Bug #80426 Crash when using JIT and an extension replacing zend_execute_ex with custom
Submitted: 2020-11-26 20:33 UTC Modified: 2020-11-30 11:51 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: patrickallaert@php.net Assigned: nikic (profile)
Status: Closed Package: JIT
PHP Version: 8.0.0 OS: Linux
Private report: No CVE-ID: None
 [2020-11-26 20:33 UTC] patrickallaert@php.net
Description:
------------
Using a minimal extension [1] that replaces zend_execute_ex with a decorator function, and running a simple PHP script [2] in cli with JIT enabled, makes it crash.

[1] https://github.com/patrickallaert/extcrash
[2] https://github.com/patrickallaert/extcrash/blob/master/test.php

Test script:
---------------
See https://github.com/patrickallaert/extcrash.

Compile it and run the test.php script with:

php -d zend_extension=opcache -dopcache.enable_cli=1 -dopcache.jit_buffer_size=100M -dextension=extcrash test.php

Expected result:
----------------
No crash

Actual result:
--------------
Crashes with the following info:

gdb /usr/local/php-8.0-debug/bin/php
(gdb) run -d zend_extension=opcache -dopcache.enable_cli=1 -dopcache.jit_buffer_size=100M -dextension=extcrash test.php
Starting program: /usr/local/php-8.0-debug/bin/php -d zend_extension=opcache -dopcache.enable_cli=1 -dopcache.jit_buffer_size=100M -dextension=extcrash test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
php: ext/opcache/jit/zend_jit_trace.c:7314: zend_jit_trace_exit: Assertion `((execute_data)->opline) >= ((execute_data)->func)->op_array.opcodes && ((execute_data)->opline) < ((execute_data)->func)->op_array.opcodes + ((execute_data)->func)->op_array.last' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff757fa41 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff757fa41 in raise () from /lib64/libc.so.6
#1  0x00007ffff7569536 in abort () from /lib64/libc.so.6
#2  0x00007ffff756941f in __assert_fail_base.cold () from /lib64/libc.so.6
#3  0x00007ffff7578332 in __assert_fail () from /lib64/libc.so.6
#4  0x00007ffff4fa30c6 in zend_jit_trace_exit (exit_num=3, regs=0x7fffffff9990) at ext/opcache/jit/zend_jit_trace.c:7314
#5  0x000000004800049a in ?? ()
#6  0x00000000408d26a0 in ?? ()
#7  0x0000555556d7a6c8 in executor_globals ()
#8  0x00007ffff50022c8 in ?? ()
#9  0x0000555555c9e769 in _destroy_zend_class_traits_info (ce=0x408d26a0) at /home/patrick.allaert/Projets/php-src/Zend/zend_opcode.c:256
#10 0xff00ffffffffffff in ?? ()
#11 0xffffffff000000ff in ?? ()
#12 0x0000000000000000 in ?? ()

 [2020-11-27 13:16 UTC] patrickallaert@php.net
If the assertion is removed from php's source, it segfaults with:

Program received signal SIGSEGV, Segmentation fault.
zval_undefined_cv (var=80) at /home/patrick.allaert/Projets/php-src/Zend/zend_execute.c:270
270                     zend_string *cv = CV_DEF_OF(EX_VAR_TO_NUM(var));
(gdb) bt
#0  zval_undefined_cv (var=80) at /home/patrick.allaert/Projets/php-src/Zend/zend_execute.c:270
#1  0x0000555555cf0d59 in _zval_undefined_op1 () at /home/patrick.allaert/Projets/php-src/Zend/zend_execute.c:278
#2  0x0000555555d4f2b1 in zend_pre_inc_helper_SPEC_CV () at /home/patrick.allaert/Projets/php-src/Zend/zend_vm_execute.h:37224
#3  0x0000555555d4f414 in ZEND_PRE_INC_SPEC_CV_RETVAL_UNUSED_HANDLER () at /home/patrick.allaert/Projets/php-src/Zend/zend_vm_execute.h:37261
#4  0x0000555555d721f0 in execute_ex (ex=0x7ffff4e13020) at /home/patrick.allaert/Projets/php-src/Zend/zend_vm_execute.h:57706
#5  0x00007ffff512c114 in custom_zend_execute (execute_data=0x7ffff4e13020) at /home/patrick.allaert/Projets/extcrash/extcrash.c:11
#6  0x0000555555d734fe in zend_execute (op_array=0x7ffff4e5c280, return_value=0x0) at /home/patrick.allaert/Projets/php-src/Zend/zend_vm_execute.h:58856
#7  0x0000555555cc756a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/patrick.allaert/Projets/php-src/Zend/zend.c:1680
#8  0x0000555555c2a5d0 in php_execute_script (primary_file=0x7fffffffc280) at /home/patrick.allaert/Projets/php-src/main/main.c:2488
#9  0x0000555555db3252 in do_cli (argc=7, argv=0x555556d94dd0) at /home/patrick.allaert/Projets/php-src/sapi/cli/php_cli.c:949
#10 0x0000555555db4297 in main (argc=7, argv=0x555556d94dd0) at /home/patrick.allaert/Projets/php-src/sapi/cli/php_cli.c:1336
 [2020-11-30 11:42 UTC] patrickallaert@php.net
Should be fixed by commit https://github.com/php/php-src/commit/d5a82e2c4eebe8337ff7790db46d812af2fbcec9 and, correct me if I am wrong, as part of PHP 8.0.1.
 [2020-11-30 11:51 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-11-30 11:51 UTC] nikic@php.net
That's right!