Newsgroups: php.internals
Xref: news.php.net php.internals:104595
Date: Wed, 6 Mar 2019 09:09:29 +0100
From: nikita.ppv@gmail.com (Nikita Popov)
To: Stanislav Malyshev
Cc: PHP Internals, Dmitry Stogov
Subject: Re: [PHP-DEV] Weird bitset shift offset in zend_alloc

On Wed, Mar 6, 2019 at 1:28 AM Stanislav Malyshev wrote:
> Hi!
>
> I've been working on running PHP with undefined behavior sanitizer
> (http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html) and I've
> encountered a weird error while running PHP:
>
> /src/php-src/Zend/zend_alloc.c:585:9: runtime error: shift exponent 138 is too large for 64-bit type 'zend_mm_bitset' (aka 'unsigned long')
> #0 0x86dada in zend_mm_bitset_is_set /src/php-src/Zend/zend_alloc.c:585:9
> #1 0x86dada in zend_mm_bitset_is_free_range /src/php-src/Zend/zend_alloc.c:665
> #2 0x86dada in zend_mm_realloc_heap /src/php-src/Zend/zend_alloc.c:1670
> #3 0x86dada in _erealloc2 /src/php-src/Zend/zend_alloc.c:2577
>
> Looks like the code is doing it intentionally:
>
> /* x86 instructions BT, SHL, SHR don't require masking */
> #if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__)) || defined(ZEND_WIN32)
> # define ZEND_BIT_TEST(bits, bit) (((bits)[(bit) / (sizeof((bits)[0])*8)] >> (bit)) & 1)
> #else
> # define ZEND_BIT_TEST(bits, bit) (((bits)[(bit) / (sizeof((bits)[0])*8)] >> ((bit) & (sizeof((bits)[0])*8-1))) & 1)
> #endif
>
> But I'm not sure how it's supposed to work. Is it correct that on GCC
> (and clang, presumably, since it defines __GNUC__) accept long bitshifts
> and do the right thing with argument like 138? Is it documented
> anywhere? Or is there a bug here?
>

This is a bug, yes. Oversize shifts are UB, and the only thing preventing this from being miscompiled is the fact that the compiler cannot figure out that the shift is oversized.
I'm not sure why this code was introduced, as the compiler should generally be able to eliminate this masking if it is unnecessary. See for example these isel patterns in clang:
https://github.com/llvm-mirror/llvm/blob/46b09a3368af1be5005d31fd1d70bad08df352f9/lib/Target/X86/X86InstrCompiler.td#L1753

Nikita
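
The masked bit test from the quoted `#else` branch, written out as an added example that is not part of the original message or of php-src. It shows why bit 138 is well defined with masking and flags the shift count that the unmasked branch would use. `bitset_word`, `BIT_TEST_MASKED`, `unmasked_shift_is_ub` and `range_is_free` are hypothetical names, and the bitmap is constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for zend_mm_bitset; a fixed 64-bit word keeps the
   example identical on every platform. */
typedef uint64_t bitset_word;
#define WORD_BITS (sizeof(bitset_word) * CHAR_BIT)

/* Portable form: the word index comes from bit / WORD_BITS and the shift
   count is reduced to 0..WORD_BITS-1, so the shift is always defined. */
#define BIT_TEST_MASKED(bits, bit) \
    (((bits)[(bit) / WORD_BITS] >> ((bit) & (WORD_BITS - 1))) & 1)

/* The unmasked branch shifts by the raw bit index. This only reports when
   that count would reach the type width (the condition UBSan prints as
   "shift exponent N is too large"); it never performs the shift itself. */
static int unmasked_shift_is_ub(size_t bit)
{
    return bit >= WORD_BITS;
}

static int bit_test_masked(const bitset_word *bits, size_t bit)
{
    return (int)BIT_TEST_MASKED(bits, bit);
}

/* Range check built on the masked test (constructed logic, similar in
   purpose to the zend_mm_bitset_is_free_range frame in the trace). */
static int range_is_free(const bitset_word *bits, size_t start, size_t len)
{
    for (size_t i = start; i < start + len; i++)
        if (bit_test_masked(bits, i))
            return 0;
    return 1;
}

int main(void)
{
    bitset_word map[4] = {0};   /* constructed 256-bit bitmap */
    map[138 / WORD_BITS] |= (bitset_word)1 << (138 % WORD_BITS);
    printf("bit 138 set: %d, unmasked shift UB: %d, 130..137 free: %d\n",
           bit_test_masked(map, 138), unmasked_shift_is_ub(138),
           range_is_free(map, 130, 8));
    return 0;
}
```

Building the unmasked branch with `-fsanitize=shift` (or `-fsanitize=undefined`) reproduces the class of report quoted in the message for any bit index of 64 or more.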