Fix GH-21368 crash: use jit->current_op_array in escape_if_undef

iliaal · iliaal · commit 7c69d4bda191 · 2026-04-17T07:19:22.000-04:00
#21368 dispatched to orig_handler via exit_info->op_array. That pointer is set at parent-trace compile time from JIT_G(current_frame)->func, and can become stale by the time a side trace compiles for that exit, producing an access violation in zend_jit_escape_if_undef on long-lived IIS+FastCGI workers. Use jit->current_op_array instead. On the crash path (zend_jit_compile_side_trace -> zend_jit_trace), zend_jit_trace_start sets it to trace_buffer->op_array, which is freshly captured for the current compilation and avoids the parent's potentially stale reference. On the zend_jit_trace_exit_to_vm path, zend_jit_deoptimizer_start leaves current_op_array unset, so set it from exit_info->op_array there. The gh21267 tests still pass.
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
@@ -8068,7 +8068,7 @@ static int zend_jit_defined(zend_jit_ctx *jit, const zend_op *opline, uint8_t sm
 	return 1;
 }
 
-static int zend_jit_escape_if_undef(zend_jit_ctx *jit, int var, uint32_t flags, const zend_op *opline, const zend_op_array *op_array, int8_t reg)
+static int zend_jit_escape_if_undef(zend_jit_ctx *jit, int var, uint32_t flags, const zend_op *opline, int8_t reg)
 {
 	zend_jit_addr reg_addr = ZEND_ADDR_REF_ZVAL(zend_jit_deopt_rload(jit, IR_ADDR, reg));
 	ir_ref if_def = ir_IF(jit_Z_TYPE(jit, reg_addr));
@@ -8094,7 +8094,7 @@ static int zend_jit_escape_if_undef(zend_jit_ctx *jit, int var, uint32_t flags,
 
 	/* We can't use trace_escape() because opcode handler may be overridden by JIT */
 	zend_jit_op_array_trace_extension *jit_extension =
-		(zend_jit_op_array_trace_extension*)ZEND_FUNC_INFO(op_array);
+		(zend_jit_op_array_trace_extension*)ZEND_FUNC_INFO(jit->current_op_array);
 	size_t offset = jit_extension->offset;
 	ir_ref ref = ir_CONST_ADDR(ZEND_OP_TRACE_INFO((opline - 1), offset)->orig_handler);
 	if (GCC_GLOBAL_REGS) {
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
@@ -3603,7 +3603,7 @@ static int zend_jit_trace_deoptimization(
 
 		ZEND_ASSERT(STACK_FLAGS(parent_stack, check2) == ZREG_ZVAL_COPY);
 		ZEND_ASSERT(reg != ZREG_NONE);
-		if (!zend_jit_escape_if_undef(jit, check2, flags, opline, exit_info->op_array, reg)) {
+		if (!zend_jit_escape_if_undef(jit, check2, flags, opline, reg)) {
 			return 0;
 		}
 		if (!zend_jit_restore_zval(jit, EX_NUM_TO_VAR(check2), reg)) {
@@ -7374,6 +7374,8 @@ static const void *zend_jit_trace_exit_to_vm(uint32_t trace_num, uint32_t exit_n
 		zend_jit_traces[trace_num].stack_map + zend_jit_traces[trace_num].exit_info[exit_num].stack_offset :
 		NULL;
 
+	ctx.current_op_array = zend_jit_traces[trace_num].exit_info[exit_num].op_array;
+
 	if (!zend_jit_trace_deoptimization(&ctx,
 			&zend_jit_traces[trace_num].exit_info[exit_num],
 			stack, stack_size, NULL, NULL,
