Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:126696
Feedback-ID: ifab94697:Fastmail
Precedence: bulk
MIME-Version: 1.0
Date: Mon, 10 Mar 2025 17:46:40 +0100
To: internals@lists.php.net
Message-ID: <2d7ad0d5-8455-442e-a1d4-07580f1a6d7d@app.fastmail.com>
In-Reply-To: 
 <CAPyj-LCDJxcO3M=++Eue_dgbQYO0bN+2LmgKCigHK2xhR6e0Aw@mail.gmail.com>
References: <9548e5df-1cd3-4097-8961-7a087b21839f@app.fastmail.com>
 <CAPyj-LCDJxcO3M=++Eue_dgbQYO0bN+2LmgKCigHK2xhR6e0Aw@mail.gmail.com>
Subject: Re: [PHP-DEV] OPcache should zero out cache slots?
Content-Type: multipart/alternative;
 boundary=11392d1268854a119a51c82ea14c530b
From: rob@bottled.codes ("Rob Landers")

--11392d1268854a119a51c82ea14c530b
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On Mon, Mar 10, 2025, at 15:43, Ilija Tovilo wrote:
> Hi Rob
>=20
> On Mon, Mar 10, 2025 at 9:23=E2=80=AFAM Rob Landers <rob@bottled.codes=
> wrote:
> >
> > I=E2=80=99ve been trying to chase down a very subtle bug in 8.4 that=
 only happens when OPcache is enabled (I'm trying to create a reproducer=
 to file an actual bug). From what I can tell, OPcache doesn=E2=80=99t z=
ero out cache slots, so occasionally, a cache slot will contain garbage =
that happens to pass asserts/checks that causes the program to behave in=
correctly. Without OPcache, cache slots are always NULL if not set.
> >
> > It's quite rare to end up in that situation, though, but I was wonde=
ring if anyone has any opinions on this?
>=20
> I don't believe this is accurate. If we're talking about the cache
> used within the VM, "cache slots" are a contiguous list of arbitrary
> void pointers. The compiler tracks how many cache slots each function
> needs, but the actual array of pointers is allocated at runtime, in
> init_func_run_time_cache_i(), when the function is executed for the
> first time on each request. init_func_run_time_cache_i() zeros the
> cache with memset. If it wouldn't, we'd run into issues quickly,
> because a non-0 cache is generally interpreted as a primed cache.
>=20
> Potentially, you might also be referring to the pointer map, which is
> a related concept. But this map is also zero'ed for each request (in
> zend_activate()).
>=20
> If you think you might be dealing with uninitialized memory in your
> case, MemorySanitizer or Valgrind may help.
>=20
> Does that help?
>=20
> Ilija
>=20

Thanks Ilija,

You are correct! This issue appears to be an "off-by-one" type error, so=
 the data in the cache slot is just something unexpected, which looks li=
ke garbage. I think I finally found the issue, maybe... in zend_compile_=
static_call where the logic to determine the number of cache slots is di=
fferent from the logic to set the cache slots. At least, that is where I=
 am at right now. But that you for your help!

=E2=80=94 Rob
--11392d1268854a119a51c82ea14c530b
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html><html><head><title></title><style type=3D"text/css">p.Mso=
Normal,p.MsoNoSpacing{margin:0}</style></head><body><div>On Mon, Mar 10,=
 2025, at 15:43, Ilija Tovilo wrote:<br></div><blockquote type=3D"cite" =
id=3D"qt" style=3D""><div>Hi Rob<br></div><div><br></div><div>On Mon, Ma=
r 10, 2025 at 9:23=E2=80=AFAM Rob Landers &lt;<a href=3D"mailto:rob@bott=
led.codes">rob@bottled.codes</a>&gt; wrote:<br></div><div>&gt;<br></div>=
<div>&gt; I=E2=80=99ve been trying to chase down a very subtle bug in 8.=
4 that only happens when OPcache is enabled (I'm trying to create a repr=
oducer to file an actual bug). From what I can tell, OPcache doesn=E2=80=
=99t zero out cache slots, so occasionally, a cache slot will contain ga=
rbage that happens to pass asserts/checks that causes the program to beh=
ave incorrectly. Without OPcache, cache slots are always NULL if not set=
.<br></div><div>&gt;<br></div><div>&gt; It's quite rare to end up in tha=
t situation, though, but I was wondering if anyone has any opinions on t=
his?<br></div><div><br></div><div>I don't believe this is accurate. If w=
e're talking about the cache<br></div><div>used within the VM, "cache sl=
ots" are a contiguous list of arbitrary<br></div><div>void pointers. The=
 compiler tracks how many cache slots each function<br></div><div>needs,=
 but the actual array of pointers is allocated at runtime, in<br></div><=
div>init_func_run_time_cache_i(), when the function is executed for the<=
br></div><div>first time on each request. init_func_run_time_cache_i() z=
eros the<br></div><div>cache with memset. If it wouldn't, we'd run into =
issues quickly,<br></div><div>because a non-0 cache is generally interpr=
eted as a primed cache.<br></div><div><br></div><div>Potentially, you mi=
ght also be referring to the pointer map, which is<br></div><div>a relat=
ed concept. But this map is also zero'ed for each request (in<br></div><=
div>zend_activate()).<br></div><div><br></div><div>If you think you migh=
t be dealing with uninitialized memory in your<br></div><div>case, Memor=
ySanitizer or Valgrind may help.<br></div><div><br></div><div>Does that =
help?<br></div><div><br></div><div>Ilija<br></div><div><br></div></block=
quote><div><br></div><div>Thanks&nbsp;Ilija,<br></div><div><br></div><di=
v>You are correct! This issue appears to be an "off-by-one" type error, =
so the data in the cache slot is just something unexpected, which looks =
like garbage. I think I finally found the issue, maybe... in&nbsp;zend_c=
ompile_static_call where the logic to determine the number of cache slot=
s is different from the logic to set the cache slots. At least, that is =
where I am at right now. But that you for your help!<br></div><div><br><=
/div><div id=3D"sig121229152">=E2=80=94 Rob<br></div></body></html>
--11392d1268854a119a51c82ea14c530b--