Bug #79582 Crash seen when opcache.jit=1235 and opcache.jit_debug=2
Submitted: 2020-05-10 19:31 UTC Modified: 2020-05-12 08:05 UTC
From: tandre@php.net Assigned:
Status: Closed Package: opcache
PHP Version: master-Git-2020-05-10 (Git) OS:
Private report: No CVE-ID: None
 [2020-05-10 19:31 UTC] tandre@php.net
Description:
------------
Seen when running the jit on php-src b452d5923de3bfef3268bcea289d59d6bc789437 from 2020-05-10 and Phan https://github.com/phan/phan/commit/a2eb629c09952383ae78315d240ce3770670c1a5

(occurs with NTS debug and non-debug)

The original example was `php -d opcache.jit=1235 -d opcache.jit_buffer_size=20M -d opcache.jit_debug=2 ./phan`, but it was simplified to the linked gist.

Test script:
---------------
https://gist.github.com/TysonAndre/4eee037dd9a8e7aa9144eb6b4886e71a

(Removing unused functions seemed to prevent the crash, somehow)

Expected result:
----------------
opcache.jit_debug=2 should not crash when opcache.jit=1235 (instead of the default of 1205)

If it is impossible to fix (e.g. because the necessary info is no longer available), then refuse to print debug output.

Actual result:
--------------
opcache crashed when jit_debug output was being printed to stderr with phan and the attached test script.

For some reason, it's trying to resolve a class name for a variable with broad (corrupt?) type info. opcache.protect_memory doesn't change the result.

```
» USE_ZEND_ALLOC=0 gdb -args `which php` -d opcache.jit=1235 -d opcache.jit_buffer_size=20M -d opcache.jit_debug=2 example.php
....
FullyQualifiedGlobalStructuralElement::make:
... output for make()
BB5:
     ; target lines=[12-15]
     ; from=(BB2, BB3)
     ; to=(BB6)
     ; idom=BB2
     ; level=3
     ; children=(BB6)
     #17.CV0($namespace) [rc1, rcn, string] = Phi(#4.CV0($namespace) [rc1, rcn, string], #11.CV0($namespace) [rc1, rcn, string])
0012 FE_FREE #10.V4 [rc1, rcn, array [long] of [string]]
0013 INIT_STATIC_METHOD_CALL 1 (self) (exception) string("cleanNamespace")
0014 SEND_VAR #17.CV0($namespace) [rc1, rcn, string] -> #18.CV0($namespace) NOVAL [rc1, rcn, string] 1
0015 #19.V4 [rc1, rcn, class
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2b81cc0 in _IO_vfprintf_internal (s=0x7fffffff72f0, format=<optimized out>, ap=0x7fffffff99a8) at vfprintf.c:1632
1632    vfprintf.c: No such file or directory.
(gdb) bt
#0  0x00007ffff2b81cc0 in _IO_vfprintf_internal (s=0x7fffffff72f0, format=<optimized out>, ap=0x7fffffff99a8) at vfprintf.c:1632
#1  0x00007ffff2b82ef1 in buffered_vfprintf (s=0x7ffff2ef8540 <_IO_2_1_stderr_>, format=<optimized out>, args=<optimized out>) at vfprintf.c:2320
#2  0x00007ffff2b8032d in _IO_vfprintf_internal (s=0x7ffff2ef8540 <_IO_2_1_stderr_>, format=0x7fffeb744c55 " (instanceof %s)", ap=ap@entry=0x7fffffff99a8) at vfprintf.c:1293
#3  0x00007ffff2b887f7 in __fprintf (stream=<optimized out>, format=<optimized out>) at fprintf.c:32
#4  0x00007fffeb68db3f in zend_dump_type_info (info=3952614054, ce=0xb75153 <execute_ex+1532>, is_instanceof=1, dump_flags=11)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:198
#5  0x00007fffeb68e6f6 in zend_dump_ssa_var_info (ssa=0x7fffffff9cf0, ssa_var_num=19, dump_flags=11) at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:327
#6  0x00007fffeb68e869 in zend_dump_ssa_var (op_array=0x408be8a8, ssa=0x7fffffff9cf0, ssa_var_num=19, var_type=4 '\004', var_num=4, dump_flags=11)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:352
#7  0x00007fffeb68ed33 in zend_dump_op (op_array=0x408be8a8, b=0x1b0b7c8, opline=0x408bebb8, dump_flags=11, ssa=0x7fffffff9cf0, ssa_op=0x1b0bc3c)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:418
#8  0x00007fffeb6902d7 in zend_dump_op_line (op_array=0x408be8a8, b=0x1b0b7c8, opline=0x408bebb8, dump_flags=11, data=0x7fffffff9cf0)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:729
#9  0x00007fffeb691438 in zend_dump_op_array (op_array=0x408be8a8, dump_flags=11, msg=0x7fffeb74f3b8 "JIT", data=0x7fffffff9cf0)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:1014
#10 0x00007fffeb711375 in zend_real_jit_func (op_array=0x408be8a8, script=0x0, rt_opline=0x408bead8) at /path/to/php-src/ext/opcache/jit/zend_jit.c:3091
#11 0x00007fffeb7118e4 in zend_jit_hot_func (execute_data=0x1b1adb0, opline=0x408bead8) at /path/to/php-src/ext/opcache/jit/zend_jit.c:3195
#12 0x00000000480004ea in ?? ()
#13 0x00007fffffff9dd0 in ?? ()
#14 0x0000000001b1ad30 in ?? ()
#15 0x800000000002b60f in ?? ()
#16 0x00007ffff2ef7b20 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#17 0x0000010600000018 in ?? ()
#18 0x000000000044f760 in ?? ()
#19 0x00007fffffffd860 in ?? ()
#20 0x0000000001b1aec0 in ?? ()
#21 0x0000000000000000 in ?? ()

(go up in the trace)
(gdb) 
#4  0x00007fffeb68db3f in zend_dump_type_info (info=3952614054, ce=0xb75153 <execute_ex+1532>, is_instanceof=1, dump_flags=11) at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:198
198                                     fprintf(stderr, " (instanceof %s)", ce->name->val);
(gdb) print ce->name
$1 = (zend_string *) 0xfffffa9be9008b48
(gdb) print ce->name->val
Cannot access memory at address 0xfffffa9be9008b60
```

 [2020-05-11 05:35 UTC] laruence@php.net
I cannot reproduce this using the example you provided in the gist.
 [2020-05-11 14:07 UTC] tandre@php.net
It also happens inconsistently. Have you tried multiple times? Was other jit debug output printed?

```
USE_ZEND_ALLOC=0 valgrind php -d opcache.protect_memory=1 -d opcache.file_cache= -d opcache.enable_cli=1 -d opcache.jit=1235 -d opcache.jit_buffer_size=20M -d opcache.jit_debug=2 example.php
```

I'm on Linux Mint 18.3 (based on Ubuntu 16.04, gcc 5.4.0).
 [2020-05-12 07:59 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2020-05-12 08:05 UTC] nikic@php.net
Looks like the DO_FCALL result type is corrupted and changes between runs. Maybe trying to use inter-procedural type info that is no longer available?
 [2020-05-13 10:01 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=91b5571fcc5dd9c19d29f841a4f1281532d8ecba
Log: Fixed #79582 (Crash seen when opcache.jit=1235 and opcache.jit_debug=2)
 [2020-05-13 10:01 UTC] laruence@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Jan 20 14:01:23 2021 UTC