JIT Assertion `info & (1 << type)' failed

[danog]

Description

https://github.com/danog/jit_bugs, reproducer 7.

Result:

php: ext/opcache/jit/zend_jit_trace.c:350: uint32_t zend_jit_trace_type_to_info_ex(uint8_t, uint32_t): Assertion `info & (1 << type)' failed.

Followed by an impossible RuntimeException PHP Error: Array to string conversion in /app/src/Psalm/Type/Atomic/TGenericObject.php, exactly from #12255.

ping @dstogov

PHP Version

3fb685b

Operating System

No response

[dstogov]

This scenario is not reproducible with PHP master branch.

[danog]

@dstogov Just ran this with b7c34b7 and can reproduce the issue, running on a 12-core x86_64 machine, will try to tweak the psalm settings a bit to simplify reproduction...

[danog]

@dstogov Cleaned up the reproducer a bit, could you try?

[dstogov]

@dstogov Cleaned up the reproducer a bit, could you try?

I'll try this tomorrow (actually today morining).
USE_ZEND_ALLOC=1 is already set in Dockerfile, so this shouldn't change anything.

Could you please also add the following patch to allow debugging in container.

diff --git a/Dockerfile b/Dockerfile
index f682628..a10d887 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,7 +28,8 @@ RUN true \
         pkg-config autoconf bison re2c \
         libxml2-dev libsqlite3-dev \
 		systemtap-sdt-dev libssl-dev \
-		libpcre2-dev libargon2-dev libedit-dev libsodium-dev llvm-16 libonig-dev
+		libpcre2-dev libargon2-dev libedit-dev libsodium-dev llvm-16 libonig-dev \
+		gdb libcapstone-dev
 
 RUN git clone https://github.com/php/php-src -b master --depth 1 && cd php-src \
     \
@@ -46,6 +47,7 @@ RUN git clone https://github.com/php/php-src -b master --depth 1 && cd php-src \
 		--with-password-argon2=/usr --with-external-pcre --with-mhash=/usr --with-libxml \
 		--enable-session --with-sodium --with-zlib=/usr --with-zlib-dir=/usr \
 		--enable-pcntl --with-libedit=shared,/usr \
+		--with-capstone \
     \
     && export CFLAGS='-g -fsanitize=address -shared-libasan -fno-sanitize-recover -DZEND_TRACK_ARENA_ALLOC' \
     && export CPPFLAGS='-g -fsanitize=address -shared-libasan -fno-sanitize-recover -DZEND_TRACK_ARENA_ALLOC' \
@@ -64,6 +66,6 @@ RUN git config --global --add safe.directory /app
 
 ENV USE_ZEND_ALLOC=0
 ENV PSALM_ALLOW_XDEBUG=1
-ENV ASAN_OPTIONS="detect_leaks=0:exitcode=139"
+ENV ASAN_OPTIONS="detect_leaks=0:exitcode=139:abort_on_error=true"
 
 WORKDIR /app

[danog]

Could you please also add the following patch to allow debugging in container.

Done!

USE_ZEND_ALLOC=1 is already set in Dockerfile, so this shouldn't change anything.

Actually it's set to 0 in the Dockerfile, the new setting should speed up stuff a bit :)

[dstogov]

USE_ZEND_ALLOC=1 is already set in Dockerfile, so this shouldn't change anything.

Actually it's set to 0 in the Dockerfile, the new setting should speed up stuff a bit :)

Right. My mistake.

Now I see the assertions.
May be I missed them before, because they don't interrupt the execution.
They occur in children processes that is even more complex to debug.
Is there a way to test everything in a single process?

[danog]

Is there a way to test everything in a single process?

@dstogov --threads=1 can help with that!

[dstogov]

The reduced test case

<?php
function bar(array &$a): ?bool {
    $ret = null;
    foreach ($a as $key => $val) {
        if ($val === 2) {
            unset($a[$key]);
        }
    }
    return $ret;
}

function foo($a, bool $b): bool {
    if ($b) return true;
    $n2 = count($a);
    do { 
        $n = $n2;
        $res = bar($a);
        $n2 = count($a);
    } while ($res === null && $n !== $n2);

    if ($res === null && $n === 0) {
        return false;
    }
    return true;
}

$a = [1,'a'=>5];
bar($a);
foo([1,'a'=>5], true);
foo([1,'a'=>5], false);
foo([2,'a'=>5], false);
?>

[dstogov]

This should be partially fixed by 93d5c0e
The commit fixes the reduced test case above.
Now running psalm with --threads=100, I see only a single assertion (previously I saw few ones).

There are no assertions when running psalm with --threads=1 and without wrap.php
I have no ideas how to catch this last assertion.

[danog]

Hmm, will see if I can reduce this this weekend...

[dstogov]

The assertion disappears if -f flag is removed in the command line (before /app/wrap.php)