Fix GH-21006: JIT SEGV with FETCH_OBJ_FUNC_ARG and property hooks

iliaal · iliaal · commit 5963656f7e03 · 2026-03-06T19:50:47.000-05:00
When the JIT falls back to the VM handler for FETCH_OBJ_FUNC_ARG (or
FETCH_OBJ_R), the handler may find the SIMPLE_GET flag set in the
runtime cache for a hooked property. This causes it to push a call
frame for the hook function, changing execute_data. When the trace
resumes after the handler returns, it continues with the wrong
execute_data, leading to a segfault on the next opcode that accesses
EX(call).

Fix by emitting IR code in zend_jit_trace_handler() to clear the
SIMPLE_GET flag in the runtime cache before calling the VM handler,
so it falls through to read_property instead.
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
@@ -17091,6 +17091,21 @@ static int zend_jit_trace_handler(zend_jit_ctx *jit, const zend_op_array *op_arr
 	ir_ref ref;
 
 	zend_jit_set_ip(jit, opline);
+	/* FETCH_OBJ_FUNC_ARG/FETCH_OBJ_R may dispatch to a VM handler that
+	 * pushes a call frame for SIMPLE_GET property hooks, which would
+	 * corrupt the trace's call stack. Clear the SIMPLE_GET flag so the
+	 * handler falls through to read_property instead. */
+	if ((opline->opcode == ZEND_FETCH_OBJ_FUNC_ARG || opline->opcode == ZEND_FETCH_OBJ_R)
+	 && opline->op2_type == IS_CONST) {
+		ir_ref run_time_cache = ir_LOAD_A(jit_EX(run_time_cache));
+		ir_ref cache_slot_ref = ir_ADD_OFFSET(run_time_cache,
+			(opline->extended_value & ~ZEND_FETCH_OBJ_FLAGS) + sizeof(void*));
+		ir_ref prop_offset_ref = ir_LOAD_A(cache_slot_ref);
+		ir_ref if_simple_get = ir_IF(ir_AND_A(prop_offset_ref, ir_CONST_ADDR(ZEND_PROPERTY_HOOK_SIMPLE_GET_BIT)));
+		ir_IF_TRUE(if_simple_get);
+		ir_STORE(cache_slot_ref, ir_AND_A(prop_offset_ref, ir_CONST_ADDR(~(uintptr_t)ZEND_PROPERTY_HOOK_SIMPLE_GET_BIT)));
+		ir_MERGE_WITH_EMPTY_FALSE(if_simple_get);
+	}
 	if (GCC_GLOBAL_REGS) {
 		ir_CALL(IR_VOID, ir_CONST_FUNC(handler));
 	} else {
diff --git a/ext/opcache/tests/jit/gh21006.phpt b/ext/opcache/tests/jit/gh21006.phpt
@@ -0,0 +1,38 @@
+--TEST--
+GH-21006: JIT SEGV with FETCH_OBJ_FUNC_ARG and property hooks
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.jit=tracing
+opcache.jit_hot_loop=61
+opcache.jit_hot_func=127
+opcache.jit_hot_return=8
+opcache.jit_hot_side_exit=8
+--FILE--
+<?php
+namespace Test;
+
+class C
+{
+    public $prop {
+        get => 'sha256';
+    }
+
+    public function sign()
+    {
+        return hash_hmac(
+            algo: $this->prop,
+            data: '',
+            key: '',
+        );
+    }
+}
+
+$obj = new C();
+for ($i = 0; $i < 100; $i++) {
+    $obj->sign();
+}
+echo "OK\n";
+?>
+--EXPECT--
+OK
