Bug #79582 Crash seen when opcache.jit=1235 and opcache.jit_debug=2
Submitted: 2020-05-10 19:31 UTC Modified: 2020-05-12 08:05 UTC
Status: Closed Package: opcache
PHP Version: master-Git-2020-05-10 (Git)
Private report: No CVE-ID: None
 [2020-05-10 19:31 UTC]
Seen when running the jit on php-src b452d5923de3bfef3268bcea289d59d6bc789437 from 2020-05-10 and Phan

(occurs with NTS debug and non-debug)

The original example was `php -d opcache.jit=1235 -d opcache.jit_buffer_size=20M -d opcache.jit_debug=2 ./phan`, but it was simplified to the linked gist.

Test script:

(Removing unused functions seemed to prevent the crash, somehow)

Expected result:
opcache.jit_debug=2 should not crash when opcache.jit=1235 (instead of the default of 1205)

If it is impossible to fix (e.g. because the necessary info is no longer available), then refuse to print debug output 

Actual result:
opcache crashed when jit_debug output was being printed to stderr with phan and the attached test script.

For some reason, it's trying to resolve a class name for a variable with broad (corrupt?) type info. opcache.protect_memory doesn't change the result.

» USE_ZEND_ALLOC=0 gdb -args `which php` -d opcache.jit=1235 -d opcache.jit_buffer_size=20M -d opcache.jit_debug=2 example.php
... output for make()
     ; target lines=[12-15]
     ; from=(BB2, BB3)
     ; to=(BB6)
     ; idom=BB2
     ; level=3
     ; children=(BB6)
     #17.CV0($namespace) [rc1, rcn, string] = Phi(#4.CV0($namespace) [rc1, rcn, string], #11.CV0($namespace) [rc1, rcn, string])
0012 FE_FREE #10.V4 [rc1, rcn, array [long] of [string]]
0013 INIT_STATIC_METHOD_CALL 1 (self) (exception) string("cleanNamespace")
0014 SEND_VAR #17.CV0($namespace) [rc1, rcn, string] -> #18.CV0($namespace) NOVAL [rc1, rcn, string] 1
0015 #19.V4 [rc1, rcn, class
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2b81cc0 in _IO_vfprintf_internal (s=0x7fffffff72f0, format=<optimized out>, ap=0x7fffffff99a8) at vfprintf.c:1632
1632    vfprintf.c: No such file or directory.
(gdb) bt
#0  0x00007ffff2b81cc0 in _IO_vfprintf_internal (s=0x7fffffff72f0, format=<optimized out>, ap=0x7fffffff99a8) at vfprintf.c:1632
#1  0x00007ffff2b82ef1 in buffered_vfprintf (s=0x7ffff2ef8540 <_IO_2_1_stderr_>, format=<optimized out>, args=<optimized out>) at vfprintf.c:2320
#2  0x00007ffff2b8032d in _IO_vfprintf_internal (s=0x7ffff2ef8540 <_IO_2_1_stderr_>, format=0x7fffeb744c55 " (instanceof %s)", ap=ap@entry=0x7fffffff99a8) at vfprintf.c:1293
#3  0x00007ffff2b887f7 in __fprintf (stream=<optimized out>, format=<optimized out>) at fprintf.c:32
#4  0x00007fffeb68db3f in zend_dump_type_info (info=3952614054, ce=0xb75153 <execute_ex+1532>, is_instanceof=1, dump_flags=11)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:198
#5  0x00007fffeb68e6f6 in zend_dump_ssa_var_info (ssa=0x7fffffff9cf0, ssa_var_num=19, dump_flags=11) at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:327
#6  0x00007fffeb68e869 in zend_dump_ssa_var (op_array=0x408be8a8, ssa=0x7fffffff9cf0, ssa_var_num=19, var_type=4 '\004', var_num=4, dump_flags=11)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:352
#7  0x00007fffeb68ed33 in zend_dump_op (op_array=0x408be8a8, b=0x1b0b7c8, opline=0x408bebb8, dump_flags=11, ssa=0x7fffffff9cf0, ssa_op=0x1b0bc3c)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:418
#8  0x00007fffeb6902d7 in zend_dump_op_line (op_array=0x408be8a8, b=0x1b0b7c8, opline=0x408bebb8, dump_flags=11, data=0x7fffffff9cf0)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:729
#9  0x00007fffeb691438 in zend_dump_op_array (op_array=0x408be8a8, dump_flags=11, msg=0x7fffeb74f3b8 "JIT", data=0x7fffffff9cf0)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:1014
#10 0x00007fffeb711375 in zend_real_jit_func (op_array=0x408be8a8, script=0x0, rt_opline=0x408bead8) at /path/to/php-src/ext/opcache/jit/zend_jit.c:3091
#11 0x00007fffeb7118e4 in zend_jit_hot_func (execute_data=0x1b1adb0, opline=0x408bead8) at /path/to/php-src/ext/opcache/jit/zend_jit.c:3195
#12 0x00000000480004ea in ?? ()
#13 0x00007fffffff9dd0 in ?? ()
#14 0x0000000001b1ad30 in ?? ()
#15 0x800000000002b60f in ?? ()
#16 0x00007ffff2ef7b20 in ?? () from /lib/x86_64-linux-gnu/
#17 0x0000010600000018 in ?? ()
#18 0x000000000044f760 in ?? ()
#19 0x00007fffffffd860 in ?? ()
#20 0x0000000001b1aec0 in ?? ()
#21 0x0000000000000000 in ?? ()

(go up in the trace)
#4  0x00007fffeb68db3f in zend_dump_type_info (info=3952614054, ce=0xb75153 <execute_ex+1532>, is_instanceof=1, dump_flags=11) at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:198
198                                     fprintf(stderr, " (instanceof %s)", ce->name->val);
(gdb) print ce->name
$1 = (zend_string *) 0xfffffa9be9008b48
(gdb) print ce->name->val
Cannot access memory at address 0xfffffa9be9008b60
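The backtrace above shows two classic signs of a bad pointer: frame #4's `ce` argument is annotated `<execute_ex+1532>`, i.e. it lands inside a function rather than at a heap object, and `ce->name` is `0xfffffa9be9008b48`, an address in the kernel half of the x86-64 address space that no user process can map. The following is an added Python triage helper, not part of this report or of php-src, that parses gdb `bt` output and flags such pointers automatically; the embedded sample frames are copied from the trace above, and the thresholds and heuristics (user/kernel split, "inside symbol" meaning a struct pointer that should not point into code) are assumptions of the example.

```python
"""Triage helper for gdb backtraces: parse frames and flag pointer values that
cannot be valid user-space objects.  Added example (not the bug report's own
code); the sample below is a subset of the backtrace from the report."""
import re

# Constructed input: frames copied from this report.  gdb wraps the
# "at file:line" part of long frames onto an indented continuation line.
SAMPLE_BT = """\
#3  0x00007ffff2b887f7 in __fprintf (stream=<optimized out>, format=<optimized out>) at fprintf.c:32
#4  0x00007fffeb68db3f in zend_dump_type_info (info=3952614054, ce=0xb75153 <execute_ex+1532>, is_instanceof=1, dump_flags=11)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:198
#5  0x00007fffeb68e6f6 in zend_dump_ssa_var_info (ssa=0x7fffffff9cf0, ssa_var_num=19, dump_flags=11) at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:327
#12 0x00000000480004ea in ?? ()
#15 0x800000000002b60f in ?? ()
"""

# x86-64 address-space layout (assumed 48-bit canonical addressing).
USER_SPACE_LIMIT = 0x0000_8000_0000_0000   # user-mode canonical addresses end here
CANONICAL_HIGH = 0xFFFF_8000_0000_0000     # kernel half starts here
PAGE_SIZE = 4096                           # anything below this is a null-ish deref

FRAME_RE = re.compile(
    r'^#(?P<num>\d+)\s+(?:0x(?P<pc>[0-9a-fA-F]+) in )?(?P<func>\S+)\s*\((?P<args>.*)\)'
    r'(?:\s+(?:at|from)\s+(?P<loc>\S*))?$'
)
HEX_RE = re.compile(r'0x([0-9a-fA-F]+)')
SYM_RE = re.compile(r'<([^>+]+)\+(\d+)>')   # gdb's "<symbol+offset>" annotation


def classify_pointer(addr):
    """Coarse validity class of a pointer value as seen from a user process."""
    if addr == 0:
        return 'null'
    if addr < PAGE_SIZE:
        return 'near-null'
    if addr < USER_SPACE_LIMIT:
        return 'user'
    if addr >= CANONICAL_HIGH:
        return 'kernel-half'
    return 'non-canonical'


def join_continuations(text):
    """Merge gdb's indented continuation lines into the frame they belong to."""
    frames = []
    for line in text.splitlines():
        if line[:1].isspace() and frames:
            frames[-1] += ' ' + line.strip()
        elif line.strip():
            frames.append(line.rstrip())
    return frames


def split_args(s):
    """Split a gdb argument list on commas that are not inside string literals."""
    out, cur, quote = [], [], None
    for ch in s:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch
            cur.append(ch)
        elif ch == ',':
            out.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append(''.join(cur).strip())
    return [a for a in out if a]


def parse_frame(line):
    m = FRAME_RE.match(line)
    if not m:
        return None
    args = []
    for raw in split_args(m.group('args')):
        name, _, value = raw.partition('=')
        args.append((name.strip(), value.strip()))
    return {
        'num': m.group('num'),
        'pc': int(m.group('pc'), 16) if m.group('pc') else None,
        'func': m.group('func'),
        'args': args,
        'loc': m.group('loc'),
    }


def parse_backtrace(text):
    return [fr for fr in map(parse_frame, join_continuations(text)) if fr]


def triage(text):
    """Return (frame, arg_name, hex_value, reason) tuples for suspicious values."""
    findings = []
    for fr in parse_backtrace(text):
        pc_hex = f"0x{fr['pc']:x}" if fr['pc'] is not None else None
        if fr['func'] == '??':
            findings.append((fr['num'], None, pc_hex, 'pc has no symbol (not in any loaded module)'))
        if fr['pc'] is not None and classify_pointer(fr['pc']) != 'user':
            findings.append((fr['num'], None, pc_hex, f"pc is {classify_pointer(fr['pc'])}"))
        for name, value in fr['args']:
            h = HEX_RE.search(value)
            if not h:
                continue
            kind = classify_pointer(int(h.group(1), 16))
            if kind != 'user':
                findings.append((fr['num'], name, h.group(0), f'pointer is {kind}'))
            s = SYM_RE.search(value)
            if s:  # heuristic: an object pointer annotated as inside another symbol
                findings.append((fr['num'], name, h.group(0),
                                 f'points {s.group(2)} bytes inside symbol {s.group(1)}'))
    return findings


if __name__ == '__main__':
    for frame, arg, val, reason in triage(SAMPLE_BT):
        print(f"frame #{frame} {arg or 'pc'}={val}: {reason}")
```

Run against the full trace the helper reports frame #4's `ce`, the symbol-less frames #12 onward (the JIT buffer and whatever the stack walker read past it), and the non-canonical frame #15; that is enough to tell a reviewer at a glance that the dump routine was handed garbage type info rather than that `fprintf` itself is at fault.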
 [2020-05-11 05:35 UTC]
I cannot reproduce this using the example you provided in the gist.
 [2020-05-11 14:07 UTC]
It also happens inconsistently. Have you tried multiple times? Was other JIT debug output printed?

USE_ZEND_ALLOC=0 valgrind php -d opcache.protect_memory=1 -d opcache.file_cache= -d opcache.enable_cli=1 -d opcache.jit=1235 -d opcache.jit_buffer_size=20M -d opcache.jit_debug=2 example.php

I'm on Linux Mint 18.3 (based on Ubuntu 16.04, gcc 5.4.0).
 [2020-05-12 07:59 UTC]
-Status: Open +Status: Verified
 [2020-05-12 08:05 UTC]
Looks like the DO_FCALL result type is corrupted and changes between runs. Maybe trying to use inter-procedural type info that is no longer available?
 [2020-05-13 10:01 UTC]
Automatic comment on behalf of
Log: Fixed #79582 (Crash seen when opcache.jit=1235 and opcache.jit_debug=2)
 [2020-05-13 10:01 UTC]
-Status: Verified +Status: Closed