Description
- Download MediaWiki e.g. from https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.1.tar.gz
- cd mediawiki-1.42.1
- Install PHP 8.4 or git master with excimer and the extensions listed in composer.json
- Install MediaWiki e.g. with
php8.4 maintenance/run.php install --dbname=mw_installtest --dbserver=localhost --dbuser=user --dbpass=pass --pass=$(md5sum README.md) installtest Admin
Create the file phptest.php:
<?php
$excimer = new ExcimerProfiler;
$excimer->setPeriod( 0.001 );           // sample every 1 ms
$excimer->setEventType( EXCIMER_REAL ); // wall-clock timer, fires regardless of CPU use
$excimer->start();
require 'index.php';                    // run MediaWiki's entry point under the profiler
Run the script repeatedly with the tracing JIT:
SCRIPT_NAME=index.php REMOTE_ADDR=1.2.3.4 /usr/lib/cgi-bin/php8.4 -T1000 -dextension=excimer.so -dopcache.jit=on phptest.php > /dev/null
It crashes with:
zend_mm_heap corrupted
Aborted (core dumped)
Building with AddressSanitizer, it always crashes in AutoLoader::find() due to an incorrect reference count on $prefix leading to it being freed while still in use.
In gdb, use set print thread-events off, since Excimer is creating 1000 threads per second.
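An added driver script (not from the bug report, nor part of Excimer or PHP) that scripts the reproduction above: it runs the CGI loop under gdb in batch mode with thread-event printing off, once with opcache.jit=on and once with it off, and classifies each log by the allocator abort shown above. It assumes the CGI binary path and MediaWiki directory from the report (overridable via PHP_CGI and MW_DIR) and that phptest.php has already been created in that directory; the hypothetical REPRO=1 switch starts the runs.

```shell
#!/bin/sh
# Added reproduction driver (assumed paths, not part of the report or of Excimer).
# Runs the CGI loop under gdb with thread-event printing off, JIT on vs off.
set -eu

PHP_CGI="${PHP_CGI:-/usr/lib/cgi-bin/php8.4}"      # CGI binary, as in the report
MW_DIR="${MW_DIR:-${HOME:-.}/mediawiki-1.42.1}"     # unpacked MediaWiki tree with phptest.php
ITER="${ITER:-1000}"                                # -T repeat count from the report

# Classify a captured gdb/stderr log: "crash" for the allocator abort seen in
# the report, "asan" for an AddressSanitizer report, otherwise "clean".
classify_log() {
    if grep -q 'zend_mm_heap corrupted' "$1"; then
        echo crash
    elif grep -q 'AddressSanitizer' "$1"; then
        echo asan
    else
        echo clean
    fi
}

# Print the innermost N frames (default 5) of the backtrace gdb wrote to the log.
top_frames() {
    grep '^#[0-9]' "$1" | head -n "${2:-5}"
}

# run_repro <opcache.jit value> <log file>: inferior stdout (the wiki HTML) is
# discarded inside gdb so the log holds only gdb output and the crash message.
run_repro() {
    ( cd "$MW_DIR" && SCRIPT_NAME=index.php REMOTE_ADDR=1.2.3.4 \
        gdb -q -batch \
            -ex 'set print thread-events off' \
            -ex 'run >/dev/null' \
            -ex 'bt 15' \
            --args "$PHP_CGI" -T"$ITER" -dextension=excimer.so \
                   -dopcache.jit="$1" phptest.php ) >"$2" 2>&1 || true
}

# Run both JIT modes and report the classification plus the top frames of each.
compare_jit_modes() {
    for jit in on off; do
        log="$(mktemp)"
        run_repro "$jit" "$log"
        echo "opcache.jit=$jit: $(classify_log "$log")"
        top_frames "$log"
        rm -f "$log"
    done
}

if [ "${REPRO:-0}" = 1 ]; then
    compare_jit_modes
fi
```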
This is not an excimer bug. I'm pretty sure. Excimer is just a way to randomly set EG(vm_interrupt), which exercises some otherwise unusual exits in the JITed code of this function. It still crashes with the whole interrupt handler disabled:
diff --git a/excimer_timer.c b/excimer_timer.c
index 83bf42a..36e4289 100644
--- a/excimer_timer.c
+++ b/excimer_timer.c
@@ -239,6 +239,7 @@ static void excimer_timer_handle(union sigval sv)
static void excimer_timer_interrupt(zend_execute_data *execute_data)
{
+ return;
zend_long id;
zval *zp_count;
HashTable *event_counts;
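Review bot: the unconditional `return;` inserted at the top of excimer_timer_interrupt leaves the whole handler body (`zend_long id;`, `zval *zp_count;`, `HashTable *event_counts;` and what follows) unreachable, which is appropriate for the bisection experiment described above but will trigger unreachable-code warnings and should not land as-is; if it is to stay in the tree for further debugging, gate it behind a debug macro or a runtime switch. Note also that the hunk header's function context (`excimer_timer_handle(union sigval sv)`) does not match the function actually edited (`excimer_timer_interrupt`), so at a glance the diff appears to touch the signal-thread handler rather than the VM interrupt callback.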
I mean, it is Excimer-related, and I as an Excimer maintainer am trying to fix it. But I'm getting deep into the JIT internals and that's probably where the bug is.
The bug is new in 8.4, I could not reproduce it in 8.3.
PHP Version
8.4.0alpha4
Operating System
Ubuntu 22.04