Use must be in next opline assertion with patched infection & JIT

[danog]

Description

https://github.com/danog/jit_bugs, updated reproducer 4

Result:

About to run the standalone test
php: /php-src/Zend/Optimizer/zend_inference.c:3345: zend_result _zend_update_type_info(const zend_op_array *, zend_ssa *, const zend_script *, zend_bitset, const zend_op *, zend_ssa_op *, const zend_op **, zend_long, _Bool): Assertion `j == (opline - op_array->opcodes) + 1 && "Use must be in next opline"' failed.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7fcd0b539898 bp 0x7fcd0b72be90 sp 0x7ffc436cda00 T0)
==1==The signal is caused by a READ memory access.
==1==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x7fcd0b539898 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x28898) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #1 0x7fcd0b53971a  (/lib/x86_64-linux-gnu/libc.so.6+0x2871a) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #2 0x7fcd0b54ae95 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x39e95) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #3 0x55ef7767f37c in _zend_update_type_info /php-src/Zend/Optimizer/zend_inference.c:3345:8
    #4 0x55ef776b08d8 in zend_infer_types_ex /php-src/Zend/Optimizer/zend_inference.c:3843:8
    #5 0x55ef7769ce2c in zend_infer_types /php-src/Zend/Optimizer/zend_inference.c:4308:6
    #6 0x55ef7768e46e in zend_ssa_inference /php-src/Zend/Optimizer/zend_inference.c:4497:6
    #7 0x55ef775effdc in zend_dfa_analyze_op_array /php-src/Zend/Optimizer/dfa_pass.c:98:6
    #8 0x55ef7757b203 in zend_optimize_script /php-src/Zend/Optimizer/zend_optimizer.c:1515:9
    #9 0x7fcd0689ca65 in cache_script_in_shared_memory /php-src/ext/opcache/ZendAccelerator.c:1562:2
    #10 0x7fcd0689ae6e in persistent_compile_file /php-src/ext/opcache/ZendAccelerator.c:2156:24
    #11 0x55ef770367ab in compile_filename /php-src/Zend/zend_language_scanner.l:704:11
    #12 0x55ef77469965 in zend_include_or_eval /php-src/Zend/zend_execute.c:4926:19
    #13 0x55ef7732fa0f in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER /php-src/Zend/zend_vm_execute.h:39824:17
    #14 0x7fccc6859be4  (/dev/zero (deleted)+0x100006be4)

Ping @dstogov

PHP Version

PHP-8.3 or 3fb685b

Operating System

No response

[dstogov]

There is something wrong with this test case. It fails runuing php $refactor

PHP Fatal error:  Uncaught Error: Failed opening required '/home/.../jit_bugs/vendor/autoload.php' (include_path='.:/usr/share/pear:/usr/share/php') in /home/.../jit_bugs/refactor.php:16
Stack trace:
#0 {main}
  thrown in /home/.../jit_bugs/refactor.php on line 16

this may be fixed by

diff --git a/bugs/4_infection.sh b/bugs/4_infection.sh
index fa186e0..58ab62b 100755
--- a/bugs/4_infection.sh
+++ b/bugs/4_infection.sh
@@ -13,7 +13,8 @@ cd infection
 
 composer i --ignore-platform-reqs
 
-php $refactor
+cp $refactor .
+php refactor.php
 
 cp $standalone .
 cp $wrap .

[dstogov]

The reduced test case

<?php
function &foo(&$element, $property, $fallback = null) {
    foreach (array(0) as $_) {
        if (is_array($element) && (isset($element[$property]) || array_key_exists($property, $element))) {
            return $element[$property];
        } elseif (is_object($element) && property_exists($element, $property)) {
            return $element->{$property};
        }
        return $fallback;
    }
}

Affected PHP-8.1 and above

[danog]

There is something wrong with this test case.

Fixed!