Skip to content

Fix segfault in JIT #18289

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Fix segfault in JIT #18289

wants to merge 1 commit into from

Conversation

realFlowControl
Copy link
Contributor

This PR saves the opline, as otherwise it can be a dangling pointer

@realFlowControl realFlowControl mentioned this pull request Apr 9, 2025
Closed
@realFlowControl realFlowControl force-pushed the florian/fix-opline-in-jit branch from 9e6b036 to ce29717 Compare April 9, 2025 14:40
@realFlowControl realFlowControl force-pushed the florian/fix-opline-in-jit branch from ce29717 to abac1f6 Compare April 10, 2025 05:46
@realFlowControl realFlowControl changed the base branch from master to PHP-8.4 April 10, 2025 05:47
@realFlowControl realFlowControl marked this pull request as ready for review April 10, 2025 14:50
@dstogov
Copy link
Member

dstogov commented Apr 11, 2025

Hi, can you demonstrate the problem with a test case?

@morrisonlevi
Copy link
Contributor

No easy reproducer at this time. The issue is happening with Datadog's allocation profiler. We're working on verifying the issue manually with the customer which hit the issue.

The rough idea at this time: if this path is taken, and allocations start happening then the profiler may gather a sample. Then we read a bad opline when walking the stack and collecting file and line information.

@dstogov
Copy link
Member

dstogov commented Apr 11, 2025

@arnaud-lb doesn't this look similar to the problem you are fixing in #18297
@realFlowControl @morrisonlevi can you check the fix from that PR.

arnaud-lb
arnaud-lb approved these changes Apr 11, 2025
View reviewed changes
Copy link
Member

@arnaud-lb arnaud-lb left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dstogov I think this is a different issue.

This looks similar the classic issue where emitting an error from the allocator crashes because EX(opline) is not initialized (we crash when fetching the file/line for the error message). The usual fix is to save opline in op handlers that may allocate.

In this case the op handler is zend_jit_func_counter_helper() or zend_jit_loop_counter_helper(), which call zend_jit_hot_func(), so saving opline there seems fine.

For zend_jit_trace_counter_helper() we save in zend_jit_trace_hot_root() (here).

dstogov
dstogov approved these changes Apr 14, 2025
View reviewed changes
Copy link
Member

@dstogov dstogov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK. You convinced me. Approved.

@arnaud-lb arnaud-lb closed this in 061b46e Apr 15, 2025
@arnaud-lb
Copy link
Member

Thank you @realFlowControl!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arnaud-lb arnaud-lb arnaud-lb approved these changes

@dstogov dstogov dstogov approved these changes

Assignees
No one assigned
Labels
Extension: opcache
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@realFlowControl @dstogov @morrisonlevi @arnaud-lb