fix: crashtracker runtime stack infinite loop

[gyuheon0h]

Description

There was a crash report with the runtime stack unwinding infinite looping: https://app.datadoghq.com/logs?query=-%40org_id%3A603589%20%40error.is_crash%3Atrue%20%40org_id%3A1000626888&agg_m=count&agg_m_source=base&agg_t=count&clustering_pattern_field_path=message&cols=host%2Cservice%2C%40org_id&event=AwAAAZ3U6zFHIybQJAAAABhBWjNVNnpGSEFBQVF1X283ZzRmcEh3QUEAAAAkMDE5ZGQ0ZWUtNTMzNC00Mzk4LTliNzktOGU5YTQ5NjZhZDhjAANM0A&fromUser=true&index=instrumentation-telemetry-data&link_source=monitor_notif&messageDisplay=inline&refresh_mode=sliding&storage=flex_tier&stream_sort=desc&viz=stream&from_ts=1747059580431&to_ts=1747145980431&live=true

Here is what the raw stack looks like

    [
           {
              "column": 4294967295,
              "file": "some-repeated-file-name.php",
              "function": "someRepeatedFunc",
              "line": 157,
              "type_name": "<corrupted scope>"
            },
            {
              "column": 4294967295,
              "file": "some-repeated-file-name.php",
              "function": "someRepeatedFunc",
              "line": 157,
              "type_name": "<corrupted scope>"
            },
            {
              "column": 4294967295,
              "file": "some-repeated-file-name.php",
              "function": "someRepeatedFunc",
              "line": 157,
              "type_name": "<corrupted scope>"
            },
            ....
            {
              "column": 4294967295,
              "file": "some-repeated-file-name.php",
              "function": "someRepeatedFunc",
              "line": 157,
              "type_name": "<corrupted scope>"
            },
            {
              "column": 4294967295,
              "file": "some-repeated-file-name.php",
              "function": "someRepeatedFunc",
              "line": 157,
              "type_name": "<corrupted scope>"
            }
          ]

Couple of things here.

1. type_name is `'
   • this means that this line:

frame.type_name = func->common.scope ? zai_is_mapped(&func->common.scope->name, sizeof(zend_string *)) ? dd_validate_zstr(func->common.scope->name) : DDOG_CHARSLICE_C("<corrupted scope>") : DDOG_CHARSLICE_C("");

triggered

2. The column number is 4294967295. This is unrealistic. The reason this is so is because its -1 in uint32. 2^32-1 = 4294967295

Then, this points to this section of code

if (!zai_is_mapped(opline, sizeof(zend_op))) {
                frame.column = -1;
                EMIT(&frame);
                continue;
            }

being the culprit. frame.column is set to -1, and the frame does not proceed, since we don't perform call = call->prev_execute_data;

Reviewer checklist

• Test coverage seems ok.
• Appropriate labels assigned.

[gyuheon0h]

• fix: crashtracker runtime stack infinite loop #3845 👈 (View in Graphite)
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.

[bwoebi]

This is valid, yeah.

[morrisonlevi]

In light of the other investigation... we cannot be certain call-> is valid xD

[bwoebi]

This is checked in line 57.

[bwoebi]

@gyuheon0h I was intentionally using the negative numbers as markers.

Unless there was a problem with the fact that they wrap?

[gyuheon0h]

@gyuheon0h I was intentionally using the negative numbers as markers.

Unless there was a problem with the fact that they wrap?

@bwoebi Not particularly, but theyre noisy IMO. Libdatadog also says to send 0 for unknown values, but up to you 🤷

[bwoebi]

Well, PHP already uses 0 itself when unknown. This is to distinguish.

And sure, they're noisy, so you actually see "there's corruption"- that's good thing, right?

Could you please revert that part? Thanks :-)

[datadog-datadog-prod-us1-2]

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 60.68% (-0.01%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 8e49afb | Docs | Datadog PR Page | Give us feedback!}

[gyuheon0h]

Well, PHP already uses 0 itself when unknown. This is to distinguish.

And sure, they're noisy, so you actually see "there's corruption"- that's good thing, right?

Could you please revert that part? Thanks :-)

@bwoebi done, thanks :) 👍