Skip to content

Fix incorrect opline after deoptimization #19535

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix incorrect opline after deoptimization #19535

wants to merge 2 commits into from
+44 −10

Conversation

arnaud-lb
Copy link
Member

@arnaud-lb arnaud-lb commented Aug 20, 2025
edited
Loading

Fixes GH-19486 introduced by 76d7c61.

Blacklisted side traces (aka JIT'ed exits) may return the previous opline after calling the original op handler. As a result, the op handler is called again by the VM.

Fix this by always returning the opline returned by the original op handler.

Always use zend_jit_vm_enter(jit, ref) to signal the VM that it must reload EG(current_execute_data) as it may have changed during the execution of the trace.

This is consistent with non-JIT'ed exits:

php-src/ext/opcache/jit/zend_jit_ir.c

Lines 2488 to 2489 in 0bf2959

ref = ir_CALL_2(IR_ADDR, addr, jit_FP(jit), jit_IP(jit));
zend_jit_vm_enter(jit, ref);

And with the previous version of this code (ir_RETURN(ref) and ir_RETURN(ir_CONST_I32(2)) have the same effect in this case) :

php-src/ext/opcache/jit/zend_jit_ir.c

Lines 17108 to 17119 in bc05bfe

if (opline &&
(opline->opcode == ZEND_RETURN
|| opline->opcode == ZEND_RETURN_BY_REF
|| opline->opcode == ZEND_GENERATOR_RETURN
|| opline->opcode == ZEND_GENERATOR_CREATE
|| opline->opcode == ZEND_YIELD
|| opline->opcode == ZEND_YIELD_FROM)) {
ir_RETURN(ref);
return 1;
}
}
ir_RETURN(ir_CONST_I32(2)); // ZEND_VM_LEAVE

Analysis of the reproducer code in GH-19486:

The function floodFill() performs a deep recursion, exhausting the VM stack, causing a side exit in zend_jit_push_call_frame(). The JIT'ed code of this side exit mistakenly returns the previous opline to the VM, causing the same opline (INIT_FCALL) to be executed twice:

  • The first time, the stack is extended and the new call frame is marked with ZEND_CALL_ALLOCATED
  • The second time, we re-use the newly allocated stack, so the frame is not marked

The first frame never make it to the call stack. Returning from the second frame to its parent creates the inconsistency that causes the assertion failure (the frame doesn't have ZEND_CALL_ALLOCATED, so EG(vm_stack) is not freed and set to EG(vm_stack)->prev).

@arnaud-lb arnaud-lb marked this pull request as ready for review August 20, 2025 17:50
@arnaud-lb arnaud-lb requested a review from dstogov as a code owner August 20, 2025 17:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dstogov dstogov Awaiting requested review from dstogov dstogov is a code owner

Assignees
No one assigned
Labels
Extension: opcache
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

8.5beta1 JIT: zend_mm_heap corrupted error
1 participant
@arnaud-lb