php · morrisonlevi · Jun 9, 2026 · Jun 9, 2026 · Jun 9, 2026 · Jun 9, 2026
diff --git a/NEWS b/NEWS
@@ -15,6 +15,9 @@ PHP                                                                        NEWS
     LXB_API as __declspec(dllimport) when linked statically into PHP.
     (Luther Monson)
 
+- Opcache:
+  . Fixed bug GH-22265 (Another tailcall vm_interrupt bug). (Levi Morrison)
+
 - Phar:
   . Fixed a bypass of the magic ".phar" directory protection in
     Phar::addEmptyDir() for paths starting with "/.phar", while allowing

@@ -4304,6 +4304,7 @@ ZEND_API ZEND_COLD void ZEND_FASTCALL zend_fcall_interrupt(zend_execute_data *ca
 
 #define ZEND_VM_LOOP_INTERRUPT_CHECK() do { \
 		if (UNEXPECTED(zend_atomic_bool_load_ex(&EG(vm_interrupt)))) { \
+			SAVE_OPLINE(); \
 			ZEND_VM_LOOP_INTERRUPT(); \
 		} \
 	} while (0)

diff --git a/ext/zend_test/tests/observer_vm_interrupt_tailcall_return.phpt b/ext/zend_test/tests/observer_vm_interrupt_tailcall_return.phpt
@@ -0,0 +1,29 @@
+--TEST--
+Observer: VM interrupt during tailcall return to caller
+--DESCRIPTION--
+This exercises a VM interrupt raised immediately before a user function returns
+to a caller that invoked it through DO_FCALL. On the tailcall VM, the caller's
+saved opline must point to the opcode after DO_FCALL before a pending interrupt
+is handled.
+--EXTENSIONS--
+zend_test
+--INI--
+opcache.jit=0
+zend_test.observer.set_vm_interrupt_on_begin=1
+--FILE--
+<?php
+function interrupt_before_return(VmInterruptComparable $left, VmInterruptComparable $right): void
+{
+    $left < $right;
+}
+
+function call_interrupt_before_return(): void
+{
+    interrupt_before_return(new VmInterruptComparable(2), new VmInterruptComparable(1));
+}
+
+call_interrupt_before_return();
+echo "ok\n";
+?>
+--EXPECT--
+ok