
Fix GH-18847: set EX(opline) when the tracing JIT enters a call frame #142

Status: Closed

iliaal wants to merge 1 commit into master from fix/gh-18847-jit-opline-backtrace


Conversation

@iliaal (Owner) commented Jul 1, 2026

Under the tracing JIT, entering a callee frame doesn't materialize EX(opline) in memory (it stays virtual in the IP register), so a fatal error at the frame's first opcode, e.g. an OOM while it pushes its own call frame, makes zend_fetch_debug_backtrace() dereference a NULL opline. That store already existed on the observer path but was gated behind ZEND_OBSERVER_ENABLED; this drops the gate.

Note for review: this adds one EX(opline) store per JIT call-frame entry (the same store observer builds already emit); flagging in case you'd prefer to narrow it.

Fixes php#18847

The tracing JIT enters a callee frame without writing EX(opline) to
memory; it keeps the opline in the IP register and writes it back
lazily. When a fatal error is raised before that first store, such as
an out-of-memory while the callee's first opcode pushes its own call
frame, zend_fetch_debug_backtrace() dereferences the NULL EX(opline).
Materialize it at entry, as the observer path already did behind
ZEND_OBSERVER_ENABLED.

Fixes phpGH-18847
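The invariant the description and the commit message are restoring, as an added toy model in C. This is not Zend engine code and none of its names (frame_t, enter_frame, flush_ip, debug_backtrace, the opcode names) are real engine identifiers; it only models an in-memory opline field that a lazily-entered frame leaves NULL, a "register" holding the virtual IP, and an error-path walker that, like zend_fetch_debug_backtrace(), reads the field from memory rather than from the register.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not Zend engine code; all names here are hypothetical. */
typedef struct { const char *name; } opcode_t;

typedef struct frame {
    const char *func;
    const opcode_t *opline;   /* in-memory copy of the IP; NULL until materialized */
    struct frame *prev;
} frame_t;

/* The JIT's virtual instruction pointer, modelled as a single global register. */
static const opcode_t *ip_register;

/* Lazy write-back of the register into the frame, done some time after entry. */
static void flush_ip(frame_t *frame) { frame->opline = ip_register; }

/* Enter a callee frame. With materialize == false the new IP lives only in
 * the register, which is the behaviour the bug report describes; with
 * materialize == true the store the fix adds unconditionally happens at entry. */
static void enter_frame(frame_t *callee, const char *func, const opcode_t *first,
                        frame_t *caller, bool materialize)
{
    callee->func = func;
    callee->prev = caller;
    callee->opline = NULL;
    ip_register = first;
    if (materialize) {
        flush_ip(callee);
    }
}

static char trace_buf[256];

/* Error-path walker: reads only the in-memory opline. Returns the number of
 * frames it described, or -1 when it meets a frame whose opline was never
 * written, which is where the real engine would dereference NULL. */
static int debug_backtrace(const frame_t *top)
{
    int depth = 0;
    trace_buf[0] = '\0';
    for (const frame_t *f = top; f; f = f->prev, depth++) {
        if (f->opline == NULL) {
            return -1;
        }
        size_t used = strlen(trace_buf);
        snprintf(trace_buf + used, sizeof trace_buf - used,
                 "#%d %s @ %s\n", depth, f->func, f->opline->name);
    }
    return depth;
}

const char *last_trace(void) { return trace_buf; }

/* Scenario from the report: the caller is mid-call, the callee has just been
 * entered, and the callee's very first opcode raises a fatal error before any
 * lazy write-back has run. Opcode names below are constructed sample values. */
int simulate(bool materialize_at_entry)
{
    static const opcode_t call_op = { "DO_FCALL" };
    static const opcode_t callee_first = { "INIT_FCALL" };
    frame_t caller, callee;

    caller.func = "main";
    caller.prev = NULL;
    ip_register = &call_op;
    flush_ip(&caller);   /* the caller stored its opline when it made the call */

    enter_frame(&callee, "callee", &callee_first, &caller, materialize_at_entry);

    /* The fatal error fires here: flush_ip(&callee) has not happened yet. */
    return debug_backtrace(&callee);
}

int main(void)
{
    printf("lazy entry: backtrace result %d\n", simulate(false));
    printf("materialized entry: backtrace result %d\n%s", simulate(true), last_trace());
    return 0;
}
```

The walker deliberately returns -1 instead of crashing so the two paths can be compared in one run; the point the model makes is that any state the engine keeps virtual must be written back before a code path that can raise a fatal error, because the error handler walks frames through memory and never sees the register.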
iliaal force-pushed the fix/gh-18847-jit-opline-backtrace branch from f4aeece to 7b4798f on July 1, 2026 19:55
@iliaal (Owner, Author) commented Jul 1, 2026

Promoted upstream: php#22542.

iliaal closed this Jul 1, 2026


Development

Successfully merging this pull request may close these issues: SEGV Zend/zend_builtin_functions.c