Fix GH-17428: Assertion failure ext/opcache/jit/zend_jit_ir.c:8940

nielsdos · nielsdos · commit b18303f7ff70 · 2025-01-10T20:35:49.000+01:00
The code to update the call_level in that case skips the opline itself,
as that's handled by the tail handler, and then wants to set the opline
to the last opline of the block because the code below the switch will
update the call_level for that opline.
However, the test has a block with a single opline (THROW). The block
after that has ZEND_INIT_FCALL, because `i` points to ZEND_INIT_FCALL
now, it erroneously causes the call_level after the switch.
Although it suffices to change `i` to `end` (none of the opcodes here
occur in `zend_jit_dec_call_level`), I added a goto label as well to be
safer for the future in case the list of opcodes changes.
diff --git a/ext/opcache/jit/zend_jit.c b/ext/opcache/jit/zend_jit.c
@@ -2633,8 +2633,8 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 							call_level--;
 						}
 					}
-					opline = op_array->opcodes + i;
-					break;
+					opline = op_array->opcodes + end;
+					goto done_no_dec_call_level;
 				/* stackless execution */
 				case ZEND_INCLUDE_OR_EVAL:
 				case ZEND_DO_FCALL:
@@ -2727,6 +2727,7 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 			if (zend_jit_dec_call_level(opline->opcode)) {
 				call_level--;
 			}
+done_no_dec_call_level:
 		}
 		zend_jit_bb_end(&ctx, b);
 	}
diff --git a/ext/opcache/tests/jit/gh17428.phpt b/ext/opcache/tests/jit/gh17428.phpt
@@ -0,0 +1,35 @@
+--TEST--
+GH-17428 (Assertion failure ext/opcache/jit/zend_jit_ir.c:8940)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1205
+--FILE--
+<?php
+new EmptyIterator();
+srand(1000);
+error_reporting(E_ALL);
+testConversion('', '');
+testConversion('', '');
+testConversion('', '');
+testConversion('', '');
+testConversion('', '');
+function testRoundTrip($data) {
+}
+for ($iterations = 0; $iterations < 100; $iterations++) {
+    $strlen = rand(1, 100);
+    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+    $randstring = '';
+    for ($i = 0; $i < $strlen; $i++) {
+        $randstring .= $characters[rand(0, strlen($characters) - 1)];
+    }
+    die($randstring);
+}
+echo "Done!\n";
+throw new Hello(new stdClass);
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Call to undefined function testConversion() in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d

Original file line number	Diff line number	Diff line change
`@@ -2633,8 +2633,8 @@ static int zend_jit(const zend_op_array op_array, zend_ssa ssa, const zend_op`
`2633`	`2633`	`call_level--;`
`2634`	`2634`	`}`
`2635`	`2635`	`}`
`2636`		`- opline = op_array->opcodes + i;`
`2637`		`- break;`
	`2636`	`+ opline = op_array->opcodes + end;`
	`2637`	`+ goto done_no_dec_call_level;`
`2638`	`2638`	`/* stackless execution */`
`2639`	`2639`	`case ZEND_INCLUDE_OR_EVAL:`
`2640`	`2640`	`case ZEND_DO_FCALL:`
`@@ -2727,6 +2727,7 @@ static int zend_jit(const zend_op_array op_array, zend_ssa ssa, const zend_op`
`2727`	`2727`	`if (zend_jit_dec_call_level(opline->opcode)) {`
`2728`	`2728`	`call_level--;`
`2729`	`2729`	`}`
	`2730`	`+done_no_dec_call_level:`
`2730`	`2731`	`}`
`2731`	`2732`	`zend_jit_bb_end(&ctx, b);`
`2732`	`2733`	`}`