Fix GH-17727: JIT SEGV on OOM in dtor when creating backtrace

This became visible after GH-17056 was merged, but technically the lack of setting the opline is also present on lower branches. We set the opline to mirror the SAVE_OPLINE() from ZEND_INIT_STATIC_METHOD_CALL(). Closes GH-17732.
php · Feb 17, 2025 · a54ed9e · a54ed9e
1 parent 033a66b
commit a54ed9e
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
@@ -9327,6 +9327,7 @@ static int zend_jit_init_static_method_call(zend_jit_ctx         *jit,
 			ir_IF_FALSE_cold(if_static);
 		}
 
+		jit_SET_EX_OPLINE(jit, opline);
 		ref = ir_CALL_3(IR_ADDR, ir_CONST_FC_FUNC(zend_jit_push_this_method_call_frame),
 				scope_ref,
 				func_ref,

diff --git a/ext/opcache/tests/jit/gh17727.phpt b/ext/opcache/tests/jit/gh17727.phpt
@@ -0,0 +1,31 @@
+--TEST--
+GH-17727 (JIT SEGV on OOM in dtor when creating backtrace)
+--EXTENSIONS--
+opcache
+--SKIPIF--
+<?php
+if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
+?>
+--INI--
+opcache.jit=1254
+fatal_error_backtraces=1
+memory_limit=2M
+--CREDITS--
+arnaud-lb
+YuanchengJiang
+--FILE--
+<?php
+$str = str_repeat('a', 1024 * 1024 * 1.25);
+class DestructableObject
+{
+    public function __destruct()
+    {
+        DestructableObject::__destruct();
+    }
+}
+$_ = new DestructableObject();
+?>
+--EXPECTF--
+Fatal error: Allowed memory size of 2097152 bytes exhausted %s
+Stack trace:
+%A