ext/opcache/jit/zend_jit_trace: add missing lock for EXIT_INVALIDATE

MaxKellermann · MaxKellermann · commit feffccef2d65 · 2022-12-20T16:14:50.000+01:00
Commit 6c25413 added the flag ZEND_JIT_EXIT_INVALIDATE which resets the trace handlers in zend_jit_trace_exit(), but forgot to lock the shared memory section. This could cause another worker process who still saw the ZEND_JIT_TRACE_JITED flag to schedule ZEND_JIT_TRACE_STOP_LINK, but when it arrived at the ZEND_JIT_DEBUG_TRACE_STOP, the handler was already reverted by the first worker process and thus zend_jit_find_trace() fails. This in turn generated a bogus jump offset in the JITed code, crashing the PHP process.
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
@@ -8126,6 +8126,7 @@ int ZEND_FASTCALL zend_jit_trace_exit(uint32_t exit_num, zend_jit_registers_buf
 			t = &zend_jit_traces[num];
 		}
 
+		zend_shared_alloc_lock();
 		SHM_UNPROTECT();
 		zend_jit_unprotect();
 
@@ -8142,6 +8143,7 @@ int ZEND_FASTCALL zend_jit_trace_exit(uint32_t exit_num, zend_jit_registers_buf
 
 		zend_jit_protect();
 		SHM_PROTECT();
+		zend_shared_alloc_unlock();
 
 		return 0;
 	}

Original file line number	Diff line number	Diff line change
`@@ -8126,6 +8126,7 @@ int ZEND_FASTCALL zend_jit_trace_exit(uint32_t exit_num, zend_jit_registers_buf`
`8126`	`8126`	`t = &zend_jit_traces[num];`
`8127`	`8127`	`}`
`8128`	`8128`
	`8129`	`+ zend_shared_alloc_lock();`
`8129`	`8130`	`SHM_UNPROTECT();`
`8130`	`8131`	`zend_jit_unprotect();`
`8131`	`8132`
`@@ -8142,6 +8143,7 @@ int ZEND_FASTCALL zend_jit_trace_exit(uint32_t exit_num, zend_jit_registers_buf`
`8142`	`8143`
`8143`	`8144`	`zend_jit_protect();`
`8144`	`8145`	`SHM_PROTECT();`
	`8146`	`+ zend_shared_alloc_unlock();`
`8145`	`8147`
`8146`	`8148`	`return 0;`
`8147`	`8149`	`}`