Skip to content

Fix segfault in JIT#18289

Closed
realFlowControl wants to merge 1 commit intophp:PHP-8.4from
realFlowControl:florian/fix-opline-in-jit
Closed

Fix segfault in JIT#18289
realFlowControl wants to merge 1 commit intophp:PHP-8.4from
realFlowControl:florian/fix-opline-in-jit

Conversation

@realFlowControl
Copy link
Contributor

@realFlowControl realFlowControl commented Apr 9, 2025

This PR saves the opline, as otherwise it can be a dangling pointer

@realFlowControl realFlowControl mentioned this pull request Apr 9, 2025
Closed
@realFlowControl realFlowControl force-pushed the florian/fix-opline-in-jit branch from 9e6b036 to ce29717 Compare April 9, 2025 14:40
@realFlowControl realFlowControl force-pushed the florian/fix-opline-in-jit branch from ce29717 to abac1f6 Compare April 10, 2025 05:46
@realFlowControl realFlowControl changed the base branch from master to PHP-8.4 April 10, 2025 05:47
@realFlowControl realFlowControl marked this pull request as ready for review April 10, 2025 14:50
@dstogov
Copy link
Member

dstogov commented Apr 11, 2025

Hi, can you demonstrate the problem with a test case?

@morrisonlevi
Copy link
Contributor

morrisonlevi commented Apr 11, 2025

No easy reproducer at this time. The issue is happening with Datadog's allocation profiler. We're working on verifying the issue manually with the customer which hit the issue.

The rough idea at this time: if this path is taken, and allocations start happening then the profiler may gather a sample. Then we read a bad opline when walking the stack and collecting file and line information.

@dstogov
Copy link
Member

dstogov commented Apr 11, 2025

@arnaud-lb doesn't this look similar to the problem you are fixing in #18297
@realFlowControl @morrisonlevi can you check the fix from that PR.

arnaud-lb
arnaud-lb approved these changes Apr 11, 2025
View reviewed changes
Copy link
Member

@arnaud-lb arnaud-lb left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dstogov I think this is a different issue.

This looks similar the classic issue where emitting an error from the allocator crashes because EX(opline) is not initialized (we crash when fetching the file/line for the error message). The usual fix is to save opline in op handlers that may allocate.

In this case the op handler is zend_jit_func_counter_helper() or zend_jit_loop_counter_helper(), which call zend_jit_hot_func(), so saving opline there seems fine.

For zend_jit_trace_counter_helper() we save in zend_jit_trace_hot_root() (here).

dstogov
dstogov approved these changes Apr 14, 2025
View reviewed changes
Copy link
Member

@dstogov dstogov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK. You convinced me. Approved.

@arnaud-lb arnaud-lb closed this in 061b46e Apr 15, 2025
@arnaud-lb
Copy link
Member

arnaud-lb commented Apr 15, 2025

Thank you @realFlowControl!

This was referenced May 28, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arnaud-lb arnaud-lb arnaud-lb approved these changes

@dstogov dstogov dstogov approved these changes

Assignees

No one assigned

Labels

Extension: opcache

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@realFlowControl @dstogov @morrisonlevi @arnaud-lb