Bug #79864 JIT segfault in Symfony OptionsResolver
Submitted: 2020-07-15 10:24 UTC Modified: 2020-07-21 14:18 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: nikic@php.net Assigned: dmitry (profile)
Status: Closed Package: opcache
PHP Version: 8.0Git-2020-07-15 (Git) OS:
Private report: No CVE-ID: None
 [2020-07-15 10:24 UTC] nikic@php.net
Description:
------------
After https://github.com/symfony/symfony/commit/d8338dc3586ccc5086bdaf4ffae83b84fb2a655d Symfony tests segfault:

~/php/php-src/sapi/cli/php -c ~/php/php-src/php.ini -d opcache.jit_buffer_size=1G ./phpunit src/Symfony/Component/OptionsResolver

0x0000555555de7f87 in i_zend_is_true (op=0x7ffff3e15420)
    at /home/nikic/php/php-src/Zend/zend_operators.h:378
378				if (EXPECTED(Z_OBJ_HT_P(op)->cast_object == zend_std_cast_object_tostring)) {
(gdb) bt
#0  0x0000555555de7f87 in i_zend_is_true (op=0x7ffff3e15420)
    at /home/nikic/php/php-src/Zend/zend_operators.h:378
#1  0x0000555555df040c in zend_is_true (op=0x7ffff3e15420)
    at /home/nikic/php/php-src/Zend/zend_operators.c:2451
#2  0x00007fffb3ed320b in ?? ()
#3  0x00007fffffffa4e0 in ?? ()
#4  0x0000555555e9956d in execute_ex (ex=0x7ffff3e14020)
    at /home/nikic/php/php-src/Zend/zend_vm_execute.h:52398
#5  0x0000555555e9e2ee in zend_execute (op_array=0x7ffff3e5c280, return_value=0x0)
    at /home/nikic/php/php-src/Zend/zend_vm_execute.h:56402
#6  0x0000555555df804a in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/nikic/php/php-src/Zend/zend.c:1667
#7  0x0000555555d5e9dd in php_execute_script (primary_file=0x7fffffffcb10)
    at /home/nikic/php/php-src/main/main.c:2537
#8  0x0000555555edd2c6 in do_cli (argc=7, argv=0x555556bbbac0)
    at /home/nikic/php/php-src/sapi/cli/php_cli.c:951
#9  0x0000555555ede3be in main (argc=7, argv=0x555556bbbac0)
    at /home/nikic/php/php-src/sapi/cli/php_cli.c:1349

The problematic function is OptionsResolver::verifyTypes().


 [2020-07-21 09:27 UTC] nikic@php.net
-Assigned To: +Assigned To: dmitry
 [2020-07-21 09:27 UTC] nikic@php.net
@dmitry: If you have time, could you please take a look at this JIT crash?

This is for the current default options (no tracing) and should be reproducible with:

git clone git@github.com:symfony/symfony.git
cd symfony
composer install
.../sapi/cli/php -c .../php.ini -d opcache.jit_buffer_size=1G ./phpunit src/Symfony/Component/OptionsResolver
 [2020-07-21 09:34 UTC] nikic@php.net
It looks like in the meantime another crash appeared inside src/Symfony/Component/Form:

==474779==ERROR: AddressSanitizer: heap-use-after-free on address 0x612001fccfc0 at pc 0x56484bfeb52f bp 0x7fff6a6e3570 sp 0x7fff6a6e3560
READ of size 4 at 0x612001fccfc0 thread T0
    #0 0x56484bfeb52e in zend_gc_delref /home/nikic/php/php-src-asan/Zend/zend_types.h:1162
    #1 0x56484bfec7fd in i_zval_ptr_dtor /home/nikic/php/php-src-asan/Zend/zend_variables.h:43
    #2 0x56484bff949a in zend_array_destroy /home/nikic/php/php-src-asan/Zend/zend_hash.c:1636
    #3 0x56484bf93921 in destroy_op_array /home/nikic/php/php-src-asan/Zend/zend_opcode.c:456
    #4 0x56484c1b29f0 in zend_closure_free_storage /home/nikic/php/php-src-asan/Zend/zend_closures.c:464
    #5 0x56484c1f34d3 in zend_objects_store_del /home/nikic/php/php-src-asan/Zend/zend_objects_API.c:193
    #6 0x56484bfb63e9 in rc_dtor_func /home/nikic/php/php-src-asan/Zend/zend_variables.c:57
    #7 0x56484bfec80d in i_zval_ptr_dtor /home/nikic/php/php-src-asan/Zend/zend_variables.h:44
    #8 0x56484bff949a in zend_array_destroy /home/nikic/php/php-src-asan/Zend/zend_hash.c:1636
    #9 0x56484bfb63e9 in rc_dtor_func /home/nikic/php/php-src-asan/Zend/zend_variables.c:57
    #10 0x56484c1e001d in i_zval_ptr_dtor /home/nikic/php/php-src-asan/Zend/zend_variables.h:44
    #11 0x56484c1e0ab3 in zend_object_std_dtor /home/nikic/php/php-src-asan/Zend/zend_objects.c:70
    #12 0x56484c1f34d3 in zend_objects_store_del /home/nikic/php/php-src-asan/Zend/zend_objects_API.c:193
    #13 0x56484bfb63e9 in rc_dtor_func /home/nikic/php/php-src-asan/Zend/zend_variables.c:57
    #14 0x56484c1e001d in i_zval_ptr_dtor /home/nikic/php/php-src-asan/Zend/zend_variables.h:44
    #15 0x56484c1e0ab3 in zend_object_std_dtor /home/nikic/php/php-src-asan/Zend/zend_objects.c:70
    #16 0x56484c1f34d3 in zend_objects_store_del /home/nikic/php/php-src-asan/Zend/zend_objects_API.c:193
    #17 0x56484bfb63e9 in rc_dtor_func /home/nikic/php/php-src-asan/Zend/zend_variables.c:57
    #18 0x7fb33722d689  (/dev/zero (deleted)+0x89f1689)

0x612001fccfc0 is located 0 bytes inside of 280-byte region [0x612001fccfc0,0x612001fcd0d8)
freed by thread T0 here:
    #0 0x7fb37e14d7cf in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x56484bf30252 in _efree_custom /home/nikic/php/php-src-asan/Zend/zend_alloc.c:2426
    #2 0x56484bf30484 in _efree /home/nikic/php/php-src-asan/Zend/zend_alloc.c:2546
    #3 0x56484c1f35c8 in zend_objects_store_del /home/nikic/php/php-src-asan/Zend/zend_objects_API.c:197
    #4 0x7fb336fddc4b  (/dev/zero (deleted)+0x87a1c4b)
    #5 0x56484c17ebd1 in zend_execute /home/nikic/php/php-src-asan/Zend/zend_vm_execute.h:56402
    #6 0x56484bfc0763 in zend_execute_scripts /home/nikic/php/php-src-asan/Zend/zend.c:1669
    #7 0x56484be67fab in php_execute_script /home/nikic/php/php-src-asan/main/main.c:2548
    #8 0x56484c20f194 in do_cli /home/nikic/php/php-src-asan/sapi/cli/php_cli.c:951
    #9 0x56484c211372 in main /home/nikic/php/php-src-asan/sapi/cli/php_cli.c:1349
    #10 0x7fb37ca990b2 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    #0 0x7fb37e14dbc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x56484bf3253d in __zend_malloc /home/nikic/php/php-src-asan/Zend/zend_alloc.c:2992
    #2 0x56484bf30168 in _malloc_custom /home/nikic/php/php-src-asan/Zend/zend_alloc.c:2417
    #3 0x56484bf303d5 in _emalloc /home/nikic/php/php-src-asan/Zend/zend_alloc.c:2536
    #4 0x56484c1e12b7 in zend_objects_new /home/nikic/php/php-src-asan/Zend/zend_objects.c:178
    #5 0x56484c1e2116 in zend_objects_clone_obj /home/nikic/php/php-src-asan/Zend/zend_objects.c:261
    #6 0x56484c094f64 in ZEND_CLONE_SPEC_TMPVAR_HANDLER /home/nikic/php/php-src-asan/Zend/zend_vm_execute.h:13192
    #7 0x7fb336fd94e5  (/dev/zero (deleted)+0x879d4e5)
    #8 0x56484c17ebd1 in zend_execute /home/nikic/php/php-src-asan/Zend/zend_vm_execute.h:56402
    #9 0x56484bfc0763 in zend_execute_scripts /home/nikic/php/php-src-asan/Zend/zend.c:1669
    #10 0x56484be67fab in php_execute_script /home/nikic/php/php-src-asan/main/main.c:2548
    #11 0x56484c20f194 in do_cli /home/nikic/php/php-src-asan/sapi/cli/php_cli.c:951
    #12 0x56484c211372 in main /home/nikic/php/php-src-asan/sapi/cli/php_cli.c:1349
    #13 0x7fb37ca990b2 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

(There are also lots of ParseError exceptions, but this is currently "normal" due to a PhpUnit issue.)
 [2020-07-21 14:18 UTC] dmitry@php.net
The incorrect JIT code generation is caused by an invalid setting of the IS_SMART_BRANCH_JMPZ flag in zend_redo_pass_two[_ex]().
 [2020-07-21 17:54 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b44169e9ddd46d32342c68493eebf446e707fbde
Log: Fixed bug #79864 (JIT segfault in Symfony OptionsResolver)
 [2020-07-21 17:54 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 