php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #80968 JIT segfault with return from required file
Submitted: 2021-04-19 02:09 UTC Modified: 2021-05-11 08:21 UTC
From: ryan dot brothers at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: JIT
PHP Version: 8.0.3 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: ryan dot brothers at gmail dot com
New email:
PHP Version: OS:

 

 [2021-04-19 02:09 UTC] ryan dot brothers at gmail dot com 
Description:
------------
I am seeing a few segfaults when running PHP 8.0.3 with JIT enabled under nginx/php-fpm on CentOS 8.  I'm not sure if all the segfaults I'm getting are related, but I've been able to reproduce one of them so far.

To reproduce, set-up scripts 1.php and 2.php as listed, and then go to 1.php via nginx/php-fpm.  You may have to hit the URL a few times to get the segfault.

My php.ini has:
opcache.jit = tracing
opcache.jit_buffer_size = 100M

Please let me know if I can give any more info to help reproduce it.

Thank you for your help.

Test script:
---------------
1.php:

<?php
class c1
{
	public static function __callStatic($method_name, $arguments)
	{
		return require('2.php');
	}
}

$data = array(1, 2);

for ($i = 0; $i < 100; $i++)
{
	c1::test($data);
}

=======

2.php:

<?php
if (is_array($arguments[0]) == true)
{
	foreach ($arguments[0] as $item)
	{
		c1::test($item);
	}
}

return $arguments[0];


Expected result:
----------------
No output.

Actual result:
--------------
nginx returns "An error occurred."

php-fpm.log has:
[18-Apr-2021 21:53:25] WARNING: [pool www] child 193586 exited on signal 11 (SIGSEGV) after 11.391747 seconds from start

/var/log/messages has:
Apr 18 21:53:25 server1 kernel: traps: php-fpm[193586] general protection fault ip:55fa3e1d2dbf sp:7ffe87e6d8c0 error:0 in php-fpm[55fa3e0e4000+11c000]

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-04-19 10:34 UTC] nikic@php.net 
I'm not able to reproduce this on current master. It's possible that the issue has already been fixed.
 [2021-04-23 01:55 UTC] ryan dot brothers at gmail dot com 
Thanks, I was able to reproduce the issue in master.  It seems to be related to certain php.ini files.  What I did was take the default php.ini-development file, but added these 4 lines at the top of the file:

zend_extension = opcache
opcache.enable = 1
opcache.jit = tracing
opcache.jit_buffer_size = 100M

When I do that, I can reproduce the issue.  The same issue happens if I start with php.ini-production and add the 4 lines.

Please let me know if this helps to reproduce the issue, or I'll try to narrow it down further.  Thank you again for your help.
 [2021-05-04 13:17 UTC] philippreddigau+php at gmail dot com 
We can also confirm this issue on PHP 8.0.5 alpine based docker image.
Disabling the feature, fixes the problem.

dmesg logs:
1. Crash after refeshing the site:
[27876.626172] php-fpm[65114]: segfault at 0 ip 0000000000000000 sp 00007ffcf2210d50 error 14 in zero (deleted)[41e5e000+6400000]
[27876.626353] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.

2. Crash after try to access again 
[27925.466121] php-fpm[65115]: segfault at 18 ip 0000558b23029c94 sp 00007ffcf2210d38 error 4 in php-fpm[558b23000000+3ba000]
[27925.466297] Code: eb 19 49 83 c7 20 80 bb 22 02 00 00 00 74 0c 5a 5b 5d 41 5c 41 5d e9 7b c2 30 00 58 5b 5d 41 5c 41 5d c3 55 53 51 49 8b 46 08 <48> 8b 68 18 48 8b 50 30 4d 89 3e 8b 58 2c 49 89 56 08 48 8b 55 48

3. Crash, refreshing again
[27945.021344] php-fpm[65116]: segfault at 0 ip 0000000000000000 sp 00007ffcf22084a8 error 14 in zero (deleted)[41e5e000+6400000]
[27945.021448] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
 [2021-05-05 07:52 UTC] philippreddigau+php at gmail dot com 
Added a repository with docker image that reproduces the issue:
https://github.com/ItsReddi/sandbox

Reproduce:
1) clone repo
2) docker-compose up -d
3) Refresh one or multiple times at http://localhost:8080/php/bug_80968.php
 [2021-05-05 13:34 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2021-05-05 13:34 UTC] nikic@php.net 
Not sure what I did wrong before, but I can reproduce the issue now (using built-in server, just --repeat mode doesn't seem to be sufficient) and get this assertion failure:

php: ext/opcache/jit/zend_jit_trace.c:340: zend_jit_trace_type_to_info_ex: Assertion `info & (1 << type)' failed.

type is IS_UNDEF and the opline is the RETURN in __callStatic().
 [2021-05-05 14:47 UTC] nikic@php.net
-Summary: jit segfault on php-fpm +Summary: JIT segfault with return from required file
 [2021-05-05 14:47 UTC] nikic@php.net 
Slightly reduced variant just to show that this has no relation to __callStatic trampolines:

1.php
<?php
function foo($arguments) { 
    var_dump(require('2.php'));
}
for ($i = 0; $i < 100; $i++) {
    foo([[1, 2]]);
}

2.php
<?php 
if (is_array($arguments[0])) {
    foreach ($arguments[0] as $item) {
        foo([$item]);
    }
}
return $arguments[0];
 [2021-05-11 08:21 UTC] nikic@php.net
-Assigned To: +Assigned To: dmitry
 [2021-05-20 13:51 UTC] git@php.net 
Automatic comment on behalf of dstogov
Revision: https://github.com/php/php-src/commit/6e2d47e071f5343b3de169a2dc6ce648d145d1a2
Log: Fixed bug #80968 (JIT segfault with return from required file)
 [2021-05-20 13:51 UTC] git@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Feb 01 22:01:29 2025 UTC