Possible JIT regression on PHP +8.4

[1ma]

Description

I noticed that when I run a simple php -v under Valgrind with the JIT enabled it emits warnings about conditional jumps on uninitialized values coming from the IR subsystem of the JIT.

This execution never returns an error (JIT disabled) for any version of PHP from 8.1 to 8.5 inclusive:

$ export USE_ZEND_ALLOC=0
$ export ZEND_DONT_UNLOAD_MODULES=1
$ valgrind --tool=memcheck \
    --track-origins=yes --num-callers=50 --undef-value-errors=yes \
    --error-exitcode=1 \
    php -n \
    -d zend_extension=opcache \
    -d opcache.enable_cli=1 \
    -d opcache.jit=disable \
    -d opcache.jit_buffer_size=256M \
    -v

Whereas this one (JIT enabled in tracing mode) emits the following warnings on PHP 8.4 and 8.5:

$ export USE_ZEND_ALLOC=0
$ export ZEND_DONT_UNLOAD_MODULES=1
$ valgrind --tool=memcheck \
    --track-origins=yes --num-callers=50 --undef-value-errors=yes \
    --error-exitcode=1 \
    php -n \
    -d zend_extension=opcache \
    -d opcache.enable_cli=1 \
    -d opcache.jit=tracing \
    -d opcache.jit_buffer_size=256M \
    -v

...
==2994== 
==2994== Conditional jump or move depends on uninitialised value(s)
==2994==    at 0x7E21DA6: ir_sparse_set_in (ir_private.h:526)
==2994==    by 0x7E21DA6: _check_successors (ir_gcm.c:190)
==2994==    by 0x7E21DA6: ir_split_partially_dead_node (ir_gcm.c:276)
==2994==    by 0x7E21DA6: ir_gcm_schedule_late (ir_gcm.c:538)
==2994==    by 0x7E22BE5: ir_gcm (ir_gcm.c:715)
==2994==    by 0x7E4D520: zend_jit_ir_compile (zend_jit_ir.c:2852)
==2994==    by 0x7E51024: zend_jit_setup_stubs (zend_jit_ir.c:2931)
==2994==    by 0x7EAC5F4: zend_jit_setup (zend_jit_ir.c:3574)
==2994==    by 0x7EAC5F4: zend_jit_startup (zend_jit.c:3697)
==2994==    by 0x7DDC0BA: accel_post_startup (ZendAccelerator.c:3306)
==2994==    by 0x53AAC6: zend_post_startup (zend.c:1105)
==2994==    by 0x3CBF5D: php_module_startup (main.c:2326)
==2994==    by 0x240859: main (php_cli.c:1277)
==2994==  Uninitialised value was created by a heap allocation
==2994==    at 0x4846828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==2994==    by 0x437E54: __zend_malloc (zend_alloc.c:3294)
==2994==    by 0x7E22B58: ir_sparse_set_init (ir_private.h:500)
==2994==    by 0x7E22B58: ir_gcm (ir_gcm.c:704)
==2994==    by 0x7E4D520: zend_jit_ir_compile (zend_jit_ir.c:2852)
==2994==    by 0x7E51024: zend_jit_setup_stubs (zend_jit_ir.c:2931)
==2994==    by 0x7EAC5F4: zend_jit_setup (zend_jit_ir.c:3574)
==2994==    by 0x7EAC5F4: zend_jit_startup (zend_jit.c:3697)
==2994==    by 0x7DDC0BA: accel_post_startup (ZendAccelerator.c:3306)
==2994==    by 0x53AAC6: zend_post_startup (zend.c:1105)
==2994==    by 0x3CBF5D: php_module_startup (main.c:2326)
==2994==    by 0x240859: main (php_cli.c:1277)
==2994== 
==2994== Use of uninitialised value of size 8
==2994==    at 0x7E21DA8: ir_sparse_set_in (ir_private.h:526)
==2994==    by 0x7E21DA8: _check_successors (ir_gcm.c:190)
==2994==    by 0x7E21DA8: ir_split_partially_dead_node (ir_gcm.c:276)
==2994==    by 0x7E21DA8: ir_gcm_schedule_late (ir_gcm.c:538)
==2994==    by 0x7E22BE5: ir_gcm (ir_gcm.c:715)
==2994==    by 0x7E4D520: zend_jit_ir_compile (zend_jit_ir.c:2852)
==2994==    by 0x7E51024: zend_jit_setup_stubs (zend_jit_ir.c:2931)
==2994==    by 0x7EAC5F4: zend_jit_setup (zend_jit_ir.c:3574)
==2994==    by 0x7EAC5F4: zend_jit_startup (zend_jit.c:3697)
==2994==    by 0x7DDC0BA: accel_post_startup (ZendAccelerator.c:3306)
==2994==    by 0x53AAC6: zend_post_startup (zend.c:1105)
==2994==    by 0x3CBF5D: php_module_startup (main.c:2326)
==2994==    by 0x240859: main (php_cli.c:1277)
==2994==  Uninitialised value was created by a heap allocation
==2994==    at 0x4846828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==2994==    by 0x437E54: __zend_malloc (zend_alloc.c:3294)
==2994==    by 0x7E22B58: ir_sparse_set_init (ir_private.h:500)
==2994==    by 0x7E22B58: ir_gcm (ir_gcm.c:704)
==2994==    by 0x7E4D520: zend_jit_ir_compile (zend_jit_ir.c:2852)
==2994==    by 0x7E51024: zend_jit_setup_stubs (zend_jit_ir.c:2931)
==2994==    by 0x7EAC5F4: zend_jit_setup (zend_jit_ir.c:3574)
==2994==    by 0x7EAC5F4: zend_jit_startup (zend_jit.c:3697)
==2994==    by 0x7DDC0BA: accel_post_startup (ZendAccelerator.c:3306)
==2994==    by 0x53AAC6: zend_post_startup (zend.c:1105)
==2994==    by 0x3CBF5D: php_module_startup (main.c:2326)
==2994==    by 0x240859: main (php_cli.c:1277)
==2994== 
PHP 8.4.15 (cli) (built: Dec  9 2025 12:39:03) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.4.15, Copyright (c) Zend Technologies
    with Zend OPcache v8.4.15, Copyright (c), by Zend Technologies
==2994== Warning: set address range perms: large range [0x8400000, 0x20400000) (noaccess)
==2994== 
==2994== HEAP SUMMARY:
==2994==     in use at exit: 85,221 bytes in 1,446 blocks
==2994==   total heap usage: 19,546 allocs, 18,100 frees, 5,875,246 bytes allocated
==2994== 
==2994== LEAK SUMMARY:
==2994==    definitely lost: 0 bytes in 0 blocks
==2994==    indirectly lost: 0 bytes in 0 blocks
==2994==      possibly lost: 0 bytes in 0 blocks
==2994==    still reachable: 85,221 bytes in 1,446 blocks
==2994==         suppressed: 0 bytes in 0 blocks
==2994== Rerun with --leak-check=full to see details of leaked memory
==2994== 
==2994== For lists of detected and suppressed errors, rerun with: -s
==2994== ERROR SUMMARY: 153 errors from 10 contexts (suppressed: 0 from 0)

I prepared an auxiliary repository that automatically reproduces the issue with a GitHub pipeline: https://github.com/1ma/php-jit-bug/blob/master/.github/workflows/ci.yml

PHP Version

PHP 8.4.15 (cli) (built: Dec  9 2025 12:39:03) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.4.15, Copyright (c) Zend Technologies
    with Zend OPcache v8.4.15, Copyright (c), by Zend Technologies


PHP 8.5.0 (cli) (built: Dec  9 2025 12:40:15) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.5.0, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.0, Copyright (c), by Zend Technologies

Operating System

Ubuntu 24.04

[devnexen]

to note. those warnings should not appear with debug builds because of this line. So it is know, just in release is to avoid some JIT performance penalties. @arnaud-lb should be able to speak better about it.

[1ma]

I added a new dimension to the test matrix to try out debug and release builds (I only tried debug builds before), but both versions emit the warning. Maybe this is sort of expected, but the line you highlighted is not doing its job in practice?

[devnexen]

before responding I tried both builds manually with your valgrind command and was able to reproduce on release build

valgrind --tool=memcheck     --track-origins=yes --num-callers=50 --undef-value-errors=yes     --error-exitcode=1     sapi/cli/php -n     -d opcache.enable_cli=1     -d opcache.jit=tracing     -d opcache.jit_buffer_size=256M     -v
==222019== Memcheck, a memory error detector
==222019== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==222019== Using Valgrind-3.25.1 and LibVEX; rerun with -h for copyright info
==222019== Command: sapi/cli/php -n -d opcache.enable_cli=1 -d opcache.jit=tracing -d opcache.jit_buffer_size=256M -v
==222019== 
==222019== Warning: set address range perms: large range [0x7000000, 0x1f000000) (defined)
==222019== Conditional jump or move depends on uninitialised value(s)
==222019==    at 0x444398B: ir_sparse_set_in (ir_private.h:527)
==222019==    by 0x444398B: ir_split_partially_dead_node (ir_gcm.c:241)
==222019==    by 0x444398B: ir_gcm_schedule_late (ir_gcm.c:538)
==222019==    by 0x444496E: ir_gcm (ir_gcm.c:715)
==222019==    by 0x446EA75: zend_jit_ir_compile (zend_jit_ir.c:2893)
==222019==    by 0x4471EF2: zend_jit_setup_stubs (zend_jit_ir.c:2972)
==222019==    by 0x44D2644: zend_jit_setup (zend_jit_ir.c:3444)
==222019==    by 0x44D2644: zend_jit_startup (zend_jit.c:3848)
==222019==    by 0x43FF2B3: accel_post_startup (ZendAccelerator.c:3329)

but on debug

valgrind --tool=memcheck     --track-origins=yes --num-callers=50 --undef-value-errors=yes     --error-exitcode=1     sapi/cli/php -n     -d opcache.enable_cli=1     -d opcache.jit=tracing     -d opcache.jit_buffer_size=256M     -v
==330095== Memcheck, a memory error detector
==330095== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==330095== Using Valgrind-3.25.1 and LibVEX; rerun with -h for copyright info
==330095== Command: sapi/cli/php -n -d opcache.enable_cli=1 -d opcache.jit=tracing -d opcache.jit_buffer_size=256M -v
==330095== 
==330095== Warning: set address range perms: large range [0x7400000, 0x1f400000) (defined)
PHP 8.6.0-dev (cli) (built: Dec 12 2025 21:41:03) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies
==330095== Warning: set address range perms: large range [0x7400000, 0x1f400000) (noaccess)
==330095== 
==330095== HEAP SUMMARY:
==330095==     in use at exit: 0 bytes in 0 blocks
==330095==   total heap usage: 19,474 allocs, 19,474 frees, 5,637,506 bytes allocated
==330095== 
==330095== All heap blocks were freed -- no leaks are possible
==330095== 
==330095== For lists of detected and suppressed errors, rerun with: -s
==330095== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

[devnexen]

same thing with php-8.5 branch

valgrind --tool=memcheck     --track-origins=yes --num-callers=50 --undef-value-errors=yes     --error-exitcode=1     sapi/cli/php -n     -d opcache.enable_cli=1     -d opcache.jit=tracing     -d opcache.jit_buffer_size=256M     -v
==743235== Memcheck, a memory error detector
==743235== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==743235== Using Valgrind-3.25.1 and LibVEX; rerun with -h for copyright info
==743235== Command: sapi/cli/php -n -d opcache.enable_cli=1 -d opcache.jit=tracing -d opcache.jit_buffer_size=256M -v
==743235== 
==743235== Warning: set address range perms: large range [0x7400000, 0x1f400000) (defined)
PHP 8.5.2-dev (cli) (built: Dec 12 2025 21:48:32) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.5.2-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.2-dev, Copyright (c), by Zend Technologies
==743235== Warning: set address range perms: large range [0x7400000, 0x1f400000) (noaccess)
==743235== 
==743235== HEAP SUMMARY:
==743235==     in use at exit: 0 bytes in 0 blocks
==743235==   total heap usage: 19,475 allocs, 19,475 frees, 5,635,794 bytes allocated
==743235== 
==743235== All heap blocks were freed -- no leaks are possible
==743235== 
==743235== For lists of detected and suppressed errors, rerun with: -s
==743235== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

for your matrix, do you clean up builds in between ?

[devnexen]

Anyhow, this is not a bug.

[1ma]

Thanks for looking into it. Yes, the runs happen in parallel in isolated runners, they don't affect each other.

Maybe this is not the best place to ask this, but in that case would you have guidance on how to suppress these warnings without turning off Valgrind nor JIT? I maintain a PHP extension that has a test suite that runs with Valgrind and the JIT enabled, and once I added PHP 8.5 to the test matrix all tests started breaking with these warnings on 8.5, so I've been trying to get to a minimum reproducing step.

Ideally I'd like to keep both the JIT and Valgrind on, just get rid of these specific warnings if they're a false positive.

[devnexen]

The only way I can see how you would be able to address it is the Valgrind suppression file ability with something ressembling this.

{
   php_jit_ir_sparse_set_in_uninit
   Memcheck:Cond
   ...
   fun:ir_sparse_set_in
   fun:_check_successors
}
{
   php_jit_ir_sparse_set_in_value8
   Memcheck:Value8
   ...
   fun:ir_sparse_set_in
   fun:_check_successors
}

I honestly did not know, I just looked that up but it makes sense IMHO.

[1ma]

That worked like a charm, thank you.