Add runtime type inference verification

Author: iluuu1994

.github/workflows/push.yml

@@ -65,9 +65,9 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - debug: false
-            zts: false
-            asan: false
+          # - debug: false
+          #   zts: false
+          #   asan: false
           - debug: true
             zts: true
             asan: true
@@ -114,7 +114,7 @@ jobs:
           configurationParameters: >-
             --${{ matrix.debug && 'enable' || 'disable' }}-debug
             --${{ matrix.zts && 'enable' || 'disable' }}-zts
-            ${{ matrix.asan && 'CFLAGS="-fsanitize=undefined,address -DZEND_TRACK_ARENA_ALLOC" LDFLAGS="-fsanitize=undefined,address" CC=clang-16 CXX=clang++-16 --disable-opcache-jit' || '' }}
+            ${{ matrix.asan && 'CFLAGS="-fsanitize=undefined,address -DZEND_TRACK_ARENA_ALLOC -DZEND_VERIFY_TYPE_INFERENCE" LDFLAGS="-fsanitize=undefined,address" CC=clang-16 CXX=clang++-16 --disable-opcache-jit' || '' }}
           skipSlow: ${{ matrix.asan }}
       - name: make
         run: make -j$(/usr/bin/nproc) >/dev/null
@@ -136,11 +136,12 @@ jobs:
           runTestsParameters: >-
             -d zend_extension=opcache.so
             -d opcache.enable_cli=1
-            ${{ matrix.asan && '--asan -x' || '' }}
+            ${{ matrix.asan && '--asan -x --verify-type-inference' || '' }}
       - name: Verify generated files are up to date
         if: ${{ !matrix.asan }}
         uses: ./.github/actions/verify-generated-files
   MACOS_DEBUG_NTS:
+    if: false
     runs-on: macos-12
     steps:
       - name: git checkout
@@ -173,6 +174,7 @@ jobs:
       - name: Verify generated files are up to date
         uses: ./.github/actions/verify-generated-files
   WINDOWS:
+    if: false
     name: WINDOWS_X64_ZTS
     runs-on: windows-2019
     env:
@@ -199,7 +201,8 @@ jobs:
         run: .github/scripts/windows/test.bat
   BENCHMARKING:
     name: BENCHMARKING
-    if: github.repository_owner == 'php' || github.event_name == 'pull_request'
+    if: false
+    # if: github.repository_owner == 'php' || github.event_name == 'pull_request'
     runs-on: ubuntu-22.04
     steps:
       - name: git checkout

Zend/Optimizer/zend_inference.c

@@ -1974,7 +1974,8 @@ static uint32_t get_ssa_alias_types(zend_ssa_alias_kind alias) {
 				if (__type & (MAY_BE_REF|MAY_BE_RCN)) {					\
 					__type |= MAY_BE_RC1 | MAY_BE_RCN;					\
 				}														\
-				if ((__type & MAY_BE_RC1) && (__type & MAY_BE_STRING)) {\
+				/* FIXME: Not sure if this is the correct fix */		\
+				if ((__type & MAY_BE_RC1) && (__type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_RESOURCE))) { \
 					/* TODO: support for array keys and ($str . "")*/   \
 					__type |= MAY_BE_RCN;                               \
 				}                                                       \

Zend/Optimizer/zend_optimizer.c

@@ -1470,6 +1470,47 @@ static void zend_optimizer_call_registered_passes(zend_script *script, void *ctx
 	}
 }
 
+#ifdef ZEND_VERIFY_TYPE_INFERENCE
+static void propagate_ssa_inferred_types_to_oplines(zend_op_array *op_array, void *context)
+{
+	zend_func_info *func_info = ZEND_FUNC_INFO(op_array);
+	if (func_info == NULL) {
+		return;
+	}
+
+	zend_ssa *ssa = &func_info->ssa;
+
+	for (uint32_t i = 0; i < ssa->vars_count; i++) {
+		zend_ssa_var *var = &ssa->vars[i];
+		zend_ssa_var_info *var_info = &ssa->var_info[i];
+		if (var->definition > 0) {
+			zend_op *opline = &op_array->opcodes[var->definition];
+			opline->result_inferred_type = var_info->type;
+		}
+
+		int use;
+		FOREACH_USE(var, use) {
+			zend_op *opline = &op_array->opcodes[use];
+			zend_ssa_op *ssa_op = &ssa->ops[use];
+			if (ssa_op->op1_use == i) {
+				if (!opline->swapped_operands) {
+					opline->op1_inferred_type = var_info->type;
+				} else {
+					opline->op2_inferred_type = var_info->type;
+				}
+			}
+			if (ssa_op->op2_use == i) {
+				if (!opline->swapped_operands) {
+					opline->op2_inferred_type = var_info->type;
+				} else {
+					opline->op1_inferred_type = var_info->type;
+				}
+			}
+		} FOREACH_USE_END();
+	}
+}
+#endif
+
 ZEND_API void zend_optimize_script(zend_script *script, zend_long optimization_level, zend_long debug_level)
 {
 	zend_op_array *op_array;
@@ -1591,6 +1632,10 @@ ZEND_API void zend_optimize_script(zend_script *script, zend_long optimization_l
 			}
 		}
 
+#ifdef ZEND_VERIFY_TYPE_INFERENCE
+		zend_foreach_op_array(script, propagate_ssa_inferred_types_to_oplines, NULL);
+#endif
+
 		for (i = 0; i < call_graph.op_arrays_count; i++) {
 			ZEND_SET_FUNC_INFO(call_graph.op_arrays[i], NULL);
 		}

Zend/zend_compile.c

@@ -124,6 +124,12 @@ static void init_op(zend_op *op)
 	MAKE_NOP(op);
 	op->extended_value = 0;
 	op->lineno = CG(zend_lineno);
+#ifdef ZEND_VERIFY_TYPE_INFERENCE
+	op->result_inferred_type = 0;
+	op->op1_inferred_type = 0;
+	op->op2_inferred_type = 0;
+	op->swapped_operands = false;
+#endif
 }
 
 static zend_always_inline uint32_t get_next_op_number(void)

Zend/zend_compile.h

@@ -143,6 +143,12 @@ struct _zend_op {
 	uint8_t op1_type;     /* IS_UNUSED, IS_CONST, IS_TMP_VAR, IS_VAR, IS_CV */
 	uint8_t op2_type;     /* IS_UNUSED, IS_CONST, IS_TMP_VAR, IS_VAR, IS_CV */
 	uint8_t result_type;  /* IS_UNUSED, IS_CONST, IS_TMP_VAR, IS_VAR, IS_CV */
+#ifdef ZEND_VERIFY_TYPE_INFERENCE
+	uint32_t op1_inferred_type;
+	uint32_t op2_inferred_type;
+	uint32_t result_inferred_type;
+	bool swapped_operands;
+#endif
 };
 
 

Zend/zend_execute.c

@@ -4639,6 +4639,10 @@ static void zend_swap_operands(zend_op *op) /* {{{ */
 	op->op1_type = op->op2_type;
 	op->op2      = tmp;
 	op->op2_type = tmp_type;
+
+#ifdef ZEND_VERIFY_TYPE_INFERENCE
+	op->swapped_operands = !op->swapped_operands;
+#endif
 }
 /* }}} */
 #endif
@@ -5303,14 +5307,158 @@ static zend_always_inline zend_execute_data *_zend_vm_stack_push_call_frame(uint
 # include "zend_vm_trace_map.h"
 #endif
 
+#ifdef ZEND_VERIFY_TYPE_INFERENCE
+static bool zend_verify_type_inference(uint32_t type_mask, zval *value)
+{
+	if (type_mask == 0) {
+		return true;
+	}
+
+	// IS_PTR is used internally, skip for now
+	if (Z_TYPE_P(value) == IS_PTR) {
+		return true;
+	}
+
+	if (Z_TYPE_P(value) == IS_INDIRECT) {
+		if (!(type_mask & MAY_BE_INDIRECT)) {
+			return false;
+		}
+		value = Z_INDIRECT_P(value);
+	}
+
+	if (Z_REFCOUNTED_P(value)) {
+		if (Z_REFCOUNT_P(value) == 1 && !(type_mask & MAY_BE_RC1)) {
+			return false;
+		}
+		if (Z_REFCOUNT_P(value) > 1 && !(type_mask & MAY_BE_RCN)) {
+			return false;
+		}
+	}
+
+	if (Z_TYPE_P(value) == IS_REFERENCE) {
+		if (!(type_mask & MAY_BE_REF)) {
+			return false;
+		}
+		value = Z_REFVAL_P(value);
+	}
+
+	uint32_t type = 1u << Z_TYPE_P(value);
+	if (!(type_mask & type)) {
+		return false;
+	}
+
+	if (Z_TYPE_P(value) == IS_ARRAY) {
+		HashTable *ht = Z_ARRVAL_P(value);
+		uint32_t num_checked = 0;
+		zend_string *str;
+		zval *val;
+		ZEND_HASH_FOREACH_STR_KEY_VAL(ht, str, val) {
+			if (str) {
+				if (!(type_mask & MAY_BE_ARRAY_KEY_STRING)) {
+					return false;
+				}
+			} else {
+				if (!(type_mask & MAY_BE_ARRAY_KEY_LONG)) {
+					return false;
+				}
+			}
+
+			uint32_t array_type = 1u << (Z_TYPE_P(val) + MAY_BE_ARRAY_SHIFT);
+			if (!(type_mask & array_type)) {
+				return false;
+			}
+
+			/* Don't check all elements of large arrays. */
+			if (++num_checked > 16) {
+				break;
+			}
+		} ZEND_HASH_FOREACH_END();
+	}
+
+	return true;
+}
+
+static void zend_verify_result_type_inference(zend_execute_data *execute_data, const zend_op *opline)
+{
+	if (!RETURN_VALUE_USED(opline)
+	 || EG(exception)
+	 || opline->opcode == ZEND_ROPE_INIT
+	 || opline->opcode == ZEND_ROPE_ADD) {
+		return;
+	}
+
+	zval *value = EX_VAR(opline->result.var);
+
+	// Some jump opcode handlers don't set result when it's never read
+	if (Z_TYPE_P(value) == IS_UNDEF
+	 && (opline->opcode == ZEND_JMP_SET
+	  || opline->opcode == ZEND_JMP_NULL
+	  || opline->opcode == ZEND_COALESCE
+	  || opline->opcode == ZEND_ASSERT_CHECK)) {
+		return;
+	}
+
+	if (RETURN_VALUE_USED(opline) && !zend_verify_type_inference(opline->result_inferred_type, value)) {
+		fprintf(stderr, "Return type inference verification failed\n");
+		fflush(stderr);
+	}
+}
+static void zend_verify_op1_type_inference(zend_execute_data *execute_data, const zend_op *opline)
+{
+	if (opline->op1_type == IS_UNUSED) {
+		return;
+	}
+
+	if (opline->opcode == ZEND_ROPE_ADD || opline->opcode == ZEND_ROPE_END) {
+		return;
+	}
+
+	zval *value = opline->op1_type == IS_CONST 
+		? RT_CONSTANT(opline, opline->op1)
+		: EX_VAR(opline->op1.var);
+
+	if (!zend_verify_type_inference(opline->op1_inferred_type, value)) {
+		fprintf(stderr, "OP1 type inference verification failed\n");
+		fflush(stderr);
+	}
+}
+static void zend_verify_op2_type_inference(zend_execute_data *execute_data, const zend_op *opline)
+{
+	if (opline->op2_type == IS_UNUSED) {
+		return;
+	}
+
+	zval *value = opline->op2_type == IS_CONST 
+		? RT_CONSTANT(opline, opline->op2)
+		: EX_VAR(opline->op2.var);
+
+	if (!zend_verify_type_inference(opline->op2_inferred_type, value)) {
+		fprintf(stderr, "OP2 type inference verification failed\n");
+		fflush(stderr);
+	}
+}
+static void zend_verify_operand_type_inference(zend_execute_data *execute_data, const zend_op *opline)
+{
+	zend_verify_op1_type_inference(execute_data, opline);
+	zend_verify_op2_type_inference(execute_data, opline);
+}
+# define ZEND_VERIFY_RESULT_TYPE_INFERENCE() zend_verify_result_type_inference(execute_data, OPLINE);
+# define ZEND_VERIFY_OPERAND_TYPE_INFERENCE() zend_verify_operand_type_inference(execute_data, OPLINE);
+#else
+# define ZEND_VERIFY_RESULT_TYPE_INFERENCE()
+# define ZEND_VERIFY_OPERAND_TYPE_INFERENCE()
+#endif
+
 #define ZEND_VM_NEXT_OPCODE_EX(check_exception, skip) \
+	ZEND_VERIFY_RESULT_TYPE_INFERENCE() \
 	CHECK_SYMBOL_TABLES() \
 	if (check_exception) { \
 		OPLINE = EX(opline) + (skip); \
 	} else { \
 		ZEND_ASSERT(!EG(exception)); \
 		OPLINE = opline + (skip); \
 	} \
+	ZEND_VERIFY_OPERAND_TYPE_INFERENCE() \
 	ZEND_VM_CONTINUE()
 
 #define ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION() \

Zend/zend_opcode.c

@@ -1178,6 +1178,10 @@ ZEND_API void pass_two(zend_op_array *op_array)
 			opline->result.var = EX_NUM_TO_VAR(op_array->last_var + opline->result.var);
 		}
 		ZEND_VM_SET_OPCODE_HANDLER(opline);
+#ifdef ZEND_VERIFY_TYPE_INFERENCE
+		// Type inference hasn't happened yet and so can determine operand order correctly
+		opline->swapped_operands = false;
+#endif
 		opline++;
 	}