JIT: Check exception on exit

Author: arnaud-lb

ext/opcache/jit/zend_jit_internal.h

@@ -313,17 +313,18 @@ typedef enum _zend_jit_trace_stop {
 
 #define ZEND_JIT_TRACE_SUPPORTED    0
 
-#define ZEND_JIT_EXIT_JITED         (1<<0)
-#define ZEND_JIT_EXIT_BLACKLISTED   (1<<1)
-#define ZEND_JIT_EXIT_TO_VM         (1<<2) /* exit to VM without attempt to create a side trace */
-#define ZEND_JIT_EXIT_RESTORE_CALL  (1<<3) /* deoptimizer should restore EX(call) chain */
-#define ZEND_JIT_EXIT_POLYMORPHISM  (1<<4) /* exit because of polymorphic call */
-#define ZEND_JIT_EXIT_FREE_OP1      (1<<5)
-#define ZEND_JIT_EXIT_FREE_OP2      (1<<6)
-#define ZEND_JIT_EXIT_PACKED_GUARD  (1<<7)
-#define ZEND_JIT_EXIT_CLOSURE_CALL  (1<<8) /* exit because of polymorphic INIT_DYNAMIC_CALL call */
-#define ZEND_JIT_EXIT_METHOD_CALL   (1<<9) /* exit because of polymorphic INIT_METHOD_CALL call */
-#define ZEND_JIT_EXIT_INVALIDATE    (1<<10) /* invalidate current trace */
+#define ZEND_JIT_EXIT_JITED             (1<<0)
+#define ZEND_JIT_EXIT_BLACKLISTED       (1<<1)
+#define ZEND_JIT_EXIT_TO_VM             (1<<2) /* exit to VM without attempt to create a side trace */
+#define ZEND_JIT_EXIT_RESTORE_CALL      (1<<3) /* deoptimizer should restore EX(call) chain */
+#define ZEND_JIT_EXIT_POLYMORPHISM      (1<<4) /* exit because of polymorphic call */
+#define ZEND_JIT_EXIT_FREE_OP1          (1<<5)
+#define ZEND_JIT_EXIT_FREE_OP2          (1<<6)
+#define ZEND_JIT_EXIT_PACKED_GUARD      (1<<7)
+#define ZEND_JIT_EXIT_CLOSURE_CALL      (1<<8) /* exit because of polymorphic INIT_DYNAMIC_CALL call */
+#define ZEND_JIT_EXIT_METHOD_CALL       (1<<9) /* exit because of polymorphic INIT_METHOD_CALL call */
+#define ZEND_JIT_EXIT_INVALIDATE        (1<<10) /* invalidate current trace */
+#define ZEND_JIT_EXIT_CHECK_EXCEPTION   (1<<11)
 
 #define ZEND_JIT_EXIT_FIXED         (1U<<31) /* the exit_info can't be changed by zend_jit_snapshot_handler() */
 

ext/opcache/jit/zend_jit_ir.c

@@ -14696,7 +14696,7 @@ static int zend_jit_fetch_obj(zend_jit_ctx         *jit,
 		ZEND_ASSERT(end_inputs == IR_UNUSED);
 		if ((res_info & MAY_BE_GUARD) && JIT_G(current_frame)) {
 			uint8_t type = concrete_type(res_info);
-			uint32_t flags = 0;
+			uint32_t flags = ZEND_JIT_EXIT_CHECK_EXCEPTION;
 
 			if ((opline->op1_type & (IS_VAR|IS_TMP_VAR))
 			 && !delayed_fetch_this

ext/opcache/jit/zend_jit_trace.c

@@ -3498,7 +3498,7 @@ static int zend_jit_trace_exit_needs_deoptimization(uint32_t trace_num, uint32_t
 	uint32_t stack_size;
 	zend_jit_trace_stack *stack;
 
-	if (opline || (flags & (ZEND_JIT_EXIT_RESTORE_CALL|ZEND_JIT_EXIT_FREE_OP1|ZEND_JIT_EXIT_FREE_OP2))) {
+	if (opline || (flags & (ZEND_JIT_EXIT_RESTORE_CALL|ZEND_JIT_EXIT_FREE_OP1|ZEND_JIT_EXIT_FREE_OP2|ZEND_JIT_EXIT_CHECK_EXCEPTION))) {
 		return 1;
 	}
 
@@ -3658,7 +3658,7 @@ static int zend_jit_trace_deoptimization(
 		}
 	}
 
-	if (flags & (ZEND_JIT_EXIT_FREE_OP1|ZEND_JIT_EXIT_FREE_OP2)) {
+	if (flags & (ZEND_JIT_EXIT_FREE_OP1|ZEND_JIT_EXIT_FREE_OP2|ZEND_JIT_EXIT_CHECK_EXCEPTION)) {
 		zend_jit_check_exception(jit);
 	}
 
@@ -8719,9 +8719,14 @@ int ZEND_FASTCALL zend_jit_trace_exit(uint32_t exit_num, zend_jit_registers_buf
 			EX(opline) = opline-1;
 			zval_ptr_dtor_nogc(EX_VAR((opline-1)->op1.var));
 		}
-		if (t->exit_info[exit_num].flags & (ZEND_JIT_EXIT_FREE_OP1|ZEND_JIT_EXIT_FREE_OP2)) {
+		if (t->exit_info[exit_num].flags & (ZEND_JIT_EXIT_FREE_OP1|ZEND_JIT_EXIT_FREE_OP2|ZEND_JIT_EXIT_CHECK_EXCEPTION)) {
 			if (EG(exception)) {
-				return 1;
+				/* EX(opline) was overridden in zend_jit_trace_exit_stub(),
+				 * and may be wrong when IP is reused. */
+				if (GCC_GLOBAL_REGS) {
+					EX(opline) = EG(exception_op);
+				}
+				return 0;
 			}
 		}
 		if (t->exit_info[exit_num].flags & ZEND_JIT_EXIT_METHOD_CALL) {

ext/opcache/tests/jit/gh18262-001.phpt

@@ -0,0 +1,37 @@
+--TEST--
+GH-18262 001 (Assertion failure Zend/zend_vm_execute.h JIT)
+--CREDITS--
+YuanchengJiang
+--FILE--
+<?php
+#[AllowDynamicProperties]
+class B {
+    public int $fusion;
+}
+class C extends B {
+}
+class D extends C {
+    public function __destruct() {
+    }
+}
+$tests = [
+    [C::class, new C()],
+    [C::class, new B()],
+    [D::class, new B()],
+];
+foreach ($tests as [$class, $instance]) {
+    $obj = (new ReflectionClass($class))->newLazyProxy(function ($obj) use ($instance) {
+        $instance->b = 1;
+        return $instance;
+    });
+    var_dump($obj->b);
+}
+?>
+--EXPECTF--
+int(1)
+int(1)
+
+Fatal error: Uncaught TypeError: %s in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d

ext/opcache/tests/jit/gh18262-002.phpt

@@ -0,0 +1,34 @@
+--TEST--
+GH-18262 002 (Assertion failure Zend/zend_vm_execute.h JIT)
+--FILE--
+<?php
+#[AllowDynamicProperties]
+class B {
+    public function __construct($init) {
+        if ($init) {
+            $this->b = $init;
+        }
+    }
+}
+
+$tests = [
+    new B(1),
+    new B(0),
+];
+
+set_error_handler(function ($_, $errstr) {
+    throw new \Exception($errstr);
+});
+
+foreach ($tests as $obj) {
+    var_dump($obj->b);
+}
+?>
+--EXPECTF--
+int(1)
+
+Fatal error: Uncaught Exception: Undefined property: B::$b in %s:%d
+Stack trace:
+#0 %s(%d): {closure:%s:%d}(2, 'Undefined prope...', '/home/arnaud/de...', 21)
+#1 {main}
+  thrown in %s on line %d

ext/opcache/tests/jit/gh18262-003.phpt

@@ -0,0 +1,35 @@
+--TEST--
+GH-18262 003 (Assertion failure Zend/zend_vm_execute.h JIT)
+--FILE--
+<?php
+#[AllowDynamicProperties]
+class B {
+    public function __construct($init) {
+        if ($init) {
+            $this->b = $init;
+        }
+    }
+}
+
+$tests = [
+    new B(1),
+    new B('str'), // slow deoptimization, create linked side trace
+    new B(0),     // jump to side trace with fast deoptimization
+];
+
+set_error_handler(function ($_, $errstr) {
+    throw new \Exception($errstr);
+});
+
+foreach ($tests as $obj) {
+    try {
+        var_dump($obj->b);
+    } catch (Exception $e) {
+        printf("%s: %s\n", $e::class, $e->getMessage());
+    }
+}
+?>
+--EXPECT--
+int(1)
+string(3) "str"
+Exception: Undefined property: B::$b

ext/opcache/tests/jit/gh18262-004.phpt

@@ -0,0 +1,36 @@
+--TEST--
+GH-18262 004 (Assertion failure Zend/zend_vm_execute.h JIT)
+--FILE--
+<?php
+class B {
+    public function __construct(
+        public $throw,
+    ) { }
+    public function __get($name) {
+        return $this->throw === '1' ? 'str' : 1;
+    }
+    public function __destruct() {
+        if ($this->throw === '1') {
+            throw new Exception(__METHOD__);
+        }
+    }
+}
+
+$tests = [
+    '0',
+    '1',
+];
+
+foreach ($tests as $test) {
+    // Second iteration exits, and free op1 throws
+    var_dump((new B($test))->b);
+}
+?>
+--EXPECTF--
+int(1)
+
+Fatal error: Uncaught Exception: B::__destruct in %s:%d
+Stack trace:
+#0 %s(%d): B->__destruct()
+#1 {main}
+  thrown in %s on line %d