8.5beta1 JIT: zend_mm_heap corrupted error

[tbali0524]

Description

The following code:

// see attached file

[hard_cg_surface2.php](https://github.com/user-attachments/files/21791424/hard_cg_surface2.php)

Resulted in this output:

"zend_mm_heap corrupted" output in stderr

But I expected this output instead:

"359997" output in stdout

Note: the code works with 8.4.11 (JIT OFF and ON) and with 8.5.beta1 (JIT OFF), so only 8.5 JIT fails (including alpha1, alpha 4, beta1)
The test case is very heavy on recursion so this might be a JIT memory problem.
Interestingly with a slight modification (see source) I could get "Implicit conversion from float 2.67E-322 to int loses precision" warning which might be an arithmethic problem in JIT (as there is no float in code, only integers).
With some smaller test cases where recusrion is not this deep, the code works fine also with 8.5.beta1 (JIT ON).

php.ini settings (all other opcache setting on default):

opcache.enable = 1
opcache.enable_cli = 1
opcache.jit_buffer_size = 256M
opcache.jit = tracing

PHP Version

PHP 8.5.0-dev (cli) (built: Aug 12 2025 15:24:05) (ZTS Visual C++ 2022 x64)
Copyright (c) The PHP Group
Zend Engine v4.5.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.0-dev, Copyright (c), by Zend Technologies

Operating System

Windows 11

[nielsdos]

Your attached code is not showing up, please fix this so we can handle this report. Thanks.

[tbali0524]

<?php

declare(strict_types=1);

// This results "zend_mm_heap corrupted" output in stderr.
(new GameMap())->run();
// However, this results "PHP Deprecated:  Implicit conversion from float 2.67E-322 to int loses precision in hard_cg_surface2.php on line 53" output in stderr.
// echo (new GameMap())->getLakeArea(43, 54), PHP_EOL;

class GameMap
{
    /** @var int */
    public $maxX = 900;
    /** @var int */
    public $maxY = 400;
    /** @var array<int, string> */
    public $grid = [];
    /** @var array<int, array<int, int>> */
    public $lakeID = [];
    /** @var array<int, int> */
    public $lakeArea = [];

    public function __construct()
    {
        $this->grid = array_fill(0, $this->maxY, str_repeat('O', $this->maxX));
        $this->grid[$this->maxY - 1][600] = '#';
        $this->grid[$this->maxY - 1][601] = '#';
        $this->grid[$this->maxY - 1][602] = '#';
    }

    public function getLakeArea(int $x, int $y): int
    {
        if (($x < 0) or ($x >= $this->maxX) or ($y < 0) or ($y >= $this->maxY)) {
            return 0;
        }
        if ($this->grid[$y][$x] != 'O') {
            return 0;
        }
        if (isset($this->lakeID[$y][$x])) {
            return $this->lakeArea[$this->lakeID[$y][$x]];
        }
        $id = count($this->lakeArea);
        $this->lakeArea[$id] = 0;
        $this->floodFill($x, $y, $id);
        return $this->lakeArea[$id];
    }

    public function floodFill(int $x, int $y, int $id): void
    {
        if (($x < 0) or ($x >= $this->maxX) or ($y < 0) or ($y >= $this->maxY)) {
            return;
        }
        if ($this->grid[$y][$x] != 'O') {
            return;
        }
        if (isset($this->lakeID[$y][$x]) and ($this->lakeID[$y][$x] == $id)) {
            return;
        }
        $this->lakeID[$y][$x] = $id;
        ++$this->lakeArea[$id];
        $this->floodFill($x - 1, $y, $id);
        $this->floodFill($x + 1, $y, $id);
        $this->floodFill($x, $y - 1, $id);
        $this->floodFill($x, $y + 1, $id);
    }

    public function run(): void
    {
        echo $this->getLakeArea(43, 54), PHP_EOL;
    }    
}

[tbali0524]

hard_cg_surface2.php

[nielsdos]

Can confirm on Windows:

Assertion failed: (((zend_executor_globals *) (((char*) _tsrm_ls_cache)+(executor_globals_offset)))->vm_stack_top) > (zval *) (((zend_executor_globals *) (((char*) _tsrm_ls_cache)+(executor_globals_offset)))->vm_stack) && (((zend_executor_globals *) (((char*) _tsrm_ls_cache)+(executor_globals_offset)))->vm_stack_end) > (zval *) (((zend_executor_globals *) (((char*) _tsrm_ls_cache)+(executor_globals_offset)))->vm_stack) && (((zend_executor_globals *) (((char*) _tsrm_ls_cache)+(executor_globals_offset)))->vm_stack_top) <= (((zend_executor_globals *) (((char*) _tsrm_ls_cache)+(executor_globals_offset)))->vm_stack_end)

Need to figure out still what the actual configuration is where this occurs. (e.g. does this occur on ZTS+Linux too?)

EDIT: no dice yet on Linux, repros on Windows+NTS too:

Assertion failed: (executor_globals.vm_stack_top) > (zval *) (executor_globals.vm_stack) && (executor_globals.vm_stack_end) > (zval *) (executor_globals.vm_stack) && (executor_globals.vm_stack_top) <= (executor_globals.vm_stack_end), file C:\php-sdk\phpdev\vs17\x64\php-src\Zend/zend_execute.h, line 406

[nielsdos]

It reproduces on Linux too under Clang, may be related to global regs and now I'm thinking about the VM changes done on 8.5-dev that affect Clang. I will investigate later today (EDIT: indeed caused by 76d7c61).

php: /run/media/niels/MoreData/php-src/Zend/zend_execute.h:406: void zend_vm_stack_free_call_frame_ex(uint32_t, zend_execute_data *): Assertion `(executor_globals.vm_stack_top) > (zval *) (executor_globals.vm_stack) && (executor_globals.vm_stack_end) > (zval *) (executor_globals.vm_stack) && (executor_globals.vm_stack_top) <= (executor_globals.vm_stack_end)' failed.
Aborted                    (core dumped) ./sapi/cli/php -d memory_limit=-1 -d opcache.jit=tracing -d opcache.jit_buffer_size=512M -d opcache.enable=1 -d opcache.enable_cli=1 jit.php