Tracing JIT: Fixed possible endless loop when escape from ZEND_CALL_TOP frame

dstogov · dstogov · commit 29c8c1e955fd · 2021-10-25T12:10:25.000+03:00
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
@@ -6382,10 +6382,10 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 			}
 			zend_jit_trace_link_to_root(&dasm_state, &zend_jit_traces[t->link], timeout_exit_addr);
 		} else {
-			zend_jit_trace_return(&dasm_state, 0);
+			zend_jit_trace_return(&dasm_state, 0, NULL);
 		}
 	} else if (p->stop == ZEND_JIT_TRACE_STOP_RETURN) {
-		zend_jit_trace_return(&dasm_state, 0);
+		zend_jit_trace_return(&dasm_state, 0, NULL);
 	} else {
 		// TODO: not implemented ???
 		ZEND_ASSERT(0 && p->stop);
@@ -6525,7 +6525,7 @@ static const void *zend_jit_trace_exit_to_vm(uint32_t trace_num, uint32_t exit_n
 		zend_jit_set_ip_ex(&dasm_state, opline, original_handler);
 	}
 
-	zend_jit_trace_return(&dasm_state, original_handler);
+	zend_jit_trace_return(&dasm_state, original_handler, opline);
 
 	handler = dasm_link_and_encode(&dasm_state, NULL, NULL, NULL, NULL, name, ZEND_JIT_TRACE_NUM);
 
diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
@@ -3420,7 +3420,7 @@ static int zend_jit_trace_link_to_root(dasm_State **Dst, zend_jit_trace_info *t,
 	return 1;
 }
 
-static int zend_jit_trace_return(dasm_State **Dst, zend_bool original_handler)
+static int zend_jit_trace_return(dasm_State **Dst, zend_bool original_handler, const zend_op *opline)
 {
 #if 0
 	|	jmp ->trace_escape
@@ -3456,7 +3456,15 @@ static int zend_jit_trace_return(dasm_State **Dst, zend_bool original_handler)
 		|	mov FP, aword T2 // restore FP
 		|	mov RX, aword T3 // restore IP
 		|	add r4, NR_SPAD // stack alignment
-		|	mov r0, 2 // ZEND_VM_LEAVE
+		if (!original_handler || !opline ||
+		    (opline->opcode != ZEND_RETURN
+		  && opline->opcode != ZEND_RETURN_BY_REF
+		  && opline->opcode != ZEND_GENERATOR_RETURN
+		  && opline->opcode != ZEND_GENERATOR_CREATE
+		  && opline->opcode != ZEND_YIELD
+		  && opline->opcode != ZEND_YIELD_FROM)) {
+			|	mov r0, 2 // ZEND_VM_LEAVE
+		}
 		|	ret
 	}
 #endif

Original file line number	Diff line number	Diff line change
`@@ -6382,10 +6382,10 @@ static const void zend_jit_trace(zend_jit_trace_rec trace_buffer, uint32_t par`
`6382`	`6382`	`}`
`6383`	`6383`	`zend_jit_trace_link_to_root(&dasm_state, &zend_jit_traces[t->link], timeout_exit_addr);`
`6384`	`6384`	`} else {`
`6385`		`- zend_jit_trace_return(&dasm_state, 0);`
	`6385`	`+ zend_jit_trace_return(&dasm_state, 0, NULL);`
`6386`	`6386`	`}`
`6387`	`6387`	`} else if (p->stop == ZEND_JIT_TRACE_STOP_RETURN) {`
`6388`		`- zend_jit_trace_return(&dasm_state, 0);`
	`6388`	`+ zend_jit_trace_return(&dasm_state, 0, NULL);`
`6389`	`6389`	`} else {`
`6390`	`6390`	`// TODO: not implemented ???`
`6391`	`6391`	`ZEND_ASSERT(0 && p->stop);`
`@@ -6525,7 +6525,7 @@ static const void *zend_jit_trace_exit_to_vm(uint32_t trace_num, uint32_t exit_n`
`6525`	`6525`	`zend_jit_set_ip_ex(&dasm_state, opline, original_handler);`
`6526`	`6526`	`}`
`6527`	`6527`
`6528`		`- zend_jit_trace_return(&dasm_state, original_handler);`
	`6528`	`+ zend_jit_trace_return(&dasm_state, original_handler, opline);`
`6529`	`6529`
`6530`	`6530`	`handler = dasm_link_and_encode(&dasm_state, NULL, NULL, NULL, NULL, name, ZEND_JIT_TRACE_NUM);`
`6531`	`6531`