SEGV zend_inference_propagate_range #17990

Open
YuanchengJiang opened this issue Mar 7, 2025 · 3 comments

Comments

@YuanchengJiang

Description

The following code:

<?php
class MyClass
{
    // Runs during request shutdown; the call chain below is what the
    // JIT tries to trace (see zend_objects_destroy_object in the backtrace).
    public function __destruct()
    {
        echo 'Shutdown: ' . foo() . PHP_EOL;
    }
}
function bar($arg) {
    return $arg;
}
function foo() {
    bar(41);
    return bar(42);
}
$mc = new MyClass();
require 'server.inc';
$responses = array(
);
['pid' => $pid, 'uri' => $uri] = http_server($responses, $output);
$f = file_get_contents($uri);
var_dump(http_get_last_response_headers());
http_server_kill($pid);

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3977233==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000004389d9f bp 0x7ffd32f5b0b0 sp 0x7ffd32f5a040 T0)
==3977233==The signal is caused by a READ memory access.
==3977233==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x4389d9f in zend_inference_propagate_range /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/Optimizer/zend_inference.c:1559:34
    #1 0x7e2f3b46fb5d in zend_jit_trace_propagate_range /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:982:6
    #2 0x7e2f3b46d284 in zend_jit_trace_copy_ssa_var_range /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:1024:4
    #3 0x7e2f3b2d0ea5 in zend_jit_trace_build_tssa /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:2282:6
    #4 0x7e2f3b123ecc in zend_jit_trace /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:4115:8
    #5 0x7e2f3b06db16 in zend_jit_compile_root_trace /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:7498:14
    #6 0x7e2f3b05fa67 in zend_jit_trace_hot_root /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:8171:10
    #7 0x7e2f3b024a1f in zend_jit_trace_counter_helper /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:371:7
    #8 0x7e2f3b024060 in zend_jit_func_trace_helper /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:394:2
    #9 0x4a00e97 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
    #10 0x4993698 in zend_call_function /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:1008:3
    #11 0x4999d4e in zend_call_known_function /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:1102:23
    #12 0x5646134 in zend_call_known_instance_method /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:860:2
    #13 0x5640f8b in zend_call_known_instance_method_with_0_params /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_API.h:866:2
    #14 0x564028f in zend_objects_destroy_object /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_objects.c:194:3
    #15 0x5633560 in zend_objects_store_call_destructors /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_objects_API.c:57:7
    #16 0x496ef79 in shutdown_destructors /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:266:3
    #17 0x5793b6b in zend_call_destructors /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1335:3
    #18 0x3f81048 in php_request_shutdown /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:1921:3
    #19 0x57bfb45 in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1151:3
    #20 0x57b4b4f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1355:18
    #21 0x7e2f42530d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #22 0x7e2f42530e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #23 0x606174 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x606174)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/Optimizer/zend_inference.c:1559:34 in zend_inference_propagate_range
==3977233==ABORTING

To reproduce:

./php-src/sapi/cli/php  -d "opcache.jit_hot_func=1" -d "zend.exception_ignore_args=0" -d "zend.exception_string_param_max_len=15" -d "short_open_tag=0" -d "extension_dir=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/" -d "zend_extension=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/opcache.so" -d "session.auto_start=0" -d "zlib.output_compression=Off" -d "zend_test.observer.enabled=1" -d "zend_test.observer.show_output=1" -d "zend_test.observer.observe_all=1" -d "zend_test.observer.show_return_value=1" -d "allow_url_fopen=1" -d "session.cookie_secure=0" -d "opcache.enable=1" -d "opcache.enable_cli=1" -d "opcache.jit=1254" ./test.php

Commit:

cd586623b65c86b423883eda20411634e49084ba

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

This bug is unstable to reproduce. The script and config are thus also not that minimal.

PHP Version: cd58662

Operating System: No response

@nielsdos (Member)

I can reproduce this but it's still flaky.
Here's a slightly more reliable (and simpler) reproducer that uses neither external files nor I/O.
It seems related to killing the process while it's already shutting down.

<?php
class MyClass
{
    public function __destruct()
    {
        foo(3);
    }
}
function foo($x) {
    return $x + 42;
}
$mc = new MyClass();
eval('');
function do_fork() {
    $pid = pcntl_fork();
    if ($pid) {
        return $pid;
    }

    exit(0);
}
$pid = do_fork();
usleep(100); // XXX: might need tweak for your system
posix_kill($pid, SIGTERM);

@iluuu1994 (Member)

/cc @dstogov, in case you have not seen this one yet.

@dstogov (Member)

dstogov commented Mar 31, 2025

I can't reproduce this and can't be sure about the real issue.
I guess the forked process might try to access SHM after detaching it in the parent (or something similar).
@nielsdos can you try to investigate this deeper?
