Bug #79582 Crash seen when opcache.jit=1235 and opcache.jit_debug=2
Submitted: 2020-05-10 19:31 UTC Modified: 2020-05-12 08:05 UTC
From: tandre@php.net Assigned:
Status: Closed Package: opcache
PHP Version: master-Git-2020-05-10 (Git) OS:
Private report: No CVE-ID: None
 [2020-05-10 19:31 UTC] tandre@php.net
Description:
------------
Seen when running the jit on php-src b452d5923de3bfef3268bcea289d59d6bc789437 from 2020-05-10 and Phan https://github.com/phan/phan/commit/a2eb629c09952383ae78315d240ce3770670c1a5

(occurs with NTS debug and non-debug)

The original example was `php -d opcache.jit=1235 -d opcache.jit_buffer_size=20M -d opcache.jit_debug=2 ./phan`, but it was simplified to the linked gist.

Test script:
---------------
https://gist.github.com/TysonAndre/4eee037dd9a8e7aa9144eb6b4886e71a

(Removing unused functions seemed to prevent the crash, somehow)

Expected result:
----------------
opcache.jit_debug=2 should not crash when opcache.jit=1235 (instead of the default of 1205)

If it is impossible to fix (e.g. because the necessary info is no longer available), then refuse to print debug output.

Actual result:
--------------
opcache crashed when jit_debug output was being printed to stderr with phan and the attached test script.

For some reason, it's trying to resolve a class name for a variable with broad (corrupt?) type info. opcache.protect_memory doesn't change the result.

```
» USE_ZEND_ALLOC=0 gdb -args `which php` -d opcache.jit=1235 -d opcache.jit_buffer_size=20M -d opcache.jit_debug=2 example.php
....
FullyQualifiedGlobalStructuralElement::make:
... output for make()
BB5:
     ; target lines=[12-15]
     ; from=(BB2, BB3)
     ; to=(BB6)
     ; idom=BB2
     ; level=3
     ; children=(BB6)
     #17.CV0($namespace) [rc1, rcn, string] = Phi(#4.CV0($namespace) [rc1, rcn, string], #11.CV0($namespace) [rc1, rcn, string])
0012 FE_FREE #10.V4 [rc1, rcn, array [long] of [string]]
0013 INIT_STATIC_METHOD_CALL 1 (self) (exception) string("cleanNamespace")
0014 SEND_VAR #17.CV0($namespace) [rc1, rcn, string] -> #18.CV0($namespace) NOVAL [rc1, rcn, string] 1
0015 #19.V4 [rc1, rcn, class
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2b81cc0 in _IO_vfprintf_internal (s=0x7fffffff72f0, format=<optimized out>, ap=0x7fffffff99a8) at vfprintf.c:1632
1632    vfprintf.c: No such file or directory.
(gdb) bt
#0  0x00007ffff2b81cc0 in _IO_vfprintf_internal (s=0x7fffffff72f0, format=<optimized out>, ap=0x7fffffff99a8) at vfprintf.c:1632
#1  0x00007ffff2b82ef1 in buffered_vfprintf (s=0x7ffff2ef8540 <_IO_2_1_stderr_>, format=<optimized out>, args=<optimized out>) at vfprintf.c:2320
#2  0x00007ffff2b8032d in _IO_vfprintf_internal (s=0x7ffff2ef8540 <_IO_2_1_stderr_>, format=0x7fffeb744c55 " (instanceof %s)", ap=ap@entry=0x7fffffff99a8) at vfprintf.c:1293
#3  0x00007ffff2b887f7 in __fprintf (stream=<optimized out>, format=<optimized out>) at fprintf.c:32
#4  0x00007fffeb68db3f in zend_dump_type_info (info=3952614054, ce=0xb75153 <execute_ex+1532>, is_instanceof=1, dump_flags=11)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:198
#5  0x00007fffeb68e6f6 in zend_dump_ssa_var_info (ssa=0x7fffffff9cf0, ssa_var_num=19, dump_flags=11) at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:327
#6  0x00007fffeb68e869 in zend_dump_ssa_var (op_array=0x408be8a8, ssa=0x7fffffff9cf0, ssa_var_num=19, var_type=4 '\004', var_num=4, dump_flags=11)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:352
#7  0x00007fffeb68ed33 in zend_dump_op (op_array=0x408be8a8, b=0x1b0b7c8, opline=0x408bebb8, dump_flags=11, ssa=0x7fffffff9cf0, ssa_op=0x1b0bc3c)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:418
#8  0x00007fffeb6902d7 in zend_dump_op_line (op_array=0x408be8a8, b=0x1b0b7c8, opline=0x408bebb8, dump_flags=11, data=0x7fffffff9cf0)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:729
#9  0x00007fffeb691438 in zend_dump_op_array (op_array=0x408be8a8, dump_flags=11, msg=0x7fffeb74f3b8 "JIT", data=0x7fffffff9cf0)
    at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:1014
#10 0x00007fffeb711375 in zend_real_jit_func (op_array=0x408be8a8, script=0x0, rt_opline=0x408bead8) at /path/to/php-src/ext/opcache/jit/zend_jit.c:3091
#11 0x00007fffeb7118e4 in zend_jit_hot_func (execute_data=0x1b1adb0, opline=0x408bead8) at /path/to/php-src/ext/opcache/jit/zend_jit.c:3195
#12 0x00000000480004ea in ?? ()
#13 0x00007fffffff9dd0 in ?? ()
#14 0x0000000001b1ad30 in ?? ()
#15 0x800000000002b60f in ?? ()
#16 0x00007ffff2ef7b20 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#17 0x0000010600000018 in ?? ()
#18 0x000000000044f760 in ?? ()
#19 0x00007fffffffd860 in ?? ()
#20 0x0000000001b1aec0 in ?? ()
#21 0x0000000000000000 in ?? ()

(go up in the trace)
(gdb) 
#4  0x00007fffeb68db3f in zend_dump_type_info (info=3952614054, ce=0xb75153 <execute_ex+1532>, is_instanceof=1, dump_flags=11) at /path/to/php-src/ext/opcache/Optimizer/zend_dump.c:198
198                                     fprintf(stderr, " (instanceof %s)", ce->name->val);
(gdb) print ce->name
$1 = (zend_string *) 0xfffffa9be9008b48
(gdb) print ce->name->val
Cannot access memory at address 0xfffffa9be9008b60
```

History
 [2020-05-11 05:35 UTC] laruence@php.net
I cannot reproduce this by using the example you provided in the gist.
 [2020-05-11 14:07 UTC] tandre@php.net
It also happens inconsistently. Have you tried multiple times? Was other jit debug output printed?

USE_ZEND_ALLOC=0 valgrind php -d opcache.protect_memory=1 -d opcache.file_cache= -d opcache.enable_cli=1 -d opcache.jit=1235 -d opcache.jit_buffer_size=20M -d opcache.jit_debug=2 example.php

I'm on Linux Mint 18.3 (based on Ubuntu 16.04, gcc 5.4.0)
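Because the crash only shows up on some runs, a reproduction attempt needs to run the same command many times and keep the evidence from the run that actually died. The harness below is an added example written for this report, not code from php-src or from either commenter. It assumes a POSIX shell (dash or bash), that the shell reports a signal death as exit status 128+signum (139 for SIGSEGV), and that the partial jit_debug dump worth keeping is on stderr, as it is in the gdb session above; `repeat_and_classify` and `CRASH_LOG` are names chosen here.

```shell
#!/bin/sh
# repeat_and_classify N cmd [args...]
#
# Runs cmd N times, counts clean exits, non-zero exits and signal deaths, and
# keeps the stderr of the first signalled run in the file named by $CRASH_LOG
# (default ./first_crash.stderr). Prints "clean=A failed=B signalled=C" and
# returns 0 only if no run was killed by a signal.
repeat_and_classify() {
    n="$1"; shift
    log="${CRASH_LOG:-./first_crash.stderr}"
    clean=0; failed=0; signalled=0; i=0
    tmp="$(mktemp)" || return 2
    rm -f "$log"                      # start from a clean crash log
    while [ "$i" -lt "$n" ]; do
        rc=0
        # '|| rc=$?' records the status without letting 'set -e' abort the loop
        "$@" >/dev/null 2>"$tmp" || rc=$?
        if [ "$rc" -gt 128 ]; then
            # 128+signum: the process was killed by a signal (139 = SIGSEGV)
            signalled=$((signalled + 1))
            # preserve only the first crash's stderr (the partial debug dump)
            [ -e "$log" ] || cp "$tmp" "$log"
        elif [ "$rc" -ne 0 ]; then
            failed=$((failed + 1))
        else
            clean=$((clean + 1))
        fi
        i=$((i + 1))
    done
    rm -f "$tmp"
    echo "clean=$clean failed=$failed signalled=$signalled"
    [ "$signalled" -eq 0 ]
}

# Example invocation for this report (needs a php build with the JIT; the
# script path is the reporter's example.php from the gist):
#   USE_ZEND_ALLOC=0 repeat_and_classify 20 php -d opcache.enable_cli=1 \
#       -d opcache.jit=1235 -d opcache.jit_buffer_size=20M \
#       -d opcache.jit_debug=2 example.php
```

If any run is signalled, the function's exit status is non-zero, so it can gate a CI job, and `first_crash.stderr` holds the type-info dump up to the line on which the dumper segfaulted, which is exactly the context that was missing when the gist could not be reproduced on the first try.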
 [2020-05-12 07:59 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2020-05-12 08:05 UTC] nikic@php.net
Looks like the DO_FCALL result type is corrupted and changes between runs. Maybe trying to use inter-procedural type info that is no longer available?
 [2020-05-13 10:01 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=91b5571fcc5dd9c19d29f841a4f1281532d8ecba
Log: Fixed #79582 (Crash seen when opcache.jit=1235 and opcache.jit_debug=2)
 [2020-05-13 10:01 UTC] laruence@php.net
-Status: Verified +Status: Closed