PHP crash with JIT enabled #12481

Closed
terax6669 opened this issue Oct 19, 2023 · 9 comments

terax6669 commented Oct 19, 2023

Description

I'm using google/protobuf v3.24.4.
The following code:

<?php
$codedInputStream->readVarint32($value);

Resulted in: PHP process crash with exit code 5

Changing $var &= 0xFFFFFFFF; to $var = $var & 0xFFFFFFFF; as well as removing all the PHP_INT_SIZE conditions resolves the issue.
The error doesn't always occur in the same place (it's somewhat random +- a few lines/loops), but can be consistently reproduced. Also it seems to only occur when you do it very fast in a loop enough times. Adding a bunch of debug output slowed down my console to the point where the error did not occur anymore and the process successfully finished.

Not sure how else I could help reproduce the issue on your side, I'm not at liberty to share the data I'm processing.

PHP Version

PHP 8.2.11 (cli) (built: Sep 26 2023 15:25:31) (ZTS Visual C++ 2019 x64)
PHP 8.3.1 (cli) (built: Dec 20 2023 14:06:10) (ZTS Visual C++ 2019 x64)
PHP 8.3.1 (cli) (built: Dec 20 2023 14:06:30) (NTS Visual C++ 2019 x64)

Operating System

Windows 11

Member

dstogov commented Oct 23, 2023

Sorry, I'm not able to analyse the problem without a reproduction case.

@terax6669
Author

@dstogov
I've been able to create a self-contained reproduction case.

php_jit_crash.zip

Some additional context:

terax@PHOENIX:/mnt/c/tools/php82-ts$ php -version
PHP 8.2.11 (cli) (built: Sep 26 2023 15:25:31) (ZTS Visual C++ 2019 x64)
Copyright (c) The PHP Group
Zend Engine v4.2.11, Copyright (c) Zend Technologies
    with Zend OPcache v8.2.11, Copyright (c), by Zend Technologies


terax@PHOENIX:/mnt/c/tools/php82-ts$ php -i | grep opcache
opcache.blacklist_filename => no value => no value
opcache.cache_id => no value => no value
opcache.consistency_checks => 0 => 0
opcache.dups_fix => Off => Off
opcache.enable => On => On
opcache.enable_cli => On => On
opcache.enable_file_override => Off => Off
opcache.error_log => no value => no value
opcache.file_cache => no value => no value
opcache.file_cache_consistency_checks => On => On
opcache.file_cache_fallback => On => On
opcache.file_cache_only => Off => Off
opcache.file_update_protection => 2 => 2
opcache.force_restart_timeout => 180 => 180
opcache.interned_strings_buffer => 8 => 8
opcache.jit => tracing => tracing
opcache.jit_bisect_limit => 0 => 0
opcache.jit_blacklist_root_trace => 16 => 16
opcache.jit_blacklist_side_trace => 8 => 8
opcache.jit_buffer_size => 256M => 256M
opcache.jit_debug => 0 => 0
opcache.jit_hot_func => 127 => 127
opcache.jit_hot_loop => 64 => 64
opcache.jit_hot_return => 8 => 8
opcache.jit_hot_side_exit => 8 => 8
opcache.jit_max_exit_counters => 8192 => 8192
opcache.jit_max_loop_unrolls => 8 => 8
opcache.jit_max_polymorphic_calls => 2 => 2
opcache.jit_max_recursive_calls => 2 => 2
opcache.jit_max_recursive_returns => 2 => 2
opcache.jit_max_root_traces => 1024 => 1024
opcache.jit_max_side_traces => 128 => 128
opcache.jit_prof_threshold => 0.005 => 0.005
opcache.log_verbosity_level => 1 => 1
opcache.max_accelerated_files => 10000 => 10000
opcache.max_file_size => 0 => 0
opcache.max_wasted_percentage => 5 => 5
opcache.memory_consumption => 128 => 128
opcache.mmap_base => no value => no value
opcache.opt_debug_level => 0 => 0
opcache.optimization_level => 0x7FFEBFFF => 0x7FFEBFFF
opcache.preferred_memory_model => no value => no value
opcache.preload => no value => no value
opcache.protect_memory => Off => Off
opcache.record_warnings => Off => Off
opcache.restrict_api => no value => no value
opcache.revalidate_freq => 2 => 2
opcache.revalidate_path => Off => Off
opcache.save_comments => On => On
opcache.use_cwd => On => On
opcache.validate_permission => Off => Off
opcache.validate_timestamps => On => On

Member

dstogov commented Nov 22, 2023

Sorry for the long delay.
I can't test this because I recently upgraded to Fedora 39 with broken docker.
I'll return to this as soon as they repair the docker.

Member

dstogov commented Dec 18, 2023

I finally got the docker working, but I can't reproduce the crash with the provided script. Not with PHP master nor with PHP-8.2 HEAD (8.2.15-dev NTS DEBUG build). Maybe the bug has already been fixed.

@terax6669 Could you please check if you can still reproduce the problem with the PHP-8.2 branch?

Member

dstogov commented Dec 18, 2023

@danog could you please also try to reproduce this problem?

Contributor

danog commented Dec 18, 2023

@dstogov Tried and could not reproduce on 8.2, master and 8.2.11, both with the usual jit_bugs config and the config specified here.

Maybe it's caused by some Windows-specific JIT code? I did test on Linux after all...

Member

dstogov commented Dec 18, 2023

@danog thanks for the confirmation.
I didn't notice this was Windows related...
@terax6669 do you run just php test.php?

@terax6669
Author

Yes, it's on Windows, I don't have a real Linux environment. I can try running it under WSL if you'd like me to verify that it also happens there.

I downloaded these:

and ran ..\php-8.3.1-Win32-vs16-x64\php.exe -c ..\php-8.3.1-nts-Win32-vs16-x64\php.ini-production -d extension_dir=ext -d zend_extension=opcache -d opcache.enable_cli=1 -d opcache.jit_buffer_size=256M test.php
crash is pretty much instantaneous.


@dstogov
Copy link
Member

dstogov commented Jan 22, 2024

The reduced test case (crashes only on Windows 64).

<?php
function foo(&$var) {
    $var &= 0xFFFFFFFF;
    return intval($var);
}
$v = 0x7FFFFFFF1;
for ($i = 0; $i < 100; $i++) {
    foo($v);
}
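
Added example, not part of the thread and not php-src code: a differential check that runs the reduced test case above in child processes with `opcache.jit=off` and `opcache.jit=tracing` and compares exit code and result, which is how a crash or miscompilation limited to one platform can be caught on the affected build. It assumes OPcache is already loaded by the `php.ini` of the running binary (the thread loads it with `-d zend_extension=opcache` instead); `runChild` and the temp file name are hypothetical.

```php
<?php
// Child script: the reduced test case from the issue, plus output of the
// result and of the JIT state so a silently disabled JIT is not a false pass.
const CHILD = <<<'CODE'
<?php
function foo(&$var) {
    $var &= 0xFFFFFFFF;
    return intval($var);
}
$v = 0x7FFFFFFF1;
for ($i = 0; $i < 100; $i++) {
    $r = foo($v);
}
$status = function_exists('opcache_get_status') ? opcache_get_status(false) : false;
echo json_encode(['result' => $r, 'jit_on' => (bool)($status['jit']['on'] ?? false)]);
CODE;

// Run the child under one opcache.jit mode; the other flags mirror the thread.
function runChild(string $file, string $jitMode): array
{
    $cmd = [PHP_BINARY, '-d', 'opcache.enable_cli=1', '-d', 'opcache.jit_buffer_size=256M',
            '-d', "opcache.jit=$jitMode", $file];
    $proc = proc_open($cmd, [1 => ['pipe', 'w']], $pipes); // stderr is inherited
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start child PHP process');
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exit = proc_close($proc); // non-zero when the child crashed
    return ['exit' => $exit, 'data' => json_decode($stdout, true)];
}

$file = tempnam(sys_get_temp_dir(), 'jit'); // hypothetical temp file for the child
file_put_contents($file, CHILD);
$expected = 0x7FFFFFFF1 & 0xFFFFFFFF; // 0xFFFFFFF1, computed on 64-bit PHP
$failed = false;
foreach (['off', 'tracing'] as $mode) {
    $run = runChild($file, $mode);
    $jitOn = $run['data']['jit_on'] ?? false;
    $good = $run['exit'] === 0 && ($run['data']['result'] ?? null) === $expected;
    if ($mode === 'tracing' && $good && !$jitOn) {
        echo "jit=tracing: inconclusive, JIT was not active in the child\n";
        continue;
    }
    $failed = $failed || !$good;
    printf("jit=%s: exit=%d result=%s => %s\n", $mode, $run['exit'],
        var_export($run['data']['result'] ?? null, true), $good ? 'ok' : 'FAIL');
}
unlink($file);
exit($failed ? 1 : 0);
```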

dstogov added a commit that referenced this issue Jan 22, 2024
* PHP-8.2:
  Fix GH-12481: PHP crash with JIT enabled
dstogov added a commit that referenced this issue Jan 22, 2024
* PHP-8.3:
  Fix GH-12481: PHP crash with JIT enabled