Delay notice emission until end of opcode

[iluuu1994]

• Use last label offset, instead of doubling them
• Avoid spec for opcodes with no CONST (or ANY) operands
• Reverse loop SPEC items, or fix order
• Duplicate if (spec & SPEC_RULE_DELAYED) { branch for OP_DATA and convert back to else if
• Rename ZEND_HANDLE_DELAYED_ERROR to ERRORS
• Fix JIT

[dstogov]

The first impression - this is a quite complex solution that is not going to be universal anyway.

For example the following code is still not fixed

<?php
$a[$y][]='';
set_error_handler(function() {
    $GLOBALS['a']='';
});
[$c]="";
$a[$c].=2;

Do you like to convert ALL non-fatal errors emitted in VM to be delayed?
Otherwise, this doesn't make a lot of sense because the remaining messages may be exploited.
Taking into account warning emitted by callbacks of internal classes, this looks impossible.

[dstogov]

I think this is improper direction.
It may some sense only if user error handlers are set. Otherwise it significantly complicates the execution flow.
It's not going to resolve all the related problem.

In my opinion, the best way to fix this is limiting the ability of changing sensitive data in user error handlers.
e.g. disabling modification of $GLOBALS, "locking" sensitive data in zend_error() before calling the user error handler, etc

[dstogov]

It may be dangerous to reuse EG(opline_before_exception) for delayed errors. I'm not sure how delayed errors and exceptions may interact. What if we had an exception before the delayed error?

[iluuu1994]

We probably don't need to change the EG(opline_before_exception) = EG(current_execute_data)->opline; if EG(current_execute_data)->opline == EG(exception_op), because all pending errors are handled before exceptions. But there might still be other issues.

[dstogov]

Here they are not handled but recorded, I can't be sure if some instruction can't throw exception and then emit delayed warning.

At least add ZEND_ASSERT(!EG(exception)) to catch the possible problem.

[dstogov]

May the first error throw an exception? Then the second. Which exception is going to be caught?

[iluuu1994]

They could be chained, similar to here: https://3v4l.org/um5TH I'm not sure how this currently behaves.

[dstogov]

I'm too :)
Probably the exception thrown from the last error handler is going to be caught first.
Or EG(exception) set by the first handler will prevent the second handler form execution.

[dstogov]

I don't like this trick. I can't imagine all the problems in case of executor re-enterancy.

You probably, may not to change EX(opline) if emit delayed errors from ZEND_FETCH_* instruction handlers, but then you'll have to check for existence of delayed errors in the following instruction.

[dstogov]

In case of exception during the execution of instruction stored in EG(delayed_error_op)[0], EG(opline_before_exception) is going to get wrong value, then opline-op_array->opcodes calculations are going to be wring.

[iluuu1994]

Hmm that's true. Exceptions during execution of a delayed opcode would need to check for opline != &EG(delayed_error_op)[0]. I suppose that's fine for exceptions, as they have some inherent overhead. But yes it complicates the matter further.

[dstogov]

SPEC(DELAYED) is going to double the number of related handlers. Right?
I see ~40MB zend_execute.o size increase.

[iluuu1994]

It shouldn't. SPEC(DELAYED) should add a single, otherwise unspecialized handler. It's possible that this behavior is still buggy, but that's the idea.

[iluuu1994]

@dstogov

this is a quite complex solution

I agree with you that this is quite complex. Unfortunately, I don't have a simpler idea at this time. Collectively, this mechanism might still be simpler than coming up with a separate solution for each delayed warning.

Do you like to convert ALL non-fatal errors emitted in VM to be delayed?

The intention was to change all warnings that are executed in the middle of op handlers or other operations, but I agree that this is both time consuming for us to identify which warnings are affected, and breaking for users.

In my opinion, the best way to fix this is limiting the ability of changing sensitive data in user error handlers.
e.g. disabling modification of $GLOBALS, "locking" sensitive data in zend_error() before calling the user error handler, etc

I'm not sure if this is exclusive to globals. E.g. you can still modify values in static properties, or bind values by-ref to the closure.

Another option might be to phase out the problematic errors, and provide some new mechanism for errors. E.g. we may log errors to some file descriptor, or even just add them to a global array. At the end of the request, the user can inspect the logged errors, log them, send them to their logging service, or whatnot. With an additional config to promote these errors to exceptions so that execution halts immediately, we could cover most use cases.

[dstogov]

I'm not sure if this is exclusive to globals. E.g. you can still modify values in static properties, or bind values by-ref to the closure.

Right. It was a direction for thoughts. I tried to implement the idea using "locking", but this solution is also not general. At least I didn't found a general solution.

Another option might be to phase out the problematic errors, and provide some new mechanism for errors. E.g. we may log errors to some file descriptor, or even just add them to a global array. At the end of the request, the user can inspect the logged errors, log them, send them to their logging service, or whatnot. With an additional config to promote these errors to exceptions so that execution halts immediately, we could cover most use cases.

This kind of solution would fix most related problems.
We may provide an ability to record information about all the warnings.
We may also need an ability to convert warnings to exceptions.

[iluuu1994]

I'm closing this PR, as the approach seems to complex.