From 2fc9f07f63f98c3c599ffc16e6245e2550d9a8ec Mon Sep 17 00:00:00 2001 From: Alexandre Daubois Date: Fri, 9 Jan 2026 11:33:02 +0100 Subject: [PATCH 1/2] Core: fix missing deprecation when accessing null array key with JIT --- Zend/Optimizer/sccp.c | 12 ++++++++++++ ext/opcache/tests/jit/fetch_dim_r_001.phpt | 4 +++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/Zend/Optimizer/sccp.c b/Zend/Optimizer/sccp.c index 7e2fc2db1b256..643e79d68ba35 100644 --- a/Zend/Optimizer/sccp.c +++ b/Zend/Optimizer/sccp.c @@ -1535,6 +1535,12 @@ static void sccp_visit_instr(scdf_ctx *scdf, zend_op *opline, zend_ssa_op *ssa_o SKIP_IF_TOP(op1); SKIP_IF_TOP(op2); + if (op2 && Z_TYPE_P(op2) == IS_NULL) { + /* Emits deprecation at run-time. */ + SET_RESULT_BOT(result); + break; + } + if (ct_eval_fetch_dim(&zv, op1, op2, (opline->opcode != ZEND_FETCH_LIST_R)) == SUCCESS) { SET_RESULT(result, &zv); zval_ptr_dtor_nogc(&zv); @@ -1546,6 +1552,12 @@ static void sccp_visit_instr(scdf_ctx *scdf, zend_op *opline, zend_ssa_op *ssa_o SKIP_IF_TOP(op1); SKIP_IF_TOP(op2); + if (op2 && Z_TYPE_P(op2) == IS_NULL) { + /* Emits deprecation at run-time. */ + SET_RESULT_BOT(result); + break; + } + if (ct_eval_isset_dim(&zv, opline->extended_value, op1, op2) == SUCCESS) { SET_RESULT(result, &zv); zval_ptr_dtor_nogc(&zv); diff --git a/ext/opcache/tests/jit/fetch_dim_r_001.phpt b/ext/opcache/tests/jit/fetch_dim_r_001.phpt index 3ff56263db683..819ec7edca655 100644 --- a/ext/opcache/tests/jit/fetch_dim_r_001.phpt +++ b/ext/opcache/tests/jit/fetch_dim_r_001.phpt @@ -30,7 +30,7 @@ function foo() { } foo(); ?> ---EXPECT-- +--EXPECTF-- int(1) int(3) int(2) @@ -38,6 +38,8 @@ int(1) int(3) int(1) int(2) + +Deprecated: Using null as an array offset is deprecated, use an empty string instead in %s on line %d int(4) int(5) int(5) From 681ef2808097ee15a5d4d034f89ca2676824b417 Mon Sep 17 00:00:00 2001 From: Alexandre Daubois Date: Mon, 12 Jan 2026 10:22:52 +0100 Subject: [PATCH 2/2] address Ilija and Dmitry comments --- NEWS | 2 ++ Zend/Optimizer/sccp.c | 18 ++++-------------- 2 files changed, 6 insertions(+), 14 deletions(-) diff --git a/NEWS b/NEWS index 43216c000120f..9e02bc1c864cf 100644 --- a/NEWS +++ b/NEWS @@ -11,6 +11,8 @@ PHP NEWS function triggered by bailout in php_output_lock_error()). (timwolla) . Fix OSS-Fuzz #471533782 (Infinite loop in GC destructor fiber). (ilutov) . Fix OSS-Fuzz #472563272 (Borked block_pass JMP[N]Z optimization). (ilutov) + . Fix deprecation now showing when accessing null key of an array with JIT. + (alexandre-daubois) - MbString: . Fixed bug GH-20833 (mb_str_pad() divide by zero if padding string is diff --git a/Zend/Optimizer/sccp.c b/Zend/Optimizer/sccp.c index 643e79d68ba35..8287df040c890 100644 --- a/Zend/Optimizer/sccp.c +++ b/Zend/Optimizer/sccp.c @@ -363,8 +363,7 @@ static inline zend_result zval_to_string_offset(zend_long *result, zval *op) { static inline zend_result fetch_array_elem(zval **result, zval *op1, zval *op2) { switch (Z_TYPE_P(op2)) { case IS_NULL: - *result = zend_hash_find(Z_ARR_P(op1), ZSTR_EMPTY_ALLOC()); - return SUCCESS; + return FAILURE; case IS_FALSE: *result = zend_hash_index_find(Z_ARR_P(op1), 0); return SUCCESS; @@ -428,6 +427,9 @@ static inline zend_result ct_eval_isset_isempty(zval *result, uint32_t extended_ } static inline zend_result ct_eval_isset_dim(zval *result, uint32_t extended_value, zval *op1, zval *op2) { + if (Z_TYPE_P(op2) == IS_NULL) { + return FAILURE; + } if (Z_TYPE_P(op1) == IS_ARRAY || IS_PARTIAL_ARRAY(op1)) { zval *value; if (fetch_array_elem(&value, op1, op2) == FAILURE) { @@ -1535,12 +1537,6 @@ static void sccp_visit_instr(scdf_ctx *scdf, zend_op *opline, zend_ssa_op *ssa_o SKIP_IF_TOP(op1); SKIP_IF_TOP(op2); - if (op2 && Z_TYPE_P(op2) == IS_NULL) { - /* Emits deprecation at run-time. */ - SET_RESULT_BOT(result); - break; - } - if (ct_eval_fetch_dim(&zv, op1, op2, (opline->opcode != ZEND_FETCH_LIST_R)) == SUCCESS) { SET_RESULT(result, &zv); zval_ptr_dtor_nogc(&zv); @@ -1552,12 +1548,6 @@ static void sccp_visit_instr(scdf_ctx *scdf, zend_op *opline, zend_ssa_op *ssa_o SKIP_IF_TOP(op1); SKIP_IF_TOP(op2); - if (op2 && Z_TYPE_P(op2) == IS_NULL) { - /* Emits deprecation at run-time. */ - SET_RESULT_BOT(result); - break; - } - if (ct_eval_isset_dim(&zv, opline->extended_value, op1, op2) == SUCCESS) { SET_RESULT(result, &zv); zval_ptr_dtor_nogc(&zv);