Fix GH-15981: Segfault with frameless jumps and minimal JIT

Minimal JIT shouldn't generate a call to the complex handler, but instead rely on the VM and then check for a two-way jump. This moves the frameless codegen under the check `JIT_G(opt_level) >= ZEND_JIT_LEVEL_INLINE`.
2025-08-16 05:58:45 +02:00 · 2025-01-02 23:48:47 +01:00 · 2025-01-02 23:48:47 +01:00 · 72184abd2f
commit 72184abd2f
parent b666dc9788
3 changed files with 34 additions and 5 deletions
--- a/4
+++ b/4
@ -36,6 +36,10 @@ PHP                                                                        NEWS
 - Intl:
  . Fixed bug GH-11874 (intl causing segfault in docker images). (nielsdos)
 
+- Opcache:
+  . Fixed bug GH-15981 (Segfault with frameless jumps and minimal JIT).
+    (nielsdos)
+
 - PHPDBG:
  . Fix crashes in function registration + test. (nielsdos, Girgias)

--- a/ext/opcache/jit/zend_jit.c
+++ b/ext/opcache/jit/zend_jit.c
@ -2489,6 +2489,11 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 							goto jit_failure;
 						}
 						goto done;
+					case ZEND_JMP_FRAMELESS:
+						if (!zend_jit_jmp_frameless(&ctx, opline, /* exit_addr */ NULL, /* guard */ 0)) {
+							goto jit_failure;
+						}
+						goto done;
 					case ZEND_INIT_METHOD_CALL:
 						if (opline->op2_type != IS_CONST
 						 || Z_TYPE_P(RT_CONSTANT(opline, opline->op2)) != IS_STRING) {
@ -2644,17 +2649,13 @@ static int zend_jit(const zend_op_array *op_array, zend_ssa *ssa, const zend_op
 				case ZEND_FE_FETCH_R:
 				case ZEND_FE_FETCH_RW:
 				case ZEND_BIND_INIT_STATIC_OR_JMP:
+				case ZEND_JMP_FRAMELESS:
 					if (!zend_jit_handler(&ctx, opline,
 							zend_may_throw(opline, ssa_op, op_array, ssa)) ||
 					    !zend_jit_cond_jmp(&ctx, opline + 1, ssa->cfg.blocks[b].successors[0])) {
 						goto jit_failure;
 					}
 					break;
-				case ZEND_JMP_FRAMELESS:
-					if (!zend_jit_jmp_frameless(&ctx, opline, /* exit_addr */ NULL, /* guard */ 0)) {
-						goto jit_failure;
-					}
-					break;
 				case ZEND_NEW:
 					if (!zend_jit_handler(&ctx, opline, 1)) {
 						return 0;
--- a/ext/opcache/tests/jit/gh15981.phpt
+++ b/ext/opcache/tests/jit/gh15981.phpt
@ -0,0 +1,24 @@
+--TEST--
+GH-15981 (Segfault with frameless jumps and minimal JIT)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1111
+--FILE--
+<?php
+
+namespace NS { // Namespace is important to reproduce the issue
+    class Tester {
+        static public function findExecutable(): string {
+            return dirname(__DIR__);
+        }
+    }
+}
+
+namespace {
+    var_dump(NS\Tester::findExecutable());
+}
+
+?>
+--EXPECTF--
+string(%d) "%s"