Implement opcache checksum skip list

Author: iluuu1994

ext/opcache/ZendAccelerator.c

@@ -2120,7 +2120,7 @@ zend_op_array *persistent_compile_file(zend_file_handle *file_handle, int type)
 		unsigned int checksum = zend_accel_script_checksum(persistent_script);
 		if (checksum != persistent_script->dynamic_members.checksum ) {
 			/* The checksum is wrong */
-			zend_accel_error(ACCEL_LOG_INFO, "Checksum failed for '%s':  expected=0x%08x, found=0x%08x",
+			zend_accel_error(ACCEL_LOG_WARNING, "Checksum failed for '%s':  expected=0x%08x, found=0x%08x",
 							 ZSTR_VAL(persistent_script->script.filename), persistent_script->dynamic_members.checksum, checksum);
 			zend_shared_alloc_lock();
 			if (!persistent_script->corrupted) {
@@ -4763,6 +4763,10 @@ static int accel_finish_startup(void)
 			ZCG(cwd_key_len) = 0;
 			ZCG(cwd_check) = 1;
 
+			ZCG(checksum_skip_list) = NULL;
+			ZCG(checksum_skip_list_count) = 0;
+			ZCG(checksum_skip_list_capacity) = 0;
+
 			if (accel_preload(ZCG(accel_directives).preload, in_child) != SUCCESS) {
 				ret = FAILURE;
 			}

ext/opcache/ZendAccelerator.h

@@ -122,6 +122,8 @@ typedef struct _zend_persistent_script {
 
 	void          *mem;                    /* shared memory area used by script structures */
 	size_t         size;                   /* size of used shared memory */
+	/* list of offsets relative to (mem + ZEND_ALIGNED_SIZE(sizeof(zend_persistent_script))) to be skipped in the checksum calculation */
+	uint32_t      *checksum_skip_list;
 
 	/* All entries that shouldn't be counted in the ADLER32
 	 * checksum must be declared in this struct
@@ -225,6 +227,10 @@ typedef struct _zend_accel_globals {
 	/* preallocated buffer for keys */
 	zend_string             key;
 	char                    _key[MAXPATHLEN * 8];
+
+	uint32_t               *checksum_skip_list;
+	uint32_t                checksum_skip_list_count;
+	uint32_t                checksum_skip_list_capacity;
 } zend_accel_globals;
 
 typedef struct _zend_string_table {

ext/opcache/jit/zend_jit.c

@@ -36,7 +36,6 @@
 #include "Optimizer/zend_func_info.h"
 #include "Optimizer/zend_ssa.h"
 #include "Optimizer/zend_inference.h"
-#include "Optimizer/zend_call_graph.h"
 #include "Optimizer/zend_dump.h"
 
 #if ZEND_JIT_TARGET_X86
@@ -1267,7 +1266,7 @@ static int zend_may_overflow(const zend_op *opline, const zend_ssa_op *ssa_op, c
 	}
 }
 
-static int zend_jit_build_cfg(const zend_op_array *op_array, zend_cfg *cfg)
+ZEND_EXT_API int zend_jit_build_cfg(const zend_op_array *op_array, zend_cfg *cfg)
 {
 	uint32_t flags;
 

ext/opcache/jit/zend_jit.h

@@ -19,6 +19,8 @@
 #ifndef HAVE_JIT_H
 #define HAVE_JIT_H
 
+#include "Optimizer/zend_call_graph.h"
+
 #if defined(__x86_64__) || defined(i386) || defined(ZEND_WIN32)
 # define ZEND_JIT_TARGET_X86   1
 # define ZEND_JIT_TARGET_ARM64 0
@@ -154,6 +156,7 @@ ZEND_EXT_API void zend_jit_activate(void);
 ZEND_EXT_API void zend_jit_deactivate(void);
 ZEND_EXT_API void zend_jit_status(zval *ret);
 ZEND_EXT_API void zend_jit_restart(void);
+ZEND_EXT_API int zend_jit_build_cfg(const zend_op_array *op_array, zend_cfg *cfg);
 
 typedef struct _zend_lifetime_interval zend_lifetime_interval;
 typedef struct _zend_life_range zend_life_range;

ext/opcache/jit/zend_jit_trace.c

@@ -16,6 +16,8 @@
    +----------------------------------------------------------------------+
 */
 
+#include "zend_persist.h"
+
 static zend_op_array dummy_op_array;
 static zend_jit_trace_info *zend_jit_traces = NULL;
 static const void **zend_jit_exit_groups = NULL;
@@ -8262,6 +8264,7 @@ static int zend_jit_setup_hot_trace_counters(zend_op_array *op_array)
 				if (cfg.blocks[i].flags & ZEND_BB_LOOP_HEADER) {
 					/* loop header */
 					opline = op_array->opcodes + cfg.blocks[i].start;
+					checksum_skip_list_add(&opline->handler);
 					if (!(ZEND_OP_TRACE_INFO(opline, jit_extension->offset)->trace_flags & ZEND_JIT_TRACE_UNSUPPORTED)) {
 						opline->handler = (const void*)zend_jit_loop_trace_counter_handler;
 						if (!ZEND_OP_TRACE_INFO(opline, jit_extension->offset)->counter) {
@@ -8286,6 +8289,7 @@ static int zend_jit_setup_hot_trace_counters(zend_op_array *op_array)
 			}
 		}
 
+		checksum_skip_list_add(&opline->handler);
 		if (!ZEND_OP_TRACE_INFO(opline, jit_extension->offset)->trace_flags) {
 			/* function entry */
 			opline->handler = (const void*)zend_jit_func_trace_counter_handler;

ext/opcache/tests/gh8065.inc

@@ -0,0 +1,3 @@
+<?php
+
+class Bar extends Foo {}

ext/opcache/tests/gh8065.phpt

@@ -0,0 +1,22 @@
+--TEST--
+Bug GH-8065: Opcache zend_class_entry.inheritance_cache breaks persistent script checksum
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.consistency_checks=1
+opcache.log_verbosity_level=2
+opcache.protect_memory=1
+--EXTENSIONS--
+opcache
+--FILE--
+<?php
+
+class Foo {}
+
+require_once __DIR__ . '/gh8065.inc';
+
+echo "Done\n";
+
+?>
+--EXPECT--
+Done

ext/opcache/zend_accelerator_util_funcs.c

@@ -299,18 +299,33 @@ zend_op_array* zend_accel_load_script(zend_persistent_script *persistent_script,
 #define ADLER32_DO4(buf, i)     ADLER32_DO2(buf, i); ADLER32_DO2(buf, i + 2);
 #define ADLER32_DO8(buf, i)     ADLER32_DO4(buf, i); ADLER32_DO4(buf, i + 4);
 #define ADLER32_DO16(buf)       ADLER32_DO8(buf, 0); ADLER32_DO8(buf, 8);
-
-unsigned int zend_adler32(unsigned int checksum, unsigned char *buf, uint32_t len)
+#define ADLER32_CHECK_SKIPPED(by) \
+	do {															\
+		offset = buf - start;										\
+		while (*skip_list != 0 && *skip_list < offset) {			\
+			skip_list++;											\
+		}															\
+		skipped = *skip_list != 0 && *skip_list < (offset + (by));	\
+	} while (0)
+
+unsigned int zend_adler32(unsigned int checksum, unsigned char *buf, uint32_t len, uint32_t *skip_list)
 {
+	unsigned char *start = buf;
 	unsigned int s1 = checksum & 0xffff;
 	unsigned int s2 = (checksum >> 16) & 0xffff;
 	unsigned char *end;
+	bool skipped;
+	uint32_t offset;
 
 	while (len >= ADLER32_NMAX) {
 		len -= ADLER32_NMAX;
 		end = buf + ADLER32_NMAX;
+		skipped = false;
 		do {
-			ADLER32_DO16(buf);
+			ADLER32_CHECK_SKIPPED(16);
+			if (!skipped) {
+				ADLER32_DO16(buf);
+			}
 			buf += 16;
 		} while (buf != end);
 		s1 %= ADLER32_BASE;
@@ -321,16 +336,27 @@ unsigned int zend_adler32(unsigned int checksum, unsigned char *buf, uint32_t le
 		if (len >= 16) {
 			end = buf + (len & 0xfff0);
 			len &= 0xf;
+			skipped = false;
 			do {
-				ADLER32_DO16(buf);
+				ADLER32_CHECK_SKIPPED(16);
+				if (!skipped) {
+					ADLER32_DO16(buf);
+				}
 				buf += 16;
 			} while (buf != end);
 		}
 		if (len) {
 			end = buf + len;
+			skipped = false;
 			do {
-				ADLER32_DO1(buf);
-				buf++;
+				ADLER32_CHECK_SKIPPED(1);
+				if (!skipped) {
+					ADLER32_DO1(buf);
+					buf++;
+				} else {
+					// skip_list contains a list of pointers so we skip the entire pointer size
+					buf += sizeof(void*);
+				}
 			} while (buf != end);
 		}
 		s1 %= ADLER32_BASE;
@@ -346,19 +372,20 @@ unsigned int zend_accel_script_checksum(zend_persistent_script *persistent_scrip
 	size_t size = persistent_script->size;
 	size_t persistent_script_check_block_size = ((char *)&(persistent_script->dynamic_members)) - (char *)persistent_script;
 	unsigned int checksum = ADLER32_INIT;
+	uint32_t zero = 0;
 
 	if (mem < (unsigned char*)persistent_script) {
-		checksum = zend_adler32(checksum, mem, (unsigned char*)persistent_script - mem);
+		checksum = zend_adler32(checksum, mem, (unsigned char*)persistent_script - mem, &zero);
 		size -= (unsigned char*)persistent_script - mem;
 		mem  += (unsigned char*)persistent_script - mem;
 	}
 
-	zend_adler32(checksum, mem, persistent_script_check_block_size);
-	mem  += sizeof(*persistent_script);
-	size -= sizeof(*persistent_script);
+	checksum = zend_adler32(checksum, mem, persistent_script_check_block_size, &zero);
+	mem  += ZEND_ALIGNED_SIZE(sizeof(*persistent_script));
+	size -= ZEND_ALIGNED_SIZE(sizeof(*persistent_script));
 
 	if (size > 0) {
-		checksum = zend_adler32(checksum, mem, size);
+		checksum = zend_adler32(checksum, mem, size, persistent_script->checksum_skip_list);
 	}
 	return checksum;
 }

ext/opcache/zend_accelerator_util_funcs.h

@@ -35,7 +35,7 @@ zend_op_array* zend_accel_load_script(zend_persistent_script *persistent_script,
 
 #define ADLER32_INIT 1     /* initial Adler-32 value */
 
-unsigned int zend_adler32(unsigned int checksum, unsigned char *buf, uint32_t len);
+unsigned int zend_adler32(unsigned int checksum, unsigned char *buf, uint32_t len, uint32_t *skip_list);
 
 unsigned int zend_accel_script_checksum(zend_persistent_script *persistent_script);
 

ext/opcache/zend_file_cache.c

@@ -1030,8 +1030,11 @@ int zend_file_cache_script_store(zend_persistent_script *script, int in_shm)
 	}
 	zend_shared_alloc_destroy_xlat_table();
 
-	info.checksum = zend_adler32(ADLER32_INIT, buf, script->size);
-	info.checksum = zend_adler32(info.checksum, (unsigned char*)ZSTR_VAL((zend_string*)ZCG(mem)), info.str_size);
+	zend_string *const s = (zend_string*)ZCG(mem);
+
+	uint32_t zero = 0;
+	info.checksum = zend_adler32(ADLER32_INIT, buf, script->size, &zero);
+	info.checksum = zend_adler32(info.checksum, (unsigned char*)ZSTR_VAL(s), info.str_size, &zero);
 
 #if __has_feature(memory_sanitizer)
 	/* The buffer may contain uninitialized regions. However, the uninitialized parts will not be
@@ -1775,8 +1778,9 @@ zend_persistent_script *zend_file_cache_script_load(zend_file_handle *file_handl
 	close(fd);
 
 	/* verify checksum */
+	uint32_t zero = 0;
 	if (ZCG(accel_directives).file_cache_consistency_checks &&
-	    (actual_checksum = zend_adler32(ADLER32_INIT, mem, info.mem_size + info.str_size)) != info.checksum) {
+	    (actual_checksum = zend_adler32(ADLER32_INIT, mem, info.mem_size + info.str_size, &zero)) != info.checksum) {
 		zend_accel_error(ACCEL_LOG_WARNING, "corrupted file '%s' excepted checksum: 0x%08x actual checksum: 0x%08x\n", filename, info.checksum, actual_checksum);
 		zend_file_cache_unlink(filename);
 		zend_arena_release(&CG(arena), checkpoint);

ext/opcache/zend_persist.c

@@ -87,6 +87,60 @@ static void zend_persist_op_array(zval *zv);
 static const uint32_t uninitialized_bucket[-HT_MIN_MASK] =
 	{HT_INVALID_IDX, HT_INVALID_IDX};
 
+static void checksum_skip_list_init(void)
+{
+	ZEND_ASSERT(ZCG(checksum_skip_list) == NULL);
+	ZCG(checksum_skip_list_count) = 0;
+	ZCG(checksum_skip_list_capacity) = 8;
+	ZCG(checksum_skip_list) = safe_emalloc(ZCG(checksum_skip_list_capacity), sizeof(uint32_t), 0);
+}
+
+static void checksum_skip_list_extend(uint32_t size)
+{
+	ZEND_ASSERT(ZCG(checksum_skip_list) != NULL);
+	ZCG(checksum_skip_list) = safe_erealloc(ZCG(checksum_skip_list), ZCG(checksum_skip_list_capacity), sizeof(uint32_t), 0);
+}
+
+void checksum_skip_list_add(void *p)
+{
+	ZEND_ASSERT(ZCG(checksum_skip_list) != NULL);
+	void *base_btr = ((char*)ZCG(current_persistent_script)->mem) + ZEND_ALIGNED_SIZE(sizeof(zend_persistent_script));
+	ZEND_ASSERT(p >= base_btr);
+	if ((ZCG(checksum_skip_list_count) + 1) >= ZCG(checksum_skip_list_capacity)) {
+		ZCG(checksum_skip_list_capacity) *= 2;
+		checksum_skip_list_extend(ZCG(checksum_skip_list_capacity));
+	}
+	ZCG(checksum_skip_list)[ZCG(checksum_skip_list_count)++] = p - base_btr;
+}
+
+static int checksum_skip_list_compare(const uint32_t *l, const uint32_t *r)
+{
+	if (*l < *r) {
+		return -1;
+	} else if (*l == *r) {
+		return 0;
+	} else {
+		return 1;
+	}
+}
+
+static void checksum_skip_list_swap(uint32_t *l, uint32_t *r)
+{
+	uint32_t tmp = *r;
+	*r = *l;
+	*l = tmp;
+}
+
+static uint32_t *checksum_skip_list_persist(void)
+{
+	zend_sort((void *) ZCG(checksum_skip_list), ZCG(checksum_skip_list_count), sizeof(*ZCG(checksum_skip_list)), (compare_func_t) checksum_skip_list_compare, (swap_func_t) checksum_skip_list_swap);
+	uint32_t *result = zend_shared_memdup(ZCG(checksum_skip_list), (ZCG(checksum_skip_list_count) + 1) * sizeof(uint32_t));
+	result[ZCG(checksum_skip_list_count)] = 0;
+	efree(ZCG(checksum_skip_list));
+	ZCG(checksum_skip_list) = NULL;
+	return result;
+}
+
 static void zend_hash_persist(HashTable *ht)
 {
 	uint32_t idx, nIndex;
@@ -866,6 +920,9 @@ zend_class_entry *zend_persist_class_entry(zend_class_entry *orig_ce)
 			ce->ce_flags |= ZEND_ACC_FILE_CACHED;
 		}
 		ce->inheritance_cache = NULL;
+		if (ZCG(checksum_skip_list) != NULL) {
+			checksum_skip_list_add(&ce->inheritance_cache);
+		}
 
 		if (!(ce->ce_flags & ZEND_ACC_CACHED)) {
 			if (ZSTR_HAS_CE_CACHE(ce->name)) {
@@ -1290,6 +1347,8 @@ zend_persistent_script *zend_accel_script_persist(zend_persistent_script *script
 	script->corrupted = 0;
 	ZCG(current_persistent_script) = script;
 
+	checksum_skip_list_init();
+
 	if (!for_shm) {
 		/* script is not going to be saved in SHM */
 		script->corrupted = 1;
@@ -1346,7 +1405,9 @@ zend_persistent_script *zend_accel_script_persist(zend_persistent_script *script
 	}
 #endif
 
-	script->corrupted = 0;
+	script->checksum_skip_list = checksum_skip_list_persist();
+
+	script->corrupted = false;
 	ZCG(current_persistent_script) = NULL;
 
 	return script;

ext/opcache/zend_persist.h

@@ -30,5 +30,6 @@ zend_class_entry *zend_persist_class_entry(zend_class_entry *ce);
 void zend_update_parent_ce(zend_class_entry *ce);
 void zend_persist_warnings_calc(uint32_t num_warnings, zend_error_info **warnings);
 zend_error_info **zend_persist_warnings(uint32_t num_warnings, zend_error_info **warnings);
+void checksum_skip_list_add(void *p);
 
 #endif /* ZEND_PERSIST_H */