Reset stackmap reg

arnaud-lb · arnaud-lb · commit 9f33bff09067 · 2026-03-31T17:30:27.000+02:00
Add a missing `t->stack_map[...].reg = ZREG_NONE` in `zend_jit_snapshot_handler`. This is needed when reg is `ZREG_NONE`, otherwise side traces will have wrong assumptions. Fixes GH-21158 Closes GH-21531
diff --git a/NEWS b/NEWS
@@ -9,6 +9,10 @@ PHP                                                                        NEWS
 - Iconv:
   . Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)
 
+- Opcache:
+  . Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in
+    zend_jit_use_reg). (Arnaud)
+
 - SPL:
   . Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent
     free). (Girgias)
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
@@ -835,6 +835,7 @@ void *zend_jit_snapshot_handler(ir_ctx *ctx, ir_ref snapshot_ref, ir_insn *snaps
 							addr = (void*)zend_jit_trace_get_exit_addr(exit_point);
 							exit_flags &= ~ZEND_JIT_EXIT_FIXED;
 						}
+						t->stack_map[t->exit_info[exit_point].stack_offset + var].reg = ZREG_NONE;
 						t->stack_map[t->exit_info[exit_point].stack_offset + var].flags = ZREG_TYPE_ONLY;
 					}
 				} else if (!(exit_flags & ZEND_JIT_EXIT_FIXED)) {
diff --git a/ext/opcache/tests/jit/gh21158.phpt b/ext/opcache/tests/jit/gh21158.phpt
@@ -0,0 +1,49 @@
+--TEST--
+GH-21158: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg
+--CREDITS--
+YuanchengJiang
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1254
+--FILE--
+<?php
+define('ROW', 10);
+define('COL', 10);
+function count_live_neighbors($board, $row, $col) {
+    $live_neighbors = 0;
+    if ($col + 1 < COL && $board[$row][$col + 1] == 1) $live_neighbors++;
+    if ($row - 1 >= 0 && $col - 1 >= 0 && $board[$row - 1][$col - 1] == 1) $live_neighbors++;
+    if ($row >= 1 && $col + 1 < COL && $board[$row - 1][$col + 1] == 1) $live_neighbors++;
+    return $live_neighbors;
+}
+$board = [
+    [1,1,0,0,1,1,1,1,1,0],
+    [0,1,0,1,1,0,0,1,0,0],
+    [0,1,0,0,1,0,0,0,1,0],
+    [0,0,1,1,1,1,1,0,0,0],
+    [1,1,1,1,1,1,0,1,1,0],
+    [0,1,0,0,1,1,1,0,1,0],
+    [0,1,1,0,1,1,1,1,0,0],
+    [1,1,0,0,0,0,1,1,1,0],
+    [1,0,0,1,1,0,1,1,0,1],
+    [0,0,1,1,1,0,1,1,0,1],
+];
+for ($i = 0; $i < ROW; $i++) {
+    for ($j = 0; $j < COL; $j++) {
+        echo count_live_neighbors($board, $i, $j), ",";
+    }
+    echo "\n";
+}
+?>
+--EXPECT--
+1,0,0,1,1,1,1,1,0,0,
+2,1,2,2,1,2,3,2,1,1,
+2,0,2,2,1,1,1,1,1,0,
+1,1,2,2,1,2,0,1,0,1,
+1,2,2,3,3,2,2,2,0,0,
+2,2,2,3,3,2,2,2,1,1,
+2,1,1,2,2,3,2,2,0,1,
+2,1,1,2,1,3,3,2,1,0,
+1,1,2,1,0,2,2,2,2,1,
+0,2,2,2,1,3,2,1,3,0,

Original file line number	Diff line number	Diff line change
`@@ -835,6 +835,7 @@ void zend_jit_snapshot_handler(ir_ctx ctx, ir_ref snapshot_ref, ir_insn *snaps`
`835`	`835`	`addr = (void*)zend_jit_trace_get_exit_addr(exit_point);`
`836`	`836`	`exit_flags &= ~ZEND_JIT_EXIT_FIXED;`
`837`	`837`	`}`
	`838`	`+ t->stack_map[t->exit_info[exit_point].stack_offset + var].reg = ZREG_NONE;`
`838`	`839`	`t->stack_map[t->exit_info[exit_point].stack_offset + var].flags = ZREG_TYPE_ONLY;`
`839`	`840`	`}`
`840`	`841`	`} else if (!(exit_flags & ZEND_JIT_EXIT_FIXED)) {`