php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80480 Segmentation fault with JIT enabled
Submitted: 2020-12-03 14:33 UTC Modified: 2020-12-04 16:16 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: felix dot brucker at pickware dot de Assigned: dmitry (profile)
Status: Closed Package: JIT
PHP Version: 8.0.0 OS: Mac OS 11.0.1
Private report: No CVE-ID: None
 [2020-12-03 14:33 UTC] felix dot brucker at pickware dot de
Description:
------------
The test script produces a segmentation fault with PHP 8.0.0 and opcache enabled on Mac OS (tested with 11.0.1). On Ubuntu 20.04 with PHP 8.0.0 and opcache enabled the script does not produce a segmentation fault.

The segmentation fault happens on both CLI and when using php with apache2.

Initially i used the PHP 8 install via https://github.com/shivammathur/homebrew-php and to try to get the backtrace i built PHP locally via
```
PATH="/usr/local/opt/bison/bin:/usr/local/opt/re2c/bin:$PATH" ./configure --enable-debug --with-os-sdkpath=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk --enable-bcmath --enable-calendar --enable-dba --enable-dtrace --enable-exif --enable-ftp --enable-gd --enable-mbregex --enable-mbstring --enable-mysqlnd --enable-pcntl --enable-phpdbg --enable-phpdbg-readline --enable-phpdbg-webhelper --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-sysvsem --enable-sysvshm --with-bz2=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr --with-curl --with-external-gd --with-external-pcre --with-ffi --with-gettext=/usr/local/opt/gettext --with-gmp=/usr/local/opt/gmp --with-iconv=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr --with-layout=GNU --with-libxml --with-libedit --with-mhash=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr --with-pic --with-sodium --with-xsl --with-zip --with-zlib --with-pspell=/usr/local/opt/aspell --sysconfdir=/usr/local/etc/php/8.0 --with-config-file-path=/usr/local/etc/php/8.0 --with-config-file-scan-dir=/usr/local/etc/php/8.0/conf.d --enable-opcache
PATH="/usr/local/opt/bison/bin:/usr/local/opt/re2c/bin:$PATH" make -j 8
```

The resulting binary reports:
```
./sapi/cli/php -v
PHP 8.0.0-dev (cli) (built: Dec  3 2020 14:40:00) ( NTS DEBUG )
Copyright (c) The PHP Group
Zend Engine v4.0.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.0.0-dev, Copyright (c), by Zend Technologies

./sapi/cli/php -m
[PHP Modules]
bcmath
bz2
calendar
Core
ctype
curl
date
dba
dom
exif
FFI
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
json
libxml
mbstring
mysqlnd
pcntl
pcre
PDO
pdo_sqlite
Phar
phpdbg_webhelper
posix
pspell
readline
Reflection
session
shmop
SimpleXML
soap
sockets
sodium
SPL
sqlite3
standard
sysvmsg
sysvsem
sysvshm
tokenizer
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache
```

Using gdb to run the php test script results in no error being thrown, it just hangs:
```
sudo gdb ./sapi/cli/php
Password:
GNU gdb (GDB) 10.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin20.1.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./sapi/cli/php...
(gdb) run test_script.php
Starting program: /Users/felixbrucker/php-src/sapi/cli/php test_script.php
[New Thread 0x2403 of process 86826]
```

At this point i can only kill the process via `kill`.

So far i also tried to reduce the optimizations of opcache to zero like so: `opcache.optimization_level=0`, but the segmentation fault persists.

Test script:
---------------
https://gist.github.com/felixbrucker/f8f4623f69b16fc873dbf654db699208

```
php test_script.php
```


Expected result:
----------------
No segmentation fault

Actual result:
--------------
```
./sapi/cli/php test_script.php
[1]    87335 segmentation fault  ./sapi/cli/php test_script.php
```

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-12-04 10:19 UTC] felix dot brucker at pickware dot de
Using a core dump and lldb i was able to generate a backtrace and output for the first frames:

```
(lldb) bt
* thread #1, stop reason = signal SIGSTOP
  * frame #0: 0x000000011c3594c5
    frame #1: 0x0000000105a8f4c9 php`zend_execute(op_array=0x0000000106e5f500, return_value=0x0000000000000000) at zend_vm_execute.h:58856:2
    frame #2: 0x0000000105a5968d php`zend_execute_scripts(type=8, retval=0x0000000000000000, file_count=3) at zend.c:1680:4
    frame #3: 0x00000001059a18a2 php`php_execute_script(primary_file=0x00007ffeea7c9088) at main.c:2488:13
    frame #4: 0x0000000105b8bbfa php`do_cli(argc=2, argv=0x00007ffeea7c9728) at php_cli.c:949:5
    frame #5: 0x0000000105b8ad3c php`main(argc=2, argv=0x00007ffeea7c9728) at php_cli.c:1336:18
    frame #6: 0x00007fff20344631 libdyld.dylib`start + 1
    frame #7: 0x00007fff20344631 libdyld.dylib`start + 1
(lldb) frame select 0
frame #0: 0x000000011c3594c5
->  0x11c3594c5: vaddsd (%rax), %xmm0, %xmm0
    0x11c3594c9: vmovsd %xmm0, (%rax)
    0x11c3594ce: jmp    0x11c34e5ef
    0x11c3594d3: movq   %rax, %rdi
(lldb) frame select 1
frame #1: 0x0000000105a8f4c9 php`zend_execute(op_array=0x0000000106e5f500, return_value=0x0000000000000000) at zend_vm_execute.h:58856:2
   58853		EX(prev_execute_data) = EG(current_execute_data);
   58854		i_init_code_execute_data(execute_data, op_array, return_value);
   58855		ZEND_OBSERVER_FCALL_BEGIN(execute_data);
-> 58856		zend_execute_ex(execute_data);
   58857		/* Observer end handlers are called from ZEND_RETURN */
   58858		zend_vm_stack_free_call_frame(execute_data);
   58859	}
(lldb) frame select 2
frame #2: 0x0000000105a5968d php`zend_execute_scripts(type=8, retval=0x0000000000000000, file_count=3) at zend.c:1680:4
   1677			}
   1678			zend_destroy_file_handle(file_handle);
   1679			if (op_array) {
-> 1680				zend_execute(op_array, retval);
   1681				zend_exception_restore();
   1682				if (UNEXPECTED(EG(exception))) {
   1683					if (Z_TYPE(EG(user_exception_handler)) != IS_UNDEF) {
(lldb)
```
 [2020-12-04 16:16 UTC] nikic@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2020-12-04 16:16 UTC] nikic@php.net
Confirming segfault when enabling JIT with low hot thresholds.
 [2020-12-04 16:16 UTC] nikic@php.net
-Summary: Segmentation fault with opcache enabled +Summary: Segmentation fault with JIT enabled -Package: opcache +Package: JIT
 [2020-12-07 10:29 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=79716025742ca2cbd3b46373ee1cd288a20c7af1
Log: Fixed bug #80480 (Segmentation fault with JIT enabled)
 [2020-12-07 10:29 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2021-07-14 23:22 UTC] jeffrey dot levene at web dot com
I have an <800 line test program that causes a segmentation violation with a "php -l" using 8.0.

Please email me for the test case.  jeffrey dot levene at web dot com.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC