Closed danog closed 11 months ago
A better reproducer: https://github.com/danog/jit_bugs (test 2).
Thanks for the https://github.com/danog/jit_bugs repo. Test 2 should be fixed now. Test 1 is actually reported at https://github.com/php/php-src/issues/11795. Should I take a look at the others?
Hi @dstogov, thanks! It seems like issue 2 is still present on master (a heap overflow with ASAN, since the fix only affected the old JIT). Thanks for the info on issue 1. Regarding the other issues, I think they can mostly be ignored, except for the last one (5), which is actually causing a GC infinite loop hang after several hours of execution; it's particularly nasty to reproduce, will try to whip up a better reproducer...
Additionally, there's an issue with fibers unrelated to JIT or opcache that causes memory corruption in certain cases if a fiber is resumed after an exception in the shutdown handler, I've been seeing a lot of reports including in the amphp chat, and got the issue myself several times (an impossible TypeError on corrupted return values), but haven't managed to reliably reproduce yet...
The only way of sometimes reproducing the issue is running reproducer 3 and randomly hitting ctrl-c multiple times during the handshake, but still it's super hard to reproduce reliably...
I think this is a different issue. The new JIT avoided this error out of the box. BTW, I also see a heap-buffer-overflow on test 2 with PHP-8.3. This is definitely a different problem.
```text
==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6100000a6904 at pc 0x7fd17fc3e492 bp 0x7ffd5cbefbb0 sp 0x7ffd5cbefba8
READ of size 4 at 0x6100000a6904 thread T0
LLVMSymbolizer: error reading file: No such file or directory
    #0 0x7fd17fc3e491 in zend_jit_assign_to_typed_prop /php-src/ext/opcache/jit/zend_jit_helpers.c:2567:30
    #1 0x7fd13f9a5230 (/dev/zero (deleted)+0x100696230)
    #2 0x56521f81bbf7 in zend_execute /php-src/Zend/zend_vm_execute.h:61584:2
    #3 0x56521f767588 in zend_execute_scripts /php-src/Zend/zend.c:1876:4
    #4 0x56521f56d89f in php_execute_script /php-src/main/main.c:2492:13
    #5 0x56521fcf9847 in do_cli /php-src/sapi/cli/php_cli.c:966:5
    #6 0x56521fcf73da in main /php-src/sapi/cli/php_cli.c:1340:18
    #7 0x7fd1845eed8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

0x6100000a6904 is located 12 bytes after 184-byte region [0x6100000a6840,0x6100000a68f8)
allocated by thread T0 here:
    #0 0x7fd18539ea4e in __interceptor_malloc (/usr/lib/llvm-16/lib/clang/16/lib/linux/libclang_rt.asan-x86_64.so+0xe3a4e) (BuildId: 8c0845aee3ffdc74a2f46d1eb4f0a349cdc69d67)
    #1 0x56521f68d6d4 in __zend_malloc /php-src/Zend/zend_alloc.c:3130:14
    #2 0x56521f68cf2f in _malloc_custom /php-src/Zend/zend_alloc.c:2493:10
    #3 0x56521f68ce01 in _emalloc /php-src/Zend/zend_alloc.c:2612:10
    #4 0x56521fb047c3 in zend_objects_new /php-src/Zend/zend_objects.c:189:24
    #5 0x56521fb05dbd in zend_objects_clone_obj /php-src/Zend/zend_objects.c:291:15
    #6 0x56521f967883 in ZEND_CLONE_SPEC_TMPVAR_HANDLER /php-src/Zend/zend_vm_execute.h:14772:2
    #7 0x7fd13f9a51ee (/dev/zero (deleted)+0x1006961ee)
    #8 0x56521f81bbf7 in zend_execute /php-src/Zend/zend_vm_execute.h:61584:2
    #9 0x56521f767588 in zend_execute_scripts /php-src/Zend/zend.c:1876:4
    #10 0x56521f56d89f in php_execute_script /php-src/main/main.c:2492:13
    #11 0x56521fcf9847 in do_cli /php-src/sapi/cli/php_cli.c:966:5
    #12 0x56521fcf73da in main /php-src/sapi/cli/php_cli.c:1340:18
    #13 0x7fd1845eed8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
```
The problem is that this error occurs after an hour of work :(
The last heap-buffer-overflow should be fixed now in PHP-8.1 and above.
Description
The following code: https://github.com/nicelocal/psalm/tree/rector_pass (a fork of Psalm, commit 9d3fee47afa90f3eb53043a26f01e587d2dd34e5)
Running using (the xdebug env is used to avoid overwriting the opcache config; xdebug is neither installed nor enabled):
With this config:
Resulted in this output:
But I expected this output instead: no abort.
ping @dstogov
PHP Version
master
Operating System
Arch linux