Fix GH-14361: Deep recursion in zend_cfg.c causes segfault instead of error

nielsdos · nielsdos · commit 6e473e7dd849 · 2024-06-02T13:45:09.000+02:00
Building the CFG for JIT or optimizations can run into deep recursion, and depending on the stack limit cause a segfault. This patch uses the stack limit check to fail out of those cases. This prevents a segfault. We use this check elsewhere in the compiler as well. However, in this case we just make optimizations or JIT fail without aborting the application such that code can still execute. The attached test case will succeed both without and with this patch, it is mainly intended to test if propagating failure doesn't cause crashes. To reproduce the issue, set a low stack limit using `ulimit -s` and run the original test case from #14361
diff --git a/Zend/Optimizer/block_pass.c b/Zend/Optimizer/block_pass.c
@@ -1686,9 +1686,9 @@ void zend_optimize_cfg(zend_op_array *op_array, zend_optimizer_ctx *ctx)
 
     /* Build CFG */
 	checkpoint = zend_arena_checkpoint(ctx->arena);
-	zend_build_cfg(&ctx->arena, op_array, 0, &cfg);
 
-	if (cfg.blocks_count * (op_array->last_var + op_array->T) > 64 * 1024 * 1024) {
+	if (zend_build_cfg(&ctx->arena, op_array, 0, &cfg) != SUCCESS
+		|| cfg.blocks_count * (op_array->last_var + op_array->T) > 64 * 1024 * 1024) {
 		zend_arena_release(&ctx->arena, checkpoint);
 		return;
 	}
@@ -1751,7 +1751,9 @@ void zend_optimize_cfg(zend_op_array *op_array, zend_optimizer_ctx *ctx)
 		}
 
 		/* Eliminate unreachable basic blocks */
-		zend_cfg_remark_reachable_blocks(op_array, &cfg);
+		if (zend_cfg_remark_reachable_blocks(op_array, &cfg) != SUCCESS) {
+			break;
+		}
 
 		/* Merge Blocks */
 		zend_merge_blocks(op_array, &cfg, &opt_count);
diff --git a/Zend/Optimizer/dfa_pass.c b/Zend/Optimizer/dfa_pass.c
@@ -50,7 +50,9 @@ zend_result zend_dfa_analyze_op_array(zend_op_array *op_array, zend_optimizer_ct
     /* Build SSA */
 	memset(ssa, 0, sizeof(zend_ssa));
 
-	zend_build_cfg(&ctx->arena, op_array, ZEND_CFG_NO_ENTRY_PREDECESSORS, &ssa->cfg);
+	if (zend_build_cfg(&ctx->arena, op_array, ZEND_CFG_NO_ENTRY_PREDECESSORS, &ssa->cfg) != SUCCESS) {
+		return FAILURE;
+	}
 
 	if ((ssa->cfg.flags & ZEND_FUNC_INDIRECT_VAR_ACCESS)) {
 		/* TODO: we can't analyze functions with indirect variable access ??? */
diff --git a/Zend/Optimizer/zend_cfg.c b/Zend/Optimizer/zend_cfg.c
@@ -24,17 +24,23 @@
 #include "zend_optimizer_internal.h"
 #include "zend_sort.h"
 
-static void zend_mark_reachable(zend_op *opcodes, zend_cfg *cfg, zend_basic_block *b) /* {{{ */
+static zend_result zend_mark_reachable(zend_op *opcodes, zend_cfg *cfg, zend_basic_block *b) /* {{{ */
 {
 	zend_basic_block *blocks = cfg->blocks;
 
+#ifdef ZEND_CHECK_STACK_LIMIT
+	if (UNEXPECTED(zend_call_stack_overflowed(EG(stack_limit)))) {
+		return FAILURE;
+	}
+#endif
+
 	while (1) {
 		int i;
 
 		b->flags |= ZEND_BB_REACHABLE;
 		if (b->successors_count == 0) {
 			b->flags |= ZEND_BB_EXIT;
-			return;
+			return SUCCESS;
 		}
 
 		for (i = 0; i < b->successors_count; i++) {
@@ -89,28 +95,32 @@ static void zend_mark_reachable(zend_op *opcodes, zend_cfg *cfg, zend_basic_bloc
 			if (i == b->successors_count - 1) {
 				/* Tail call optimization */
 				if (succ->flags & ZEND_BB_REACHABLE) {
-					return;
+					return SUCCESS;
 				}
 
 				b = succ;
 				break;
 			} else {
 				/* Recursively check reachability */
 				if (!(succ->flags & ZEND_BB_REACHABLE)) {
-					zend_mark_reachable(opcodes, cfg, succ);
+					if (zend_mark_reachable(opcodes, cfg, succ) != SUCCESS) {
+						return FAILURE;
+					}
 				}
 			}
 		}
 	}
 }
 /* }}} */
 
-static void zend_mark_reachable_blocks(const zend_op_array *op_array, zend_cfg *cfg, int start) /* {{{ */
+static zend_result zend_mark_reachable_blocks(const zend_op_array *op_array, zend_cfg *cfg, int start) /* {{{ */
 {
 	zend_basic_block *blocks = cfg->blocks;
 
 	blocks[start].flags = ZEND_BB_START;
-	zend_mark_reachable(op_array->opcodes, cfg, blocks + start);
+	if (zend_mark_reachable(op_array->opcodes, cfg, blocks + start) != SUCCESS) {
+		return FAILURE;
+	}
 
 	if (op_array->last_try_catch) {
 		zend_basic_block *b;
@@ -146,7 +156,9 @@ static void zend_mark_reachable_blocks(const zend_op_array *op_array, zend_cfg *
 								if (b->flags & ZEND_BB_REACHABLE) {
 									op_array->try_catch_array[j].try_op = op_array->try_catch_array[j].catch_op;
 									changed = 1;
-									zend_mark_reachable(op_array->opcodes, cfg, blocks + block_map[op_array->try_catch_array[j].try_op]);
+									if (zend_mark_reachable(op_array->opcodes, cfg, blocks + block_map[op_array->try_catch_array[j].try_op]) != SUCCESS) {
+										return FAILURE;
+									}
 									break;
 								}
 								b++;
@@ -163,23 +175,29 @@ static void zend_mark_reachable_blocks(const zend_op_array *op_array, zend_cfg *
 						b->flags |= ZEND_BB_CATCH;
 						if (!(b->flags & ZEND_BB_REACHABLE)) {
 							changed = 1;
-							zend_mark_reachable(op_array->opcodes, cfg, b);
+							if (zend_mark_reachable(op_array->opcodes, cfg, b) != SUCCESS) {
+								return FAILURE;
+							}
 						}
 					}
 					if (op_array->try_catch_array[j].finally_op) {
 						b = blocks + block_map[op_array->try_catch_array[j].finally_op];
 						b->flags |= ZEND_BB_FINALLY;
 						if (!(b->flags & ZEND_BB_REACHABLE)) {
 							changed = 1;
-							zend_mark_reachable(op_array->opcodes, cfg, b);
+							if (zend_mark_reachable(op_array->opcodes, cfg, b) != SUCCESS) {
+								return FAILURE;
+							}
 						}
 					}
 					if (op_array->try_catch_array[j].finally_end) {
 						b = blocks + block_map[op_array->try_catch_array[j].finally_end];
 						b->flags |= ZEND_BB_FINALLY_END;
 						if (!(b->flags & ZEND_BB_REACHABLE)) {
 							changed = 1;
-							zend_mark_reachable(op_array->opcodes, cfg, b);
+							if (zend_mark_reachable(op_array->opcodes, cfg, b) != SUCCESS) {
+								return FAILURE;
+							}
 						}
 					}
 				} else {
@@ -223,10 +241,12 @@ static void zend_mark_reachable_blocks(const zend_op_array *op_array, zend_cfg *
 			}
 		}
 	}
+
+	return SUCCESS;
 }
 /* }}} */
 
-void zend_cfg_remark_reachable_blocks(const zend_op_array *op_array, zend_cfg *cfg) /* {{{ */
+zend_result zend_cfg_remark_reachable_blocks(const zend_op_array *op_array, zend_cfg *cfg) /* {{{ */
 {
 	zend_basic_block *blocks = cfg->blocks;
 	int i;
@@ -245,7 +265,7 @@ void zend_cfg_remark_reachable_blocks(const zend_op_array *op_array, zend_cfg *c
 		blocks[i].flags = 0;
 	}
 
-	zend_mark_reachable_blocks(op_array, cfg, start);
+	return zend_mark_reachable_blocks(op_array, cfg, start);
 }
 /* }}} */
 
@@ -267,7 +287,7 @@ static void initialize_block(zend_basic_block *block) {
 		block_map[i]++; \
 	} while (0)
 
-ZEND_API void zend_build_cfg(zend_arena **arena, const zend_op_array *op_array, uint32_t build_flags, zend_cfg *cfg) /* {{{ */
+ZEND_API zend_result zend_build_cfg(zend_arena **arena, const zend_op_array *op_array, uint32_t build_flags, zend_cfg *cfg) /* {{{ */
 {
 	uint32_t flags = 0;
 	uint32_t i;
@@ -587,7 +607,7 @@ ZEND_API void zend_build_cfg(zend_arena **arena, const zend_op_array *op_array,
 
 	/* Build CFG, Step 4, Mark Reachable Basic Blocks */
 	cfg->flags |= flags;
-	zend_mark_reachable_blocks(op_array, cfg, 0);
+	return zend_mark_reachable_blocks(op_array, cfg, 0);
 }
 /* }}} */
 
diff --git a/Zend/Optimizer/zend_cfg.h b/Zend/Optimizer/zend_cfg.h
@@ -115,8 +115,8 @@ typedef struct _zend_cfg {
 
 BEGIN_EXTERN_C()
 
-ZEND_API void zend_build_cfg(zend_arena **arena, const zend_op_array *op_array, uint32_t build_flags, zend_cfg *cfg);
-void zend_cfg_remark_reachable_blocks(const zend_op_array *op_array, zend_cfg *cfg);
+ZEND_API zend_result zend_build_cfg(zend_arena **arena, const zend_op_array *op_array, uint32_t build_flags, zend_cfg *cfg);
+zend_result zend_cfg_remark_reachable_blocks(const zend_op_array *op_array, zend_cfg *cfg);
 ZEND_API void zend_cfg_build_predecessors(zend_arena **arena, zend_cfg *cfg);
 ZEND_API void zend_cfg_compute_dominators_tree(const zend_op_array *op_array, zend_cfg *cfg);
 ZEND_API void zend_cfg_identify_loops(const zend_op_array *op_array, zend_cfg *cfg);
diff --git a/ext/opcache/jit/zend_jit.c b/ext/opcache/jit/zend_jit.c
@@ -921,12 +921,10 @@ static int zend_jit_build_cfg(const zend_op_array *op_array, zend_cfg *cfg)
 
 	flags = ZEND_CFG_STACKLESS | ZEND_CFG_NO_ENTRY_PREDECESSORS | ZEND_SSA_RC_INFERENCE_FLAG | ZEND_SSA_USE_CV_RESULTS | ZEND_CFG_RECV_ENTRY;
 
-	zend_build_cfg(&CG(arena), op_array, flags, cfg);
-
 	/* Don't JIT huge functions. Apart from likely being detrimental due to the amount of
 	 * generated code, some of our analysis is recursive and will stack overflow with many
 	 * blocks. */
-	if (cfg->blocks_count > 100000) {
+	if (zend_build_cfg(&CG(arena), op_array, flags, cfg) != SUCCESS || cfg->blocks_count > 100000) {
 		return FAILURE;
 	}
 
diff --git a/ext/opcache/tests/jit/gh14361.phpt b/ext/opcache/tests/jit/gh14361.phpt
@@ -0,0 +1,35 @@
+--TEST--
+GH-14361 (Deep recursion in zend_cfg.c causes segfault instead of error)
+--SKIPIF--
+<?php
+if (!function_exists('zend_test_zend_call_stack_get')) die("skip zend_test_zend_call_stack_get() is not available");
+?>
+--EXTENSIONS--
+zend_test
+opcache
+--INI--
+zend.max_allowed_stack_size=128K
+opcache.enable=1
+opcache.enable_cli=1
+opcache.jit=tracing
+opcache.jit_buffer_size=64M
+opcache.optimization_level=0x000000a0
+--FILE--
+<?php
+$tmp = fopen(__DIR__."/gh14361_tmp.php", "w");
+fwrite($tmp, '<?php ');
+for ($i = 0; $i < 70000; $i++) {
+    fwrite($tmp, 'if (@((0) == (0)) !== (true)) { $f++; }');
+}
+fclose($tmp);
+
+include __DIR__."/gh14361_tmp.php";
+echo "Done\n";
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__."/gh14361_tmp.php");
+?>
+--EXPECT--
+Done
+

Original file line number	Diff line number	Diff line change
`@@ -24,17 +24,23 @@`
`24`	`24`	`#include "zend_optimizer_internal.h"`
`25`	`25`	`#include "zend_sort.h"`
`26`	`26`
`27`		`-static void zend_mark_reachable(zend_op opcodes, zend_cfg cfg, zend_basic_block b) / {{{ */`
	`27`	`+static zend_result zend_mark_reachable(zend_op opcodes, zend_cfg cfg, zend_basic_block b) / {{{ */`
`28`	`28`	`{`
`29`	`29`	`zend_basic_block *blocks = cfg->blocks;`
`30`	`30`
	`31`	`+#ifdef ZEND_CHECK_STACK_LIMIT`
	`32`	`+ if (UNEXPECTED(zend_call_stack_overflowed(EG(stack_limit)))) {`
	`33`	`+ return FAILURE;`
	`34`	`+ }`
	`35`	`+#endif`
	`36`	`+`
`31`	`37`	`while (1) {`
`32`	`38`	`int i;`
`33`	`39`
`34`	`40`	`b->flags \|= ZEND_BB_REACHABLE;`
`35`	`41`	`if (b->successors_count == 0) {`
`36`	`42`	`b->flags \|= ZEND_BB_EXIT;`
`37`		`- return;`
	`43`	`+ return SUCCESS;`
`38`	`44`	`}`
`39`	`45`
`40`	`46`	`for (i = 0; i < b->successors_count; i++) {`
`@@ -89,28 +95,32 @@ static void zend_mark_reachable(zend_op opcodes, zend_cfg cfg, zend_basic_bloc`
`89`	`95`	`if (i == b->successors_count - 1) {`
`90`	`96`	`/* Tail call optimization */`
`91`	`97`	`if (succ->flags & ZEND_BB_REACHABLE) {`
`92`		`- return;`
	`98`	`+ return SUCCESS;`
`93`	`99`	`}`
`94`	`100`
`95`	`101`	`b = succ;`
`96`	`102`	`break;`
`97`	`103`	`} else {`
`98`	`104`	`/* Recursively check reachability */`
`99`	`105`	`if (!(succ->flags & ZEND_BB_REACHABLE)) {`
`100`		`- zend_mark_reachable(opcodes, cfg, succ);`
	`106`	`+ if (zend_mark_reachable(opcodes, cfg, succ) != SUCCESS) {`
	`107`	`+ return FAILURE;`
	`108`	`+ }`
`101`	`109`	`}`
`102`	`110`	`}`
`103`	`111`	`}`
`104`	`112`	`}`
`105`	`113`	`}`
`106`	`114`	`/* }}} */`
`107`	`115`
`108`		`-static void zend_mark_reachable_blocks(const zend_op_array op_array, zend_cfg cfg, int start) /* {{{ */`
	`116`	`+static zend_result zend_mark_reachable_blocks(const zend_op_array op_array, zend_cfg cfg, int start) /* {{{ */`
`109`	`117`	`{`
`110`	`118`	`zend_basic_block *blocks = cfg->blocks;`
`111`	`119`
`112`	`120`	`blocks[start].flags = ZEND_BB_START;`
`113`		`- zend_mark_reachable(op_array->opcodes, cfg, blocks + start);`
	`121`	`+ if (zend_mark_reachable(op_array->opcodes, cfg, blocks + start) != SUCCESS) {`
	`122`	`+ return FAILURE;`
	`123`	`+ }`
`114`	`124`
`115`	`125`	`if (op_array->last_try_catch) {`
`116`	`126`	`zend_basic_block *b;`
`@@ -146,7 +156,9 @@ static void zend_mark_reachable_blocks(const zend_op_array op_array, zend_cfg `
`146`	`156`	`if (b->flags & ZEND_BB_REACHABLE) {`
`147`	`157`	`op_array->try_catch_array[j].try_op = op_array->try_catch_array[j].catch_op;`
`148`	`158`	`changed = 1;`
`149`		`- zend_mark_reachable(op_array->opcodes, cfg, blocks + block_map[op_array->try_catch_array[j].try_op]);`
	`159`	`+ if (zend_mark_reachable(op_array->opcodes, cfg, blocks + block_map[op_array->try_catch_array[j].try_op]) != SUCCESS) {`
	`160`	`+ return FAILURE;`
	`161`	`+ }`
`150`	`162`	`break;`
`151`	`163`	`}`
`152`	`164`	`b++;`
`@@ -163,23 +175,29 @@ static void zend_mark_reachable_blocks(const zend_op_array op_array, zend_cfg `
`163`	`175`	`b->flags \|= ZEND_BB_CATCH;`
`164`	`176`	`if (!(b->flags & ZEND_BB_REACHABLE)) {`
`165`	`177`	`changed = 1;`
`166`		`- zend_mark_reachable(op_array->opcodes, cfg, b);`
	`178`	`+ if (zend_mark_reachable(op_array->opcodes, cfg, b) != SUCCESS) {`
	`179`	`+ return FAILURE;`
	`180`	`+ }`
`167`	`181`	`}`
`168`	`182`	`}`
`169`	`183`	`if (op_array->try_catch_array[j].finally_op) {`
`170`	`184`	`b = blocks + block_map[op_array->try_catch_array[j].finally_op];`
`171`	`185`	`b->flags \|= ZEND_BB_FINALLY;`
`172`	`186`	`if (!(b->flags & ZEND_BB_REACHABLE)) {`
`173`	`187`	`changed = 1;`
`174`		`- zend_mark_reachable(op_array->opcodes, cfg, b);`
	`188`	`+ if (zend_mark_reachable(op_array->opcodes, cfg, b) != SUCCESS) {`
	`189`	`+ return FAILURE;`
	`190`	`+ }`
`175`	`191`	`}`
`176`	`192`	`}`
`177`	`193`	`if (op_array->try_catch_array[j].finally_end) {`
`178`	`194`	`b = blocks + block_map[op_array->try_catch_array[j].finally_end];`
`179`	`195`	`b->flags \|= ZEND_BB_FINALLY_END;`
`180`	`196`	`if (!(b->flags & ZEND_BB_REACHABLE)) {`
`181`	`197`	`changed = 1;`
`182`		`- zend_mark_reachable(op_array->opcodes, cfg, b);`
	`198`	`+ if (zend_mark_reachable(op_array->opcodes, cfg, b) != SUCCESS) {`
	`199`	`+ return FAILURE;`
	`200`	`+ }`
`183`	`201`	`}`
`184`	`202`	`}`
`185`	`203`	`} else {`
`@@ -223,10 +241,12 @@ static void zend_mark_reachable_blocks(const zend_op_array op_array, zend_cfg `
`223`	`241`	`}`
`224`	`242`	`}`
`225`	`243`	`}`
	`244`	`+`
	`245`	`+ return SUCCESS;`
`226`	`246`	`}`
`227`	`247`	`/* }}} */`
`228`	`248`
`229`		`-void zend_cfg_remark_reachable_blocks(const zend_op_array op_array, zend_cfg cfg) /* {{{ */`
	`249`	`+zend_result zend_cfg_remark_reachable_blocks(const zend_op_array op_array, zend_cfg cfg) /* {{{ */`
`230`	`250`	`{`
`231`	`251`	`zend_basic_block *blocks = cfg->blocks;`
`232`	`252`	`int i;`
`@@ -245,7 +265,7 @@ void zend_cfg_remark_reachable_blocks(const zend_op_array op_array, zend_cfg c`
`245`	`265`	`blocks[i].flags = 0;`
`246`	`266`	`}`
`247`	`267`
`248`		`- zend_mark_reachable_blocks(op_array, cfg, start);`
	`268`	`+ return zend_mark_reachable_blocks(op_array, cfg, start);`
`249`	`269`	`}`
`250`	`270`	`/* }}} */`
`251`	`271`
`@@ -267,7 +287,7 @@ static void initialize_block(zend_basic_block *block) {`
`267`	`287`	`block_map[i]++; \`
`268`	`288`	`} while (0)`
`269`	`289`
`270`		`-ZEND_API void zend_build_cfg(zend_arena *arena, const zend_op_array op_array, uint32_t build_flags, zend_cfg cfg) / {{{ */`
	`290`	`+ZEND_API zend_result zend_build_cfg(zend_arena *arena, const zend_op_array op_array, uint32_t build_flags, zend_cfg cfg) / {{{ */`
`271`	`291`	`{`
`272`	`292`	`uint32_t flags = 0;`
`273`	`293`	`uint32_t i;`
`@@ -587,7 +607,7 @@ ZEND_API void zend_build_cfg(zend_arena *arena, const zend_op_array op_array,`
`587`	`607`
`588`	`608`	`/* Build CFG, Step 4, Mark Reachable Basic Blocks */`
`589`	`609`	`cfg->flags \|= flags;`
`590`		`- zend_mark_reachable_blocks(op_array, cfg, 0);`
	`610`	`+ return zend_mark_reachable_blocks(op_array, cfg, 0);`
`591`	`611`	`}`
`592`	`612`	`/* }}} */`
`593`	`613`