
Segfault in zval_undefined_cv with non-simple property hook with minimal tracing JIT #20890

@Moonster8282

Description


The following code:

```php
<?php
class HookJIT {
    private int $readCount = 0;

    public int $computed {
        get {
            $this->readCount++;
            return $this->readCount * 2;
        }
    }
}

function hook_hot_path($obj, $iterations) {
    $sum = 0;
    for ($i = 0; $i < $iterations; $i++) {
        $sum += $obj->computed;
    }
    return $sum;
}

echo "Testing property hook in hot path...\n";
$obj = new HookJIT();
$result = hook_hot_path($obj, 100000);
echo "Result: $result\n";
```

Stack Trace

```
==411==ERROR: AddressSanitizer: SEGV on unknown address 0x00017fff7ffb
The signal is caused by a READ memory access.
#0 0x55740017a63f in zval_undefined_cv /root/php-src/Zend/zend_execute.c:279
#1 0x55740017aaa7 in _get_zval_ptr_cv_BP_VAR_RW /root/php-src/Zend/zend_execute.c:381
#2 0x5574002d4e6f in ZEND_ASSIGN_OP_SPEC_CV_TMPVAR_HANDLER /root/php-src/Zend/zend_vm_execute.h:47849
#3 0x49da7b90 (/dev/zero (deleted)+0x8000b90)  <-- JIT generated code
```

Dockerfile

```dockerfile
# php85:latest c6028c7a4b87cca123fce7276fa9672251790d50180faf4c7f7bb53b12011078
FROM php:8.5.1-cli
CMD ["/bin/bash"]
```

Resulted in this output:

```
# php -d opcache.enable_cli=1 -d opcache.jit=1251 test.php
Testing property hook in hot path...
Segmentation fault (core dumped)
```

But I expected this output instead:

```
# php -d opcache.enable_cli=1 -d opcache.jit=1251 test.php
Testing property hook in hot path...
Result: 10000100000
```

Root Cause

The JIT compiler incorrectly handles property hook access in hot paths when using optimization level 1251. The crash occurs in the `zval_undefined_cv()` function, indicating that the JIT-compiled code is accessing an undefined/invalid CV (compiled variable).

PHP Version

```
PHP 8.5.1 (cli) (built: Jan  9 2026 22:31:28) (NTS)
Copyright (c) The PHP Group
Built by https://github.com/docker-library/php
Zend Engine v4.5.1, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.1, Copyright (c), by Zend Technologies
```

Operating System

```
Linux c6028c7a4b87 5.15.167.4-microsoft-standard-WSL2 #1 SMP Tue Nov 5 00:21:55 UTC 2024 x86_64 GNU/Linux
```
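The report above was reproduced with `opcache.jit=1251`, i.e. the tracing trigger (T=5) combined with the minimal optimization level (O=1) in PHP's four-digit CRTO encoding. A defender auditing a fleet for this configuration has to decode that setting the way PHP does, including the named aliases. The script below is an added example, not code from the issue or from the PHP project: it decodes an `opcache.jit` value (CRTO digits or alias) per the meanings documented in `php.ini-development`, extracts the effective value from php.ini text, and flags the tracing-trigger/minimal-optimization combination the report used. The treatment of the bare aliases `1`, `on`, `yes` and `true` as equivalent to `tracing` (1254), and of `function` as 1205, follows OPcache's ini parsing as the author of this example understands it and is an assumption; the ini fragment is constructed for the demonstration. Whether other optimization levels with the tracing trigger are affected is not stated in the report, so only the reported combination is flagged.

```shell
#!/bin/sh
# Added example: decode PHP's opcache.jit setting and audit php.ini text for the
# configuration used in the report (tracing trigger, minimal optimization).

# Map named aliases to the numeric CRTO form; 1- to 4-digit numbers pass through.
# Assumption: "1"/"on"/"yes"/"true" mean tracing (1254) and "function" means 1205.
jit_normalize() {
    case "$1" in
        disable|off|no|false|0) echo 0 ;;
        1|on|yes|true|tracing)  echo 1254 ;;
        function)               echo 1205 ;;
        [0-9][0-9]|[0-9][0-9][0-9]|[0-9][0-9][0-9][0-9]) echo "$1" ;;
        *) return 1 ;;
    esac
}

# Split a value into "C R T O" digits, validating each digit's documented range
# (C 0-1, R 0-2, T 0-5, O 0-5); shorter numbers are left-padded with zeros.
jit_digits() {
    n=$(jit_normalize "$1") || return 1
    while [ ${#n} -lt 4 ]; do n="0$n"; done
    c=${n%???}; n=${n#?}
    r=${n%??};  n=${n#?}
    t=${n%?};   o=${n#?}
    [ "$c" -le 1 ] && [ "$r" -le 2 ] && [ "$t" -le 5 ] && [ "$o" -le 5 ] || return 1
    echo "$c $r $t $o"
}

jit_trigger_name() {
    case "$1" in
        0) echo "compile-on-load" ;;         1) echo "compile-on-first-call" ;;
        2) echo "profile-first-request" ;;   3) echo "profile-on-the-fly" ;;
        4) echo "docblock-jit" ;;            5) echo "tracing" ;;
    esac
}

jit_opt_name() {
    case "$1" in
        0) echo "off" ;;              1) echo "minimal" ;;
        2) echo "inline-handlers" ;;  3) echo "typed-function" ;;
        4) echo "call-graph" ;;       5) echo "whole-script" ;;
    esac
}

# Human-readable summary; O=0 means the JIT is not active whatever T says.
jit_describe() {
    v=$1
    d=$(jit_digits "$v") || { echo "invalid opcache.jit value: $v"; return 1; }
    set -- $d
    if [ "$4" -eq 0 ]; then echo "jit inactive"; return 0; fi
    echo "trigger=$(jit_trigger_name "$3") opt=$(jit_opt_name "$4") regalloc=$2 cpu=$1"
}

# Exit 0 when the value selects the reported configuration: T=5 and O=1.
jit_is_minimal_tracing() {
    d=$(jit_digits "$1") || return 1
    set -- $d
    [ "$3" -eq 5 ] && [ "$4" -eq 1 ]
}

# Effective opcache.jit value from php.ini text on stdin: comment lines are
# skipped, whitespace, quotes and trailing ';' comments are tolerated, the last
# assignment wins, and an empty assignment means "off".
jit_from_ini() {
    val=""
    while IFS= read -r line; do
        case "$line" in ';'*|'#'*) continue ;; esac
        case "$line" in *opcache.jit*=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        [ "$key" = "opcache.jit" ] || continue   # e.g. opcache.jit_buffer_size
        v=$(printf '%s' "${line#*=}" | sed -e 's/;.*$//' -e 's/^[[:space:]]*//' \
            -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//')
        [ -n "$v" ] || v=off
        val=$v
    done
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Constructed php.ini fragment for the demonstration (not from any real host).
SAMPLE_INI='; constructed php.ini fragment
opcache.enable_cli=1
opcache.jit_buffer_size = 64M
opcache.jit = "1251"   ; tracing trigger, minimal optimization
'

main() {
    v=$(printf '%s' "$SAMPLE_INI" | jit_from_ini) || { echo "no opcache.jit setting found"; return 0; }
    echo "opcache.jit=$v -> $(jit_describe "$v")"
    if jit_is_minimal_tracing "$v"; then
        echo "matches the reported configuration (tracing trigger, minimal optimization)"
    fi
}
main
```

Pipe a real `php.ini` (or the output of `php --ini` followed by the listed files) into `jit_from_ini` to audit a host; values PHP would reject, such as `1256`, are reported as invalid rather than silently decoded.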
