Bug #79864 JIT segfault in Symfony OptionsResolver
Submitted: 2020-07-15 10:24 UTC Modified: 2020-07-21 14:18 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: nikic@php.net Assigned: dmitry (profile)
Status: Closed Package: opcache
PHP Version: 8.0Git-2020-07-15 (Git) OS:
Private report: No CVE-ID: None
 [2020-07-15 10:24 UTC] nikic@php.net
Description:
------------
After https://github.com/symfony/symfony/commit/d8338dc3586ccc5086bdaf4ffae83b84fb2a655d Symfony tests segfault:

~/php/php-src/sapi/cli/php -c ~/php/php-src/php.ini -d opcache.jit_buffer_size=1G ./phpunit src/Symfony/Component/OptionsResolver

0x0000555555de7f87 in i_zend_is_true (op=0x7ffff3e15420)
    at /home/nikic/php/php-src/Zend/zend_operators.h:378
378				if (EXPECTED(Z_OBJ_HT_P(op)->cast_object == zend_std_cast_object_tostring)) {
(gdb) bt
#0  0x0000555555de7f87 in i_zend_is_true (op=0x7ffff3e15420)
    at /home/nikic/php/php-src/Zend/zend_operators.h:378
#1  0x0000555555df040c in zend_is_true (op=0x7ffff3e15420)
    at /home/nikic/php/php-src/Zend/zend_operators.c:2451
#2  0x00007fffb3ed320b in ?? ()
#3  0x00007fffffffa4e0 in ?? ()
#4  0x0000555555e9956d in execute_ex (ex=0x7ffff3e14020)
    at /home/nikic/php/php-src/Zend/zend_vm_execute.h:52398
#5  0x0000555555e9e2ee in zend_execute (op_array=0x7ffff3e5c280, return_value=0x0)
    at /home/nikic/php/php-src/Zend/zend_vm_execute.h:56402
#6  0x0000555555df804a in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/nikic/php/php-src/Zend/zend.c:1667
#7  0x0000555555d5e9dd in php_execute_script (primary_file=0x7fffffffcb10)
    at /home/nikic/php/php-src/main/main.c:2537
#8  0x0000555555edd2c6 in do_cli (argc=7, argv=0x555556bbbac0)
    at /home/nikic/php/php-src/sapi/cli/php_cli.c:951
#9  0x0000555555ede3be in main (argc=7, argv=0x555556bbbac0)
    at /home/nikic/php/php-src/sapi/cli/php_cli.c:1349

The problematic function is OptionsResolver::verifyTypes().


History

 [2020-07-21 09:27 UTC] nikic@php.net
-Assigned To: +Assigned To: dmitry
 [2020-07-21 09:27 UTC] nikic@php.net
@dmitry: If you have time, could you please take a look at this JIT crash?

This is for the current default options (no tracing) and should be reproducible with:

git clone git@github.com:symfony/symfony.git
cd symfony
composer install
.../sapi/cli/php -c .../php.ini -d opcache.jit_buffer_size=1G ./phpunit src/Symfony/Component/OptionsResolver
 [2020-07-21 09:34 UTC] nikic@php.net
It looks like in the meantime another crash appeared inside src/Symfony/Component/Form:

==474779==ERROR: AddressSanitizer: heap-use-after-free on address 0x612001fccfc0 at pc 0x56484bfeb52f bp 0x7fff6a6e3570 sp 0x7fff6a6e3560
READ of size 4 at 0x612001fccfc0 thread T0
    #0 0x56484bfeb52e in zend_gc_delref /home/nikic/php/php-src-asan/Zend/zend_types.h:1162
    #1 0x56484bfec7fd in i_zval_ptr_dtor /home/nikic/php/php-src-asan/Zend/zend_variables.h:43
    #2 0x56484bff949a in zend_array_destroy /home/nikic/php/php-src-asan/Zend/zend_hash.c:1636
    #3 0x56484bf93921 in destroy_op_array /home/nikic/php/php-src-asan/Zend/zend_opcode.c:456
    #4 0x56484c1b29f0 in zend_closure_free_storage /home/nikic/php/php-src-asan/Zend/zend_closures.c:464
    #5 0x56484c1f34d3 in zend_objects_store_del /home/nikic/php/php-src-asan/Zend/zend_objects_API.c:193
    #6 0x56484bfb63e9 in rc_dtor_func /home/nikic/php/php-src-asan/Zend/zend_variables.c:57
    #7 0x56484bfec80d in i_zval_ptr_dtor /home/nikic/php/php-src-asan/Zend/zend_variables.h:44
    #8 0x56484bff949a in zend_array_destroy /home/nikic/php/php-src-asan/Zend/zend_hash.c:1636
    #9 0x56484bfb63e9 in rc_dtor_func /home/nikic/php/php-src-asan/Zend/zend_variables.c:57
    #10 0x56484c1e001d in i_zval_ptr_dtor /home/nikic/php/php-src-asan/Zend/zend_variables.h:44
    #11 0x56484c1e0ab3 in zend_object_std_dtor /home/nikic/php/php-src-asan/Zend/zend_objects.c:70
    #12 0x56484c1f34d3 in zend_objects_store_del /home/nikic/php/php-src-asan/Zend/zend_objects_API.c:193
    #13 0x56484bfb63e9 in rc_dtor_func /home/nikic/php/php-src-asan/Zend/zend_variables.c:57
    #14 0x56484c1e001d in i_zval_ptr_dtor /home/nikic/php/php-src-asan/Zend/zend_variables.h:44
    #15 0x56484c1e0ab3 in zend_object_std_dtor /home/nikic/php/php-src-asan/Zend/zend_objects.c:70
    #16 0x56484c1f34d3 in zend_objects_store_del /home/nikic/php/php-src-asan/Zend/zend_objects_API.c:193
    #17 0x56484bfb63e9 in rc_dtor_func /home/nikic/php/php-src-asan/Zend/zend_variables.c:57
    #18 0x7fb33722d689  (/dev/zero (deleted)+0x89f1689)

0x612001fccfc0 is located 0 bytes inside of 280-byte region [0x612001fccfc0,0x612001fcd0d8)
freed by thread T0 here:
    #0 0x7fb37e14d7cf in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x56484bf30252 in _efree_custom /home/nikic/php/php-src-asan/Zend/zend_alloc.c:2426
    #2 0x56484bf30484 in _efree /home/nikic/php/php-src-asan/Zend/zend_alloc.c:2546
    #3 0x56484c1f35c8 in zend_objects_store_del /home/nikic/php/php-src-asan/Zend/zend_objects_API.c:197
    #4 0x7fb336fddc4b  (/dev/zero (deleted)+0x87a1c4b)
    #5 0x56484c17ebd1 in zend_execute /home/nikic/php/php-src-asan/Zend/zend_vm_execute.h:56402
    #6 0x56484bfc0763 in zend_execute_scripts /home/nikic/php/php-src-asan/Zend/zend.c:1669
    #7 0x56484be67fab in php_execute_script /home/nikic/php/php-src-asan/main/main.c:2548
    #8 0x56484c20f194 in do_cli /home/nikic/php/php-src-asan/sapi/cli/php_cli.c:951
    #9 0x56484c211372 in main /home/nikic/php/php-src-asan/sapi/cli/php_cli.c:1349
    #10 0x7fb37ca990b2 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    #0 0x7fb37e14dbc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x56484bf3253d in __zend_malloc /home/nikic/php/php-src-asan/Zend/zend_alloc.c:2992
    #2 0x56484bf30168 in _malloc_custom /home/nikic/php/php-src-asan/Zend/zend_alloc.c:2417
    #3 0x56484bf303d5 in _emalloc /home/nikic/php/php-src-asan/Zend/zend_alloc.c:2536
    #4 0x56484c1e12b7 in zend_objects_new /home/nikic/php/php-src-asan/Zend/zend_objects.c:178
    #5 0x56484c1e2116 in zend_objects_clone_obj /home/nikic/php/php-src-asan/Zend/zend_objects.c:261
    #6 0x56484c094f64 in ZEND_CLONE_SPEC_TMPVAR_HANDLER /home/nikic/php/php-src-asan/Zend/zend_vm_execute.h:13192
    #7 0x7fb336fd94e5  (/dev/zero (deleted)+0x879d4e5)
    #8 0x56484c17ebd1 in zend_execute /home/nikic/php/php-src-asan/Zend/zend_vm_execute.h:56402
    #9 0x56484bfc0763 in zend_execute_scripts /home/nikic/php/php-src-asan/Zend/zend.c:1669
    #10 0x56484be67fab in php_execute_script /home/nikic/php/php-src-asan/main/main.c:2548
    #11 0x56484c20f194 in do_cli /home/nikic/php/php-src-asan/sapi/cli/php_cli.c:951
    #12 0x56484c211372 in main /home/nikic/php/php-src-asan/sapi/cli/php_cli.c:1349
    #13 0x7fb37ca990b2 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

(There are also lots of ParseError exceptions, but this is currently "normal" due to a PhpUnit issue.)
 [2020-07-21 14:18 UTC] dmitry@php.net
The incorrect JIT code generation was caused by an invalid setting of the IS_SMART_BRANCH_JMPZ flag in zend_redo_pass_two[_ex]().
 [2020-07-21 17:54 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b44169e9ddd46d32342c68493eebf446e707fbde
Log: Fixed bug #79864 (JIT segfault in Symfony OptionsResolver)
 [2020-07-21 17:54 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
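The reproduction line above runs the suite only with the JIT enabled. A check a triager wants before assigning a crash like this to the JIT is the same command with the JIT off and with each JIT mode, and a clean way to tell a segfault apart from an ordinary test failure. The script below is an added example and not part of the bug report or of php-src: `exit_class` classifies how a command exits (a segfault surfaces as exit status 128+11), and `jit_matrix` repeats the phpunit invocation under `opcache.jit=0` (off), `1205` (function JIT) and `1254` (tracing JIT). The PHP binary path, php.ini path and test path are arguments the caller supplies; `opcache.enable_cli=1` is added so that opcache (and therefore the JIT) is active in the CLI SAPI regardless of what the ini file says.

```shell
#!/bin/sh
# Added example, not code from the bug report or from php-src.
# Classifies how a command exits and runs one phpunit path under several
# opcache.jit modes so a crash can be attributed to the JIT before filing.

# exit_class CMD...: run CMD quietly and print one of
#   "ok"        - exit status 0
#   "error N"   - non-zero exit status N (e.g. failing tests)
#   "signal N"  - killed by signal N (a segfault is SIGSEGV, signal 11)
# The "|| status=$?" form keeps the function usable under "set -e".
exit_class() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        # POSIX shells report a signal death as 128 + signal number.
        echo "signal $((status - 128))"
    else
        echo "error $status"
    fi
}

# jit_matrix PHP_BIN PHP_INI TEST_PATH: run ./phpunit on TEST_PATH with the
# JIT off and then with the function and tracing JIT, printing one line per
# configuration. A "signal 11" that appears only with opcache.jit != 0 points
# at JIT code generation rather than at the interpreter or the test suite.
# PHP_BIN, PHP_INI and TEST_PATH are caller-supplied assumptions; the
# phpunit invocation mirrors the one in the bug report.
jit_matrix() {
    php_bin=$1; ini=$2; test_path=$3
    # opcache.jit CRTO values in PHP 8.0: 0 = off, 1205 = function JIT
    # (trigger 0, optimization level 5), 1254 = tracing JIT (trigger 5).
    for jit in 0 1205 1254; do
        result=$(exit_class "$php_bin" -c "$ini" \
            -d opcache.enable_cli=1 \
            -d opcache.jit_buffer_size=1G \
            -d opcache.jit="$jit" \
            ./phpunit "$test_path")
        echo "opcache.jit=$jit: $result"
    done
}

# Usage (from a Symfony checkout after "composer install"):
#   jit_matrix ~/php/php-src/sapi/cli/php ~/php/php-src/php.ini \
#       src/Symfony/Component/OptionsResolver
```

Run `jit_matrix` from the repository root; a result of `ok` or `error N` for `opcache.jit=0` next to `signal 11` for one of the JIT modes is the evidence worth pasting into a report, together with the mode that crashed.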
 