From cbb3b9371d43e2d0e89d2919df7c8cfafba67a07 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 13 Nov 2024 18:27:26 +0100
Subject: [PATCH] Fix GH-16770: Tracing JIT type mismatch when returning UNDEF

When returning an UNDEF value, it actually becomes NULL.
The following code took this into account:
https://github.com/php/php-src/blob/28344e0445bc2abae8dc5f1376aa0ff350e6d66d/ext/opcache/jit/zend_jit_trace.c#L2196-L2199

But the stack does not update the type to NULL, causing a mismatch.

Closes GH-16784.

Co-authored-by: Dmitry Stogov <dmitry@zend.com>
---
 NEWS                               |  4 +++
 ext/opcache/jit/zend_jit_trace.c   |  3 +++
 ext/opcache/tests/jit/gh16770.phpt | 39 ++++++++++++++++++++++++++++++
 3 files changed, 46 insertions(+)
 create mode 100644 ext/opcache/tests/jit/gh16770.phpt

diff --git a/NEWS b/NEWS
index 2b3b9e3f9c2b7..97b4957143e4e 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,10 @@ PHP                                                                        NEWS
 - Hash:
   . Fixed GH-16711: Segfault in mhash(). (Girgias)
 
+- Opcache:
+  . Fixed bug GH-16770 (Tracing JIT type mismatch when returning UNDEF).
+    (nielsdos, Dmitry)
+
 - OpenSSL:
   . Prevent unexpected array entry conversion when reading key. (nielsdos)
   . Fix various memory leaks related to openssl exports. (nielsdos)
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
index 5b1186abd199d..bb35ffa2a050c 100644
--- a/ext/opcache/jit/zend_jit_trace.c
+++ b/ext/opcache/jit/zend_jit_trace.c
@@ -5404,6 +5404,9 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 							res_type = Z_TYPE_P(RT_CONSTANT(opline, opline->op1));
 						} else if (op1_type != IS_UNKNOWN) {
 							res_type = op1_type;
+							if (res_type == IS_UNDEF) {
+								res_type = IS_NULL;
+							}
 						}
 						if (op_array->type == ZEND_EVAL_CODE
 						 // TODO: support for top-level code
diff --git a/ext/opcache/tests/jit/gh16770.phpt b/ext/opcache/tests/jit/gh16770.phpt
new file mode 100644
index 0000000000000..71d796ade8ed9
--- /dev/null
+++ b/ext/opcache/tests/jit/gh16770.phpt
@@ -0,0 +1,39 @@
+--TEST--
+GH-16770 (Tracing JIT type mismatch when returning UNDEF)
+--INI--
+opcache.jit=1254
+opcache.jit_hot_loop=1
+opcache.jit_buffer_size=32M
+--EXTENSIONS--
+opcache
+--FILE--
+<?php
+function ret_undef($k) {
+    return $undefined;
+}
+for ($i = 0; $i < 10; $i++) {
+    $output = ret_undef($i);
+}
+var_dump($output);
+?>
+--EXPECTF--
+Warning: Undefined variable $undefined in %s on line %d
+
+Warning: Undefined variable $undefined in %s on line %d
+
+Warning: Undefined variable $undefined in %s on line %d
+
+Warning: Undefined variable $undefined in %s on line %d
+
+Warning: Undefined variable $undefined in %s on line %d
+
+Warning: Undefined variable $undefined in %s on line %d
+
+Warning: Undefined variable $undefined in %s on line %d
+
+Warning: Undefined variable $undefined in %s on line %d
+
+Warning: Undefined variable $undefined in %s on line %d
+
+Warning: Undefined variable $undefined in %s on line %d
+NULL