Closed
Description
The following code:
<?php
class Foo {
    public $array;
    public function __destruct() {
        var_dump(count($this->array[0]));
        var_dump($this->array[0]);
    }
}
$array = [[new Foo]];
$array[0][0]->array =& $array;
unset($array[0][0]);
while (1) {
    $a[] = 1;
}
?>
Resulted in this output:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==703495==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6452e0f12c (pc 0x7f6342caf61d bp 0x7ffce1b79350 sp 0x7ffce1b767e0 T0)
==703495==The signal is caused by a WRITE memory access.
#0 0x7f6342caf61d in ir_build_cfg /php-src/ext/opcache/jit/ir/ir_cfg.c:249:62
#1 0x7f63436e9a08 in zend_jit_ir_compile /php-src/ext/opcache/jit/zend_jit_ir.c:2771:2
#2 0x7f63435c763d in zend_jit_finish /php-src/ext/opcache/jit/zend_jit_ir.c:16106:10
#3 0x7f63432c30c2 in zend_jit /php-src/ext/opcache/jit/zend_jit.c:2731:12
#4 0x7f6343227c9a in zend_real_jit_func /php-src/ext/opcache/jit/zend_jit.c:2838:6
#5 0x7f6343259ac7 in zend_jit_op_array /php-src/ext/opcache/jit/zend_jit.c:3119:10
#6 0x7f6342c000be in zend_accel_script_persist /php-src/ext/opcache/zend_persist.c:1406:4
#7 0x7f6342c469d0 in cache_script_in_shared_memory /php-src/ext/opcache/ZendAccelerator.c:1633:26
#8 0x7f6342c3bc33 in persistent_compile_file /php-src/ext/opcache/ZendAccelerator.c:2167:24
#9 0x5607cf694e79 in zend_execute_script /php-src/Zend/zend.c:1906:28
#10 0x5607ce268126 in php_execute_script_ex /php-src/main/main.c:2576:13
#11 0x5607ce2689c8 in php_execute_script /php-src/main/main.c:2616:9
#12 0x5607cf6a2e23 in do_cli /php-src/sapi/cli/php_cli.c:935:5
#13 0x5607cf69e842 in main /php-src/sapi/cli/php_cli.c:1309:18
#14 0x7f6348bfbd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#15 0x7f6348bfbe3f in __libc_start_main csu/../csu/libc-start.c:392:3
#16 0x5607cc403244 in _start (/php-src/sapi/cli/php+0x1c03244) (BuildId: ea1107b56bcacf26d93971c8756ecefcd9c57b47)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /php-src/ext/opcache/jit/ir/ir_cfg.c:249:62 in ir_build_cfg
To reproduce:
-d "zend_extension=/php-src/modules/opcache.so" -d "opcache.enable=1" -d "opcache.enable_cli=1" -d "opcache.jit=0201"
PHP Version
PHP 8.4.0-dev
Operating System
Ubuntu 22.04