Tracing JIT assertion crash when using phpstan

[danog]

Description

See phpstan job in https://github.com/danog/php-src/actions/runs/6262586495/job/17005155671:

ext/opcache/jit/zend_jit_trace.c:382: zend_jit_trace_type_to_info_ex:  
     Assertion `info & (1 << type)' failed. 

The actual job definition can be seen in the PR @ #12250

PHP Version

master

Operating System

ubuntu

[dstogov]

I see the failure in logs, but I can't reproduce it locally

[iluuu1994]

(I first posted this in the wrong thread, sorry)

@dstogov I can reproduce it.

gdb php-dev --args php-dev -d opcache.enable_cli=1 -d opcache.jit=tracing -d opcache.jit_buffer_size=1G -d opcache.jit_max_root_traces=1000000 -d opcache.jit_max_side_traces=1000000 -d opcache.jit_max_exit_counters=1000000 -d opcache.jit_hot_loop=1 -d opcache.jit_hot_func=1 -d opcache.jit_hot_return=1 -d opcache.jit_hot_side_exit=1 bin/phpstan

php-dev: ext/opcache/jit/zend_jit_trace.c:382: zend_jit_trace_type_to_info_ex: Assertion `info & (1 << type)' failed.

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44            return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;

(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007ffff6d8f8f3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007ffff6d3eafe in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff6d2787f in __GI_abort () at abort.c:79
#4  0x00007ffff6d2779b in __assert_fail_base (fmt=0x7ffff6ea3a98 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
    assertion=assertion@entry=0x7fffe629bde0 "info & (1 << type)", file=file@entry=0x7fffe629ba60 "ext/opcache/jit/zend_jit_trace.c",
    line=line@entry=382, function=function@entry=0x7fffe62a11c0 <__PRETTY_FUNCTION__.14> "zend_jit_trace_type_to_info_ex") at assert.c:92
#5  0x00007ffff6d37187 in __assert_fail (assertion=0x7fffe629bde0 "info & (1 << type)", file=0x7fffe629ba60 "ext/opcache/jit/zend_jit_trace.c",
    line=382, function=0x7fffe62a11c0 <__PRETTY_FUNCTION__.14> "zend_jit_trace_type_to_info_ex") at assert.c:101
#6  0x00007fffe61e71a5 in zend_jit_trace_type_to_info_ex (type=4 '\004', info=0) at ext/opcache/jit/zend_jit_trace.c:382
#7  0x00007fffe61e7584 in zend_jit_trace_add_op_guard (tssa=0x7fffdfed9700, ssa_var=2, op_type=4 '\004') at ext/opcache/jit/zend_jit_trace.c:421
#8  0x00007fffe61f5b3f in zend_jit_trace_build_tssa (trace_buffer=0x7ffff4fd0020, parent_trace=8383, exit_num=2, script=0x0,
    op_arrays=0x7ffff4a0ad70, num_op_arrays_ptr=0x7ffff4a0aca0) at ext/opcache/jit/zend_jit_trace.c:1827
#9  0x00007fffe6211b8c in zend_jit_trace (trace_buffer=0x7ffff4fd0020, parent_trace=8383, exit_num=2) at ext/opcache/jit/zend_jit_trace.c:4028
#10 0x00007fffe6260ff1 in zend_jit_compile_side_trace (trace_buffer=0x7ffff4fd0020, parent_num=8383, exit_num=2, polymorphism=0)
    at ext/opcache/jit/zend_jit_trace.c:7863
#11 0x00007fffe6262d3f in zend_jit_trace_hot_side (execute_data=0x7ffff3a09c30, parent_num=8383, exit_num=2)
    at ext/opcache/jit/zend_jit_trace.c:8055
#12 0x00007fffe6265849 in zend_jit_trace_exit (exit_num=2, regs=0x7fffffff9cf0) at ext/opcache/jit/zend_jit_trace.c:8298
#13 0x000000000aa004ba in ?? ()
#14 0x00007ffff3a09cb0 in ?? ()
#15 0x0000000000000000 in ?? ()

(gdb) frame 8
(gdb) print_zstr op_array->function_name
string(6) "equals"
(gdb) print_zstr op_array->scope->name
string(41) "PHPStan\Type\Constant\ConstantIntegerType"

It seems like info in zend_jit_trace_type_to_info_ex is unexpectedly 0. PHPStan\Type\Constant\ConstantIntegerType::equals comes from a trait JustNullableTypeTrait used in the parent class PHPStan\Type\IntegerType. I wasn't able to come up with a minimal reproducer yet.

[dstogov]

I still can't reproduce this.
@iluuu1994 cab you run this with -d opcache.jit_debug=0x1ff005 (better to redrect stderr to a file) and then show the output related to the last trace. If it's a side trace, it's also interesting where this trace came from. Also in gdb go upward to zend_jit_trace_build_tssa() and identify opline and operand number.

[dstogov]

I finally reproduced this. Debugging...