Problem
Concurrency bugs in ext/async (races, deadlocks, lost wakeups, refcount
corruption) are non-deterministic: they depend on the interleaving of
coroutines and threads, not on the program text, so unit tests and byte-level
fuzzing, which only vary the program, do not reach them reliably. Existing
TODOs already point to such bugs: the race in thread_channel/019 and 024, and
the gc_addref assertion failure at shutdown under ASAN.
Proposed approach (incremental)
- Property-based testing (PHP level) — generate random sequences of
spawn/send/recv/cancel/close/await and check invariants after each run
(refcount == 0 once the scope ends, recv completes after close, no coroutine
left waiting, etc). Cheap and CI-friendly; the interleavings are whatever the
scheduler happens to produce, so it complements rather than replaces the
options below.
- Structure-aware libFuzzer target —
sapi/fuzzer/fuzzer-async.c with a
protobuf grammar for async ops, mutated by libprotobuf-mutator, run under
ASAN+UBSAN. Catches UAF / double-free / refcount errors in C (libprotobuf-mutator
is a C++ library, so at least the mutator hook needs a C++ translation unit).
- Schedule fuzzing — every scheduler decision point reads "which coroutine
runs next" from the fuzzer input instead of the clock or the OS → deterministic,
replayable interleavings, and a crashing input is its own reproducer.
References: Loom, Shuttle, CHESS, syzkaller.
- TSAN CI build —
--enable-thread-sanitizer running the existing tests, to surface data races
that ASAN does not report.
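As an added example (not code from ext/async or php-src), the schedule-fuzzing decision point modelled on a toy two-coroutine channel in C: every "which coroutine runs next" choice is read from the fuzzer input, so an interleaving that violates an invariant reproduces from its bytes, and the invariants checked are the ones the property-testing bullet names (recv completes after close, refcount back to 0 when every coroutine has exited). The lost wakeup in the non-atomic park variant is constructed for the model and is not a claim about ext/async; run_schedule, atomic_park and the verdict codes are this example's own names.

```c
/* Added example, not ext/async code: a toy channel with a producer and a
 * consumer whose scheduler asks the fuzzer input who runs next.
 * Build as a libFuzzer target:
 *   clang -g -fsanitize=fuzzer,address -o sched_fuzz sched_fuzz.c
 */
#include <stddef.h>
#include <stdint.h>

enum state   { RUNNABLE, BLOCKED, DONE };
enum verdict { V_OK = 0, V_DEADLOCK = 1, V_REFCOUNT = 2, V_LOST_VALUE = 3, V_STEP_CAP = 4 };

struct chan { int full, closed, waiting, refcount, value; };
struct coro { enum state st; int pc; };

#define N_CORO    2
#define PRODUCER  0
#define CONSUMER  1
#define MAX_STEPS 32

/* Producer quantum: send(42), then close(), then exit and drop its channel ref. */
static void producer_step(struct chan *ch, struct coro *self, struct coro *consumer)
{
    if (self->pc == 0) {                         /* send(42) */
        ch->full = 1; ch->value = 42;
        if (ch->waiting) { ch->waiting = 0; consumer->st = RUNNABLE; }
        self->pc = 1;
    } else {                                     /* close() */
        ch->closed = 1;
        if (ch->waiting) { ch->waiting = 0; consumer->st = RUNNABLE; }
        self->st = DONE; ch->refcount--;
    }
}

/* Consumer quantum: recv() until the channel is drained and closed.
 * With atomic_park == 0 the "empty?" check and the park are two separately
 * schedulable steps (constructed lost wakeup): a send or close that lands
 * between them finds no waiter and wakes nobody. */
static void consumer_step(struct chan *ch, struct coro *self, int atomic_park, int *received)
{
    if (self->pc == 1) {                         /* deferred park, buggy variant only */
        ch->waiting = 1; self->st = BLOCKED; self->pc = 0;
        return;
    }
    if (ch->full)   { ch->full = 0; *received += (ch->value == 42); return; }
    if (ch->closed) { self->st = DONE; ch->refcount--; return; }
    if (atomic_park) { ch->waiting = 1; self->st = BLOCKED; }   /* check+park as one step */
    else             self->pc = 1;                                /* park on the next quantum */
}

/* Run one schedule chosen by `data` and return which invariant (if any) broke. */
int run_schedule(const uint8_t *data, size_t size, int atomic_park)
{
    struct chan ch = { .refcount = N_CORO };     /* each coroutine holds one ref */
    struct coro c[N_CORO] = { {RUNNABLE, 0}, {RUNNABLE, 0} };
    int received = 0;
    size_t pos = 0;

    for (int step = 0; ; step++) {
        int runnable[N_CORO], n = 0;
        for (int i = 0; i < N_CORO; i++)
            if (c[i].st == RUNNABLE) runnable[n++] = i;
        if (n == 0) break;
        if (step == MAX_STEPS) return V_STEP_CAP;
        /* Decision point: the fuzzer, not the clock, picks who runs next.
         * Exhausted input falls back to the lowest-numbered runnable coroutine. */
        int pick = runnable[pos < size ? data[pos] % n : 0];
        pos++;
        if (pick == PRODUCER) producer_step(&ch, &c[PRODUCER], &c[CONSUMER]);
        else                  consumer_step(&ch, &c[CONSUMER], atomic_park, &received);
    }
    for (int i = 0; i < N_CORO; i++)
        if (c[i].st != DONE) return V_DEADLOCK;  /* parked forever: recv never completed after close */
    if (ch.refcount != 0) return V_REFCOUNT;     /* a coroutine exited without dropping its ref */
    if (received != 1)    return V_LOST_VALUE;   /* the one sent value must arrive exactly once */
    return V_OK;
}

/* libFuzzer entry: trap on any violation so the input is kept as the reproducer. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (run_schedule(data, size, /*atomic_park=*/0) != V_OK) __builtin_trap();
    return 0;
}
```

With the buggy variant wired to the entry point, libFuzzer finds an input equivalent to {1,0,0,0} (consumer checks, producer sends, producer closes, consumer parks) and reports V_DEADLOCK; the same bytes replay the interleaving exactly. Setting atomic_park=1 closes the window and every schedule returns V_OK. In a real scheduler the byte-driven choice would replace the dequeue of the next runnable coroutine, with the normal policy as the fallback when no fuzz input is present.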
Out of scope
Byte-level fuzzing of PHP source (already covered by fuzzer-parser /
fuzzer-execute).