permanent (zend_string.c:278)
==7649==    by 0x8BC685: zend_interned_strings_init (zend_string.c:110)
==7649==    by 0x8C867F: zend_startup (zend.c:1058)
==7649==    by 0x766B9E: php_module_startup (main.c:2253)
==7649==    by 0x47FCC4: main (php_cli.c:1329)

This was on x86 with openSUSE Leap 15.6, compiling the current master with --disable-all.

I could reproduce the warning with all PHP 8.x and older versions seem to have even more warnings which were fixed at some point.

Interestingly the warning disappears with -d pcre.jit=0 and I assume it happens in the JIT-generated code.
Additionally when changing the preg_match pattern or ini_get-Option the warning sometimes disappears so it seems to depend on certain values/value lengths.

PHP Version

PHP 8.6.0-dev (cli) (built: Jan 21 2026 13:29:58) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies

Operating System

openSUSE Leap 15.6

[iluuu1994]

Sorry for the late response. This happens because the padding for zend_string in zend_string_init() remains uninitialized. PCRE2 uses SIMD for string matching, likely with a fallback for mismatched padding. Accessing the uninitialized padding will trigger valgrind.

I remember a PR that proposed initializing all padding to 0, which might lead to some more optimized code for comparing string. But I can't seem to find it now. Another option might be to just initialize the padding in debug builds, though that won't fix running Valgrind on production builds.

[iluuu1994]

So, zend_string_equal_val() is making use of the same trick, so we probably would not benefit much from initializing these trailing bytes. To avoid the same error, we replace the function zend_string_equal_val() for Valgrind at runtime:

php-src/Zend/zend_string.c

Lines 390 to 393 in 8c42cf4

	ZEND_API bool ZEND_FASTCALL I_REPLACE_SONAME_FNNAME_ZU(NONE,zend_string_equal_val)(const zend_string *s1, const zend_string *s2)
	{
	return !memcmp(ZSTR_VAL(s1), ZSTR_VAL(s2), ZSTR_LEN(s1));
	}

Hence, I think this issue should be closed and this should be solved on PCRE2's side. There's a related issue open there as well. PCRE2Project/pcre2#654

Nonetheless, thank for the report!