Coverage Report

Created: 2026-06-02 06:39

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/php-src/sapi/fuzzer/fuzzer-execute-common.h
Line
Count
Source
1
/*
2
   +----------------------------------------------------------------------+
3
   | Copyright © The PHP Group and Contributors.                          |
4
   +----------------------------------------------------------------------+
5
   | This source file is subject to the Modified BSD License that is      |
6
   | bundled with this package in the file LICENSE, and is available      |
7
   | through the World Wide Web at <https://www.php.net/license/>.        |
8
   |                                                                      |
9
   | SPDX-License-Identifier: BSD-3-Clause                                |
10
   +----------------------------------------------------------------------+
11
   | Authors: Nikita Popov <nikic@php.net>                                |
12
   +----------------------------------------------------------------------+
13
 */
14
15
#include <main/php.h>
16
17
#if defined(__FreeBSD__)
18
# include <sys/sysctl.h>
19
#endif
20
21
#include "fuzzer.h"
22
#include "fuzzer-sapi.h"
23
#include "zend_exceptions.h"
24
#include "zend_vm.h"
25
26
44.4k
#define FILE_NAME "/tmp/fuzzer.php"
27
63.6k
#define MAX_STEPS 1000
28
306k
#define MAX_SIZE (8 * 1024)
29
3.74M
#define ZEND_VM_ENTER_BIT 1ULL
30
31
static uint32_t steps_left;
32
static bool bailed_out = false;
33
34
4.97k
static zend_always_inline void fuzzer_bailout(void) {
35
4.97k
  bailed_out = true;
36
4.97k
  zend_bailout();
37
4.97k
}
38
39
4.13M
static zend_always_inline void fuzzer_step(void) {
40
4.13M
  if (--steps_left == 0) {
41
    /* Reset steps before bailing out, so code running after bailout (e.g. in
42
     * destructors) will get another MAX_STEPS, rather than UINT32_MAX steps. */
43
1.20k
    steps_left = MAX_STEPS;
44
1.20k
    fuzzer_bailout();
45
1.20k
  }
46
4.13M
}
47
48
static void (*orig_execute_ex)(zend_execute_data *execute_data);
49
50
93.5k
static void fuzzer_execute_ex(zend_execute_data *execute_data) {
51
52
93.5k
#ifdef ZEND_CHECK_STACK_LIMIT
53
93.5k
  if (UNEXPECTED(zend_call_stack_overflowed(EG(stack_limit)))) {
54
0
    zend_call_stack_size_error();
55
    /* No opline was executed before exception */
56
0
    EG(opline_before_exception) = NULL;
57
    /* Fall through to handle exception below. */
58
0
  }
59
93.5k
#endif /* ZEND_CHECK_STACK_LIMIT */
60
61
93.5k
  const zend_op *opline = EX(opline);
62
63
3.76M
  while (1) {
64
3.71M
    fuzzer_step();
65
3.71M
    opline = ((zend_vm_opcode_handler_func_t) zend_get_opcode_handler_func(opline))(execute_data, opline);
66
3.71M
    if ((uintptr_t) opline & ZEND_VM_ENTER_BIT) {
67
36.8k
      opline = (const zend_op *) ((uintptr_t) opline & ~ZEND_VM_ENTER_BIT);
68
36.8k
      if (opline) {
69
0
        execute_data = EG(current_execute_data);
70
36.8k
      } else {
71
36.8k
        return;
72
36.8k
      }
73
36.8k
    }
74
3.71M
  }
75
93.5k
}
76
77
static zend_op_array *(*orig_compile_string)(
78
    zend_string *source_string, const char *filename, zend_compile_position position);
79
80
static zend_op_array *fuzzer_compile_string(
81
2.72k
    zend_string *str, const char *filename, zend_compile_position position) {
82
2.72k
  if (ZSTR_LEN(str) > MAX_SIZE) {
83
    /* Avoid compiling huge inputs via eval(). */
84
2
    fuzzer_bailout();
85
2
  }
86
87
2.72k
  return orig_compile_string(str, filename, position);
88
2.72k
}
89
90
static void (*orig_execute_internal)(zend_execute_data *execute_data, zval *return_value);
91
92
420k
static void fuzzer_execute_internal(zend_execute_data *execute_data, zval *return_value) {
93
420k
  fuzzer_step();
94
95
420k
  uint32_t num_args = ZEND_CALL_NUM_ARGS(execute_data);
96
964k
  for (uint32_t i = 0; i < num_args; i++) {
97
    /* Some internal functions like preg_replace() may be slow on large inputs.
98
     * Limit the maximum size of string inputs. */
99
544k
    zval *arg = ZEND_CALL_VAR_NUM(execute_data, i);
100
544k
    if (Z_TYPE_P(arg) == IS_STRING && Z_STRLEN_P(arg) > MAX_SIZE) {
101
3.76k
      fuzzer_bailout();
102
3.76k
    }
103
544k
  }
104
105
420k
  orig_execute_internal(execute_data, return_value);
106
420k
}
107
108
2
static void fuzzer_init_php_for_execute(const char *extra_ini) {
109
  /* Compilation will often trigger fatal errors.
110
   * Use tracked allocation mode to avoid leaks in that case. */
111
2
  putenv("USE_TRACKED_ALLOC=1");
112
113
  /* Just like other SAPIs, ignore SIGPIPEs. */
114
2
  signal(SIGPIPE, SIG_IGN);
115
116
2
  fuzzer_init_php(extra_ini);
117
118
2
  orig_execute_ex = zend_execute_ex;
119
2
  zend_execute_ex = fuzzer_execute_ex;
120
2
  orig_execute_internal = zend_execute_internal ? zend_execute_internal : execute_internal;
121
2
  zend_execute_internal = fuzzer_execute_internal;
122
2
  orig_compile_string = zend_compile_string;
123
2
  zend_compile_string = fuzzer_compile_string;
124
2
}
125
126
2
ZEND_ATTRIBUTE_UNUSED static void create_file(void) {
127
  /* For opcache_invalidate() to work, the dummy file name used for fuzzing needs to
128
   * actually exist. */
129
2
  FILE *f = fopen(FILE_NAME, "w");
130
2
  fclose(f);
131
2
}
132
133
31.2k
ZEND_ATTRIBUTE_UNUSED static void opcache_invalidate(void) {
134
31.2k
  steps_left = MAX_STEPS;
135
31.2k
  zend_object *exception = EG(exception);
136
31.2k
  EG(exception) = NULL;
137
31.2k
  zval retval, args[2];
138
31.2k
  zend_function *fn = zend_hash_str_find_ptr(CG(function_table), ZEND_STRL("opcache_invalidate"));
139
31.2k
  ZEND_ASSERT(fn != NULL);
140
141
31.2k
  ZVAL_STRING(&args[0], FILE_NAME);
142
31.2k
  ZVAL_TRUE(&args[1]);
143
31.2k
  zend_call_known_function(fn, NULL, NULL, &retval, 2, args, NULL);
144
31.2k
  ZEND_ASSERT(Z_TYPE(retval) == IS_TRUE);
145
31.2k
  zval_ptr_dtor(&args[0]);
146
31.2k
  zval_ptr_dtor(&retval);
147
31.2k
  EG(exception) = exception;
148
31.2k
}