Applying non-zero offset 36 to null pointer in zend_jit.c

[YuanchengJiang]

Description

Run the following test code(phpt):

--TEST--
Applying non-zero offset 36 to null pointer in zend_jit.c
--INI--
opcache.enable=1
opcache.enable_cli=1
opcache.jit=function
--FILE--
<?php
$root  = str_replace('.php', "", __FILE__);
$base  = basename( $root );
include "php_cli_server.inc";
?>
--EXTENSIONS--
opcache
--CONFLICTS--
server
--EXPECT--

php_cli_server.inc: https://github.com/php/php-src/blob/master/ext/opcache/tests/php_cli_server.inc

Resulted in this output:

/php-src/ext/opcache/jit/zend_jit.c:2619:60: runtime error: applying non-zero offset 36 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /php-src/ext/opcache/jit/zend_jit.c:2619:60 in

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

[ndossche]

I can't reproduce this issue either. Can you please share information about how you built this (i.e. configure options + compiler version used), and how you run this?
The failure would be when getting the OP_DATA info, which would hint at a memory corruption issue somewhere, yet Valgrind nor ASAN show anything on my system...

[YuanchengJiang]

The following script can reproduce in my environment (with UBSan and ASan):

/php-src/sapi/cli/php  -n -c '/php-src/tmp-php.ini'   -d "opcache.cache_id=worker3" -d "output_handler=" -d "open_basedir=" -d "disable_functions=" -d "output_buffering=Off" -d "error_reporting=32767" -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d "html_errors=0" -d "track_errors=0" -d "report_memleaks=1" -d "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d "serialize_precision=-1" -d "memory_limit=128M" -d "opcache.fast_shutdown=0" -d "opcache.file_update_protection=0" -d "opcache.revalidate_freq=0" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" -d "opcache.jit_max_root_traces=100000" -d "opcache.jit_max_side_traces=100000" -d "opcache.jit_max_exit_counters=100000" -d "opcache.protect_memory=1" -d "zend.assertions=1" -d "zend.exception_ignore_args=0" -d "zend.exception_string_param_max_len=15" -d "short_open_tag=0" -d "extension_dir=/php-src/modules/" -d "zend_extension=/php-src/modules/opcache.so" -d "session.auto_start=0" -d "opcache.enable=1" -d "opcache.enable_cli=1" -d "opcache.jit=function" -f "/php-src/tests/merged/test.php"  2>&1

[ndossche]

Only trips Clang, GCC didn't warn here. So it's ssa_op that's NULL, and pointer arithmetic on that is indeed NULL...
The thing is that only one branch is actually possible to take, so we can just delay adding 1...