archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix GH-17257: UBSAN warning in ext/opcache/jit/zend_jit_vm_helpers.c

Browse source 
EX(opline) / opline can be stale if the IP is not stored, like in this
case on a trace enter. We always need to make sure that the opline is up
to date to make sure we don't use stale data.

Closes GH-17260.
This commit is contained in:
Niels Dossche 2024-12-25 00:26:14 +01:00
parent 956576b0b4
commit f4fb77ed61
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
5 changed files with 47 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

2
NEWS
View file

@ -74,6 +74,8 @@ PHP NEWS
. Fixed bug GH-17151 (Incorrect RC inference of op1 of FETCH_OBJ and . Fixed bug GH-17151 (Incorrect RC inference of op1 of FETCH_OBJ and
INIT_METHOD_CALL). (Dmitry, ilutov) INIT_METHOD_CALL). (Dmitry, ilutov)
. Fixed bug GH-17246 (GC during SCCP causes segfault). (Dmitry) . Fixed bug GH-17246 (GC during SCCP causes segfault). (Dmitry)
. Fixed bug GH-17257 (UBSAN warning in ext/opcache/jit/zend_jit_vm_helpers.c).
(nielsdos, Dmitry)
- PCNTL: - PCNTL:
. Fix memory leak in cleanup code of pcntl_exec() when a non stringable . Fix memory leak in cleanup code of pcntl_exec() when a non stringable

1
ext/opcache/jit/zend_jit_internal.h
View file

@ -231,6 +231,7 @@ ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_func_counter_helper(ZEND_OPCODE_H
ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_loop_counter_helper(ZEND_OPCODE_HANDLER_ARGS); ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_loop_counter_helper(ZEND_OPCODE_HANDLER_ARGS);
void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D); void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D);
void ZEND_FASTCALL zend_jit_copy_extra_args_helper_no_skip_recv(EXECUTE_DATA_D);
bool ZEND_FASTCALL zend_jit_deprecated_helper(OPLINE_D); bool ZEND_FASTCALL zend_jit_deprecated_helper(OPLINE_D);
void ZEND_FASTCALL zend_jit_undefined_long_key(EXECUTE_DATA_D); void ZEND_FASTCALL zend_jit_undefined_long_key(EXECUTE_DATA_D);
void ZEND_FASTCALL zend_jit_undefined_long_key_ex(zend_long key EXECUTE_DATA_DC); void ZEND_FASTCALL zend_jit_undefined_long_key_ex(zend_long key EXECUTE_DATA_DC);

9
ext/opcache/jit/zend_jit_ir.c
View file

@ -3050,6 +3050,7 @@ static void zend_jit_setup_disasm(void)
REGISTER_HELPER(zend_jit_undefined_long_key_ex); REGISTER_HELPER(zend_jit_undefined_long_key_ex);
REGISTER_HELPER(zend_jit_undefined_string_key); REGISTER_HELPER(zend_jit_undefined_string_key);
REGISTER_HELPER(zend_jit_copy_extra_args_helper); REGISTER_HELPER(zend_jit_copy_extra_args_helper);
REGISTER_HELPER(zend_jit_copy_extra_args_helper_no_skip_recv);
REGISTER_HELPER(zend_jit_vm_stack_free_args_helper); REGISTER_HELPER(zend_jit_vm_stack_free_args_helper);
REGISTER_HELPER(zend_free_extra_named_params); REGISTER_HELPER(zend_free_extra_named_params);
REGISTER_HELPER(zend_jit_free_call_frame); REGISTER_HELPER(zend_jit_free_call_frame);
@ -10110,6 +10111,7 @@ static int zend_jit_do_fcall(zend_jit_ctx *jit, const zend_op *opline, const zen
} }
} }
} else { } else {
ir_ref helper;
if (!trace || (trace->op == ZEND_JIT_TRACE_END if (!trace || (trace->op == ZEND_JIT_TRACE_END
&& trace->stop == ZEND_JIT_TRACE_STOP_INTERPRETER)) { && trace->stop == ZEND_JIT_TRACE_STOP_INTERPRETER)) {
ir_ref ip; ir_ref ip;
@ -10123,11 +10125,14 @@ static int zend_jit_do_fcall(zend_jit_ctx *jit, const zend_op *opline, const zen
ip = ir_LOAD_A(ir_ADD_OFFSET(func_ref, offsetof(zend_op_array, opcodes))); ip = ir_LOAD_A(ir_ADD_OFFSET(func_ref, offsetof(zend_op_array, opcodes)));
} }
jit_LOAD_IP(jit, ip); jit_LOAD_IP(jit, ip);
helper = ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper);
} else {
helper = ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper_no_skip_recv);
} }
if (GCC_GLOBAL_REGS) { if (GCC_GLOBAL_REGS) {
ir_CALL(IR_VOID, ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper)); ir_CALL(IR_VOID, helper);
} else { } else {
ir_CALL_1(IR_VOID, ir_CONST_FC_FUNC(zend_jit_copy_extra_args_helper), jit_FP(jit)); ir_CALL_1(IR_VOID, helper, jit_FP(jit));
} }
} }
} else { } else {

14
ext/opcache/jit/zend_jit_vm_helpers.c
View file

@ -120,7 +120,7 @@ ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_leave_func_helper(EXECUTE_DATA_D)
} }
} }
void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D) static void ZEND_FASTCALL zend_jit_copy_extra_args_helper_ex(bool skip_recv EXECUTE_DATA_DC)
{ {
zend_op_array *op_array = &EX(func)->op_array; zend_op_array *op_array = &EX(func)->op_array;
@ -130,7 +130,7 @@ void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)
zval *end, *src, *dst; zval *end, *src, *dst;
uint32_t type_flags = 0; uint32_t type_flags = 0;
if (EXPECTED((op_array->fn_flags & ZEND_ACC_HAS_TYPE_HINTS) == 0)) { if (skip_recv && EXPECTED((op_array->fn_flags & ZEND_ACC_HAS_TYPE_HINTS) == 0)) {
/* Skip useless ZEND_RECV and ZEND_RECV_INIT opcodes */ /* Skip useless ZEND_RECV and ZEND_RECV_INIT opcodes */
#ifdef HAVE_GCC_GLOBAL_REGS #ifdef HAVE_GCC_GLOBAL_REGS
opline += first_extra_arg; opline += first_extra_arg;
@ -166,6 +166,16 @@ void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)
} }
} }
void ZEND_FASTCALL zend_jit_copy_extra_args_helper(EXECUTE_DATA_D)
{
zend_jit_copy_extra_args_helper_ex(true EXECUTE_DATA_CC);
}
void ZEND_FASTCALL zend_jit_copy_extra_args_helper_no_skip_recv(EXECUTE_DATA_D)
{
zend_jit_copy_extra_args_helper_ex(false EXECUTE_DATA_CC);
}
bool ZEND_FASTCALL zend_jit_deprecated_helper(OPLINE_D) bool ZEND_FASTCALL zend_jit_deprecated_helper(OPLINE_D)
{ {
zend_execute_data *call = (zend_execute_data *) opline; zend_execute_data *call = (zend_execute_data *) opline;

25
ext/opcache/tests/jit/gh17257.phpt Normal file
View file

@ -0,0 +1,25 @@
--TEST--
GH-17257 (SEGV ext/opcache/jit/zend_jit_vm_helpers.c)
--EXTENSIONS--
opcache
--INI--
opcache.jit_buffer_size=32M
opcache.jit=1254
opcache.jit_hot_func=1
--FILE--
<?php
function get_const() {
}
function test() {
call_user_func('get_const', 1); // need an extra arg to trigger the issue
}
function main(){
for ($i = 0; $i < 10; $i++) {
test();
}
echo "Done\n";
}
main();
?>
--EXPECT--
Done