/*
   +----------------------------------------------------------------------+
   | Copyright © The PHP Group and Contributors.                          |
   +----------------------------------------------------------------------+
   | This source file is subject to the Modified BSD License that is      |
   | bundled with this package in the file LICENSE, and is available      |
   | through the World Wide Web at <https://www.php.net/license/>.        |
   |                                                                      |
   | SPDX-License-Identifier: BSD-3-Clause                                |
   +----------------------------------------------------------------------+
   | Authors: Nikita Popov <nikic@php.net>                                |
   +----------------------------------------------------------------------+
 */
#include "fuzzer-execute-common.h"
/* Switch the opcache.jit INI entry at runtime; mode is a NUL-terminated
 * literal such as "off" or "tracing", mode_len its length without the NUL. */
static void set_jit_mode(zend_string *jit_ini, const char *mode, size_t mode_len) {
  zend_alter_ini_entry_chars(jit_ini, mode, mode_len, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
}

/* libFuzzer entry point for the tracing-JIT target.
 *
 * The input is executed up to three times:
 *   1. with the JIT disabled, to learn whether the script bails out
 *      (the step-limited fuzzer_execute_ex sets bailed_out);
 *   2. with opcache.jit=tracing, to record and compile traces;
 *   3. again with the tracing JIT, to run the compiled trace.
 * Passes 2 and 3 are skipped when pass 1 bailed out, because JIT-compiled
 * code for such an input may loop forever.
 *
 * Data/Size: the fuzzer-supplied PHP source; inputs larger than MAX_SIZE
 * are ignored. Always returns 0, as libFuzzer requires. */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  /* Large inputs have a large impact on fuzzer performance,
   * but are unlikely to be necessary to reach new codepaths. */
  if (Size > MAX_SIZE) {
    return 0;
  }

  const char *source = (const char *) Data;
  zend_string *jit_ini = ZSTR_INIT_LITERAL("opcache.jit", 1);

  /* Pass 1, JIT off: detect a bail-out before any JITed code can run. */
  bailed_out = false;
  steps_left = MAX_STEPS;
  set_jit_mode(jit_ini, "off", sizeof("off") - 1);
  fuzzer_do_request_from_buffer(FILE_NAME, source, Size, /* execute */ 1, opcache_invalidate);

  if (bailed_out) {
    goto done;
  }

  steps_left = MAX_STEPS;
  set_jit_mode(jit_ini, "tracing", sizeof("tracing") - 1);
  /* Use the engine's own executor for the JIT passes; the step-counting
   * fuzzer_execute_ex is restored afterwards (presumably so the JIT sees the
   * stock entry point — see fuzzer-execute-common.h). */
  zend_execute_ex = orig_execute_ex;

  /* Pass 2: trace & compile. */
  fuzzer_do_request_from_buffer(FILE_NAME, source, Size, /* execute */ 1, NULL);
  /* Pass 3: execute the compiled trace. */
  fuzzer_do_request_from_buffer(FILE_NAME, source, Size, /* execute */ 1, opcache_invalidate);

  zend_execute_ex = fuzzer_execute_ex;

done:
  zend_string_release(jit_ini);
  return 0;
}
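/* libFuzzer one-time initialisation: create the scratch script file and boot
 * PHP with the INI settings the tracing-JIT target needs.
 *
 * argc/argv: libFuzzer's command line, unused here.
 * Returns 0 on success, as libFuzzer requires.
 *
 * The INI text used to be snprintf()'d into a 512-byte stack buffer with no
 * format directives and an unchecked return value, so adding entries could
 * silently truncate the tail (the last entry, opcache.protect_memory=1, is the
 * one that makes stray writes into opcache shared memory fault instead of
 * going unnoticed). A constant array needs no copy and cannot truncate. */
int LLVMFuzzerInitialize(int *argc, char ***argv) {
  static const char ini_entries[] =
    "opcache.validate_timestamps=0\n"
    "opcache.file_update_protection=0\n"
    "opcache.memory_consumption=1024\n"
    "opcache.jit_buffer_size=128M\n"
    /* Hot thresholds of 1 make every function/loop/return/side exit trace
     * immediately, so one pass is enough to compile the whole input. */
    "opcache.jit_hot_func=1\n"
    "opcache.jit_hot_loop=1\n"
    "opcache.jit_hot_return=1\n"
    "opcache.jit_hot_side_exit=1\n"
    "opcache.jit_max_root_traces=100000\n"
    "opcache.jit_max_side_traces=100000\n"
    "opcache.jit_max_exit_counters=100000\n"
    "opcache.protect_memory=1\n";

  create_file();
  fuzzer_init_php_for_execute(ini_entries);
  return 0;
}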