
SEGV zend_jit_trace_copy_ssa_var_range #18134

Open
YuanchengJiang opened this issue Mar 24, 2025 · 5 comments

Comments

@YuanchengJiang

Description

The following code:

```php
<?php
$cls = new DateTime();
foo();
function foo() {
    global $LAST;
}
// ~1.25 MiB string; the repro command runs with memory_limit=2M.
$fusion = str_repeat('a', 1024 * 1024 * 1.25);
class DestructableObject
{
}
$_ = new DestructableObject();
// Repeated calls so the method becomes hot under opcache.jit_hot_func=1 and a
// root trace is compiled (zend_jit_trace_hot_root in the stack below).
try {$cls->getMicrosecond();} catch (Exception $e) { echo($e); }
try {$cls->getMicrosecond();} catch (Exception $e) { echo($e); }
try {$cls->getMicrosecond();} catch (Exception $e) { echo($e); }
try {$cls->getMicrosecond();} catch (Exception $e) { echo($e); }
try {$cls->getMicrosecond();} catch (Exception $e) { echo($e); }
try {$cls->getMicrosecond();} catch (Exception $e) { echo($e); }
try {$cls->getMicrosecond();} catch (Exception $e) { echo($e); }
```

Resulted in this output:

```text
AddressSanitizer:DEADLYSIGNAL
=================================================================
==56999==ERROR: AddressSanitizer: SEGV on unknown address 0x77bab5571ca8 (pc 0x77c35b88db6e bp 0x7fff8033a630 sp 0x7fff80339ce0 T0)
==56999==The signal is caused by a READ memory access.
    #0 0x77c35b88db6e in zend_jit_trace_copy_ssa_var_range /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:1004:36
    #1 0x77c35b6f317b in zend_jit_trace_build_tssa /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:2276:6
    #2 0x77c35b54678c in zend_jit_trace /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:4115:8
    #3 0x77c35b4903d6 in zend_jit_compile_root_trace /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:7498:14
    #4 0x77c35b482327 in zend_jit_trace_hot_root /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:8171:10
    #5 0x77c35b4472df in zend_jit_trace_counter_helper /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:371:7
    #6 0x77c35b446920 in zend_jit_func_trace_helper /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_vm_helpers.c:394:2
    #7 0x4a00967 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
    #8 0x4a02bec in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64247:2
    #9 0x57a3a79 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1943:3
    #10 0x3f9945a in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2584:13
    #11 0x3f9a598 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2624:9
    #12 0x57b898a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:952:5
    #13 0x57b2d6f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1355:18
    #14 0x77c3628a1d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x77c3628a1e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #16 0x606174 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x606174)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:1004:36 in zend_jit_trace_copy_ssa_var_range
==56999==ABORTING
```

To reproduce:

```sh
./php-src/sapi/cli/php --repeat 2  -d "opcache.cache_id=worker29" -d "output_handler=" -d "open_basedir=" -d "disable_functions=" -d "output_buffering=Off" -d "error_reporting=30719" -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d "html_errors=0" -d "track_errors=0" -d "report_memleaks=1" -d "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d "serialize_precision=-1" -d "memory_limit=2M" -d "opcache.fast_shutdown=0" -d "opcache.file_update_protection=0" -d "opcache.revalidate_freq=0" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" -d "opcache.jit_max_root_traces=100000" -d "opcache.jit_max_side_traces=100000" -d "opcache.jit_max_exit_counters=100000" -d "opcache.protect_memory=1" -d "zend.assertions=1" -d "zend.exception_ignore_args=0" -d "zend.exception_string_param_max_len=15" -d "short_open_tag=0" -d "extension_dir=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/" -d "zend_extension=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/opcache.so" -d "session.auto_start=0" -d "zlib.output_compression=Off" -d "opcache.record_warnings=1" -d "opcache.jit=1254" -d "fatal_error_backtraces=1" -d "max_execution_time=60" -d "opcache.enable=1" -d "opcache.enable_cli=1" ./test.php
```

Commit:

a28fb52719020ed737a869b5355892318cc13d29

Configurations:

```sh
CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv
```

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

a28fb52


@iluuu1994
Member

I'm having trouble reproducing this. I've tried passing all the given flags, with/without zts, and with/without zend_test, with gcc and clang.

@nielsdos
Member

Stack trace overlaps with #17990, might be related. Did not try reproducing this one (yet).

@YuanchengJiang
Author

(For triggering more JIT bugs) I am trying the --repeat 2 flag in the fuzzer; sometimes it makes the PoC unstable.

@iluuu1994
Member

--repeat 2 is a good idea, but I did see and pass that flag when trying to reproduce.

@YuanchengJiang
Author

Yep, understood. I am having the same problem locally. The fuzzer can find various sanitizer alerts, but I can only reproduce a few 🤔
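The thread's two practical problems, a crash that only reproduces on some runs and the question of whether this stack overlaps another report, both come down to re-running the PoC many times and comparing crash signatures rather than eyeballing one sanitizer dump. The harness below is an added example, not code from the issue, from FlowFusion or from php-src. It extracts a stable signature (kind, function, file, line) from AddressSanitizer output, ignoring ASLR-dependent addresses, and re-runs a script N times with and without `--repeat 2` under a subset of the reported ini flags, tallying which signature each run produced. The php binary path, the ini subset (the `zend_extension` path from the report is deliberately left for the caller to add), the run count and the embedded ASan sample (constructed from the frames quoted in the issue) are all assumptions.

```python
"""Triage harness for a flaky sanitizer crash in the PHP JIT (added example).

Not part of the issue or of php-src. Assumptions: the php binary path, the
ini subset below, run counts, and the constructed ASan sample.
"""
import re
import subprocess
import sys
from collections import Counter

# Constructed sample, modelled on the SUMMARY/frame lines in the report above.
SAMPLE_ASAN = """\
AddressSanitizer:DEADLYSIGNAL
==56999==ERROR: AddressSanitizer: SEGV on unknown address 0x77bab5571ca8 (pc 0x77c35b88db6e bp 0x7fff8033a630 sp 0x7fff80339ce0 T0)
==56999==The signal is caused by a READ memory access.
    #0 0x77c35b88db6e in zend_jit_trace_copy_ssa_var_range /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:1004:36
    #1 0x77c35b6f317b in zend_jit_trace_build_tssa /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:2276:6
SUMMARY: AddressSanitizer: SEGV /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/opcache/jit/zend_jit_trace.c:1004:36 in zend_jit_trace_copy_ssa_var_range
==56999==ABORTING
"""

# SUMMARY line: "SUMMARY: AddressSanitizer: <kind> <file>:<line>[:<col>] in <func>"
SUMMARY_RE = re.compile(
    r"^SUMMARY: AddressSanitizer: (?P<kind>[\w-]+) (?P<loc>\S+?):(?P<line>\d+)(?::\d+)? in (?P<func>\w+)",
    re.M,
)
# Stack frame: "    #N 0x... in <func> <file>:<line>:<col>"
FRAME_RE = re.compile(r"^\s+#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)


def asan_signature(output):
    """Return (kind, function, file basename, line) or None if there is no ASan report.

    The SUMMARY line is used because it is stable across runs; the addresses in
    the ERROR line change with ASLR and must not be part of the signature.
    """
    m = SUMMARY_RE.search(output)
    if m:
        return (m["kind"], m["func"], m["loc"].rsplit("/", 1)[-1], int(m["line"]))
    # Fallback if the output was truncated before SUMMARY: use frame #0.
    f = FRAME_RE.search(output)
    if f:
        parts = f["loc"].rsplit(":", 2)
        line = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
        return ("UNKNOWN", f["func"], parts[0].rsplit("/", 1)[-1], line)
    return None


def stack_prefix(output, depth=3):
    """Top `depth` function names, for checking overlap with another report's stack."""
    return [m["func"] for m in FRAME_RE.finditer(output)][:depth]


# Assumed subset of the reported ini flags that make the tracing JIT kick in early.
JIT_INI = {
    "opcache.enable": "1",
    "opcache.enable_cli": "1",
    "opcache.jit": "1254",
    "opcache.jit_hot_func": "1",
    "opcache.jit_hot_loop": "1",
    "opcache.jit_hot_return": "1",
    "opcache.jit_hot_side_exit": "1",
    "opcache.protect_memory": "1",
    "memory_limit": "2M",
}


def build_cmd(php, script, ini=JIT_INI, repeat=None):
    """php [--repeat N] -d k=v ... script"""
    cmd = [php]
    if repeat:
        cmd += ["--repeat", str(repeat)]
    for k, v in ini.items():
        cmd += ["-d", f"{k}={v}"]
    cmd.append(script)
    return cmd


def run_poc(php, script, runs=20, repeat=None, ini=JIT_INI, timeout=60):
    """Run the PoC `runs` times; return a Counter of signatures ('clean' = no ASan report)."""
    tally = Counter()
    for _ in range(runs):
        try:
            p = subprocess.run(build_cmd(php, script, ini, repeat),
                               capture_output=True, text=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            tally["timeout"] += 1
            continue
        sig = asan_signature(p.stdout + p.stderr)  # ASan reports go to stderr
        tally[sig if sig else "clean"] += 1
    return tally


if __name__ == "__main__":
    print("sample signature:", asan_signature(SAMPLE_ASAN))
    print("sample stack prefix:", stack_prefix(SAMPLE_ASAN, 2))
    if len(sys.argv) >= 3:  # usage: python triage.py /path/to/php test.php
        for rep in (None, 2):
            print(f"--repeat {rep}:", run_poc(sys.argv[1], sys.argv[2], repeat=rep))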
