Segfault when using opcache and JIT

[danog]

Description

Runnning https://github.com/vimeo/psalm with this php.ini causes a segfault (ref vimeo/psalm#9340):

zend_extension=opcache.so
opcache.optimization_level="0"
opcache.enable_cli=1
opcache.jit_buffer_size=512M
opcache.jit=1205

Command:

git clone https://github.com/vimeo/psalm
cd psalm
git checkout 5.7.0
composer i
php -n -c php.ini ./psalm --no-cache

gdb backtrace:

(gdb) backtrace
#0  0x00005555558c4a74 in zend_parse_arg (arg_num=4106310752, arg=0x7fffffffa0e0, va=0x55555642a70c, spec=0x7fffffffa278, flags=-23928) at /usr/src/debug/php/php-8.2.3/Zend/zend_API.c:989
#1  0x0000000000000000 in ?? ()

gdb zbacktrace:

(gdb) zbacktrace
[0x7ffff4c15400] DOMDocument->getElementsByTagNameNS("https://getpsalm.org/schema/config", unknown type 103) [internal function]
[0x7ffff4c151a0] Psalm\Config->processConfigDeprecations(object[0x7ffff4c151f0], object[0x7ffff4c15200], "<?xml version="1.0"?>\12<psalm\12    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instanc
e"\12    xmlns="https://getpsalm.org/schema/config"\12    name="Psalm for Psalm"\12    errorLevel="1"\12    throwExceptionOnError="0"\12    findUnusedCode="true"\12    ensureArrayStrin...", "/ho
me/daniil/repos/psalm/psalm.xml.dist") /home/daniil/repos/psalm/src/Psalm/Config.php:1003
[0x7ffff4c135d0] Psalm\Config->fromXmlAndPaths("/home/daniil/repos/psalm/", "<?xml version="1.0"?>\12<psalm\12    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\12    xmlns="https://getps
alm.org/schema/config"\12    name="Psalm for Psalm"\12    errorLevel="1"\12    throwExceptionOnError="0"\12    findUnusedCode="true"\12    ensureArrayStrin...", "/home/daniil/repos/psalm/", "/ho
me/daniil/repos/psalm/psalm.xml.dist") /home/daniil/repos/psalm/src/Psalm/Config.php:1033
[0x7ffff4c13500] Psalm\Config->loadFromXML("/home/daniil/repos/psalm/", "<?xml version="1.0"?>\12<psalm\12    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\12    xmlns="https://getpsalm.
org/schema/config"\12    name="Psalm for Psalm"\12    errorLevel="1"\12    throwExceptionOnError="0"\12    findUnusedCode="true"\12    ensureArrayStrin...", "/home/daniil/repos/psalm/", "/home/d
aniil/repos/psalm/psalm.xml.dist") /home/daniil/repos/psalm/src/Psalm/Config.php:823
[0x7ffff4c132b0] Psalm\Config->loadFromXMLFile("/home/daniil/repos/psalm/psalm.xml.dist", "/home/daniil/repos/psalm/") /home/daniil/repos/psalm/src/Psalm/Config.php:785
[0x7ffff4c131c0] Psalm\Config->getConfigForPath("/home/daniil/repos/psalm/", "/home/daniil/repos/psalm/") /home/daniil/repos/psalm/src/Psalm/Config.php:734
[0x7ffff4c12fa0] Psalm\Internal\CliUtils->initializeConfig(NULL, "/home/daniil/repos/psalm/", "console", object[0x7ffff4c13020], false)
/home/daniil/repos/psalm/src/Psalm/Internal/CliUtils.php:348
[0x7ffff4c12df0] Psalm\Internal\Cli\Psalm->loadConfig(NULL, "/home/daniil/repos/psalm/", "console", object[0x7ffff4c12e70], false, array(1)[0x7ffff4c12e90])
/home/daniil/repos/psalm/src/Psalm/Internal/Cli/Psalm.php:559
[0x7ffff4c12c30] Psalm\Internal\Cli\Psalm->initConfig("/home/daniil/repos/psalm/", array(1)[0x7ffff4c12c90], "vendor", object[0x7ffff4c12cb0], NULL, "console", false, array(1)[0x7ffff4c12cf0])
/home/daniil/repos/psalm/src/Psalm/Internal/Cli/Psalm.php:1020
[0x7ffff4c120a0] Psalm\Internal\Cli\Psalm->run(array(2)[0x7ffff4c120f0]) /home/daniil/repos/psalm/src/Psalm/Internal/Cli/Psalm.php:238
[0x7ffff4c12020] (main) /home/daniil/repos/psalm/psalm:9

PHP Version

PHP 8.2.3

Operating System

Arch linux

[weirdan]

Note that getElementsByTagNameNS() call happens in a loop over an array, however that array is empty (we don't have any deprecated elements at the moment), and execution should have never entered the loop body.

[nielsdos]

arg_num is also a ridiculously high number, so looks like something got corrupted somewhere

[weirdan]

Minimal reproducer:

<?php

function f(): void {
        $a = [];
        foreach ($a as $b) {}
}

f();
echo "finished" . PHP_EOL;

Expected:

finished

Actual:

Segmentation fault (core dumped)

[dstogov]

@weirdan your test doesn't show any problems for me nor with php-8.2.3 neither with PHP-8.2.
Can you run the script under gdb and show backtrace. (PHP debug build is preferred).

$ gdb --args php -d opcache.jit=1205 -d opcache.jit_debug=0x400 test.php
(gdb) r
after crash
(gdb) bt

This may be already fixed by commit 7d68f91, but it's included into php-8.2.3. Please check if you really use php 8.2.3 and the installed opcache is from the same PHP version.

[dstogov]

Yeah. This is definitely fixed by 7d68f91. Reverting it starts crashing on both minimal test and psalm. There are no crashes with patch applied.

[weirdan]

@dstogov this is still reproducible on 8.2.3:

root@bd7ce12598d5:/app# php -n -v
PHP 8.2.3 (cli) (built: Feb 14 2023 20:28:49) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.3, Copyright (c) Zend Technologies
root@bd7ce12598d5:/app# cat /tmp/bug.php
<?php

function f(): void {
        foreach ([] as $b) {}
}

f();
echo "finished" . PHP_EOL;
root@bd7ce12598d5:/app# /usr/local/bin/php -dopcache.enable_cli=1 -dopcache.jit_buffer_size=512M -dopcache.jit=1205 -dzend_extension=opcache.so -dopcache.optimization_level=0 -n  /tmp/bug.php
Segmentation fault (core dumped)
root@bd7ce12598d5:/app# gdb /usr/local/bin/php -c core
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/bin/php...
(No debugging symbols found in /usr/local/bin/php)

warning: Can't open file /dev/zero (deleted) during file-backed mapping note processing
[New LWP 1193]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/local/bin/php -dopcache.enable_cli=1 -dopcache.jit_buffer_size=512M -dopca'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055ea5fa00b3d in ?? ()
(gdb) bt
#0  0x000055ea5fa00b3d in ?? ()
#1  0x0000000000000004 in ?? ()
#2  0x0000000000000000 in ?? ()
quit)

I'll try to get debug symbols installed, but meanwhile, the culprit seems to be -dopcache.optimization_level=0

[weirdan]

And the OPcache version (reported by php -v) matches the php version:

    with Zend OPcache v8.2.3, Copyright (c), by Zend Technologies

[danog]

@weirdan It seems that the commit with the fix was only merged into master, and wasn't tagged yet

[weirdan]

Backtrace with debug symbols added (from another machine):

(gdb) bt
#0  0x000055e952e00b8d in ?? ()
#1  0x00007fe1a83bd4bf in __cpu_indicator_init ()
   from /home/weirdan/.phpenv/versions/8.2.3/lib/php/extensions/debug-non-zts-20220829/opcache.so
#2  0x00007fe1ac8d8020 in _dl_catch_error@got.plt () from /lib64/ld-linux-x86-64.so.2
#3  0x000055e9488e8e58 in __frame_dummy_init_array_entry ()
#4  0x00007ffef30b34e0 in ?? ()
#5  0x00007fe1a828c79c in zend_accel_error (type=0,
    format=0x7fe1a8400000 <zend_assign_to_string_offset+22> "@")
    at /tmp/php-build/source/8.2.3/ext/opcache/zend_accelerator_debug.c:103
#6  0x000055e947b6d1d8 in zend_execute (op_array=0x7fe1a8482000 <zend_jit_fetch_dim_read+5532>,
    return_value=0x0) at /tmp/php-build/source/8.2.3/Zend/zend_vm_execute.h:60384
#7  0x000055e947ab4e67 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /tmp/php-build/source/8.2.3/Zend/zend.c:1780
#8  0x000055e947a183fb in php_execute_script (primary_file=0x7ffef30b5bb0)
    at /tmp/php-build/source/8.2.3/main/main.c:2541
#9  0x000055e947c24dd9 in do_cli (argc=8, argv=0x55e94aa56040)
    at /tmp/php-build/source/8.2.3/sapi/cli/php_cli.c:964
#10 0x000055e947c25974 in main (argc=8, argv=0x55e94aa56040)
    at /tmp/php-build/source/8.2.3/sapi/cli/php_cli.c:1333

[weirdan]

and with jit_debug=0x400:

$ cat bug.php
<?php

function f(): void {
        foreach ([] as $b) {}
}

f();
echo "finished" . PHP_EOL;
$ php -n -dopcache.enable_cli=1 -dopcache.jit_buffer_size=512M -dopcache.jit=1205 -dzend_extension=opcache.so -dopcache.optimization_level=0 -dopcache.jit_debug=0x400 bug.php
zsh: segmentation fault (core dumped)  php -n -dopcache.enable_cli=1 -dopcache.jit_buffer_size=512M     bug.php
$ gdb ~/.phpenv/versions/8.2.3/bin/php -c core
GNU gdb (Debian 13.0.91.20230210-0.1) 13.0.91.20230210-git
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/weirdan/.phpenv/versions/8.2.3/bin/php...

warning: Can't open file /dev/zero (deleted) during file-backed mapping note processing
[New LWP 3664575]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php -n -dopcache.enable_cli=1 -dopcache.jit_buffer_size=512M -dopcache.jit=1205'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000564663c00b8d in ?? ()
(gdb) pipe info sharedlibrary | grep opcache
0x00007f3817053410  0x00007f3817193483  Yes         /home/weirdan/.phpenv/versions/8.2.3/lib/php/extensions/debug-non-zts-20220829/opcache.so
(gdb) add-symbol-file /home/weirdan/.phpenv/versions/8.2.3/lib/php/extensions/debug-non-zts-20220829/opcache.so 0x00007f3817193483
add symbol table from file "/home/weirdan/.phpenv/versions/8.2.3/lib/php/extensions/debug-non-zts-20220829/opcache.so" at
        .text_addr = 0x7f3817193483
(y or n) y
Reading symbols from /home/weirdan/.phpenv/versions/8.2.3/lib/php/extensions/debug-non-zts-20220829/opcache.so...
(gdb) bt
#0  0x0000564663c00b8d in ?? ()
#1  0x00007f38171944bf in __cpu_indicator_init ()
   from /home/weirdan/.phpenv/versions/8.2.3/lib/php/extensions/debug-non-zts-20220829/opcache.so
#2  0x00007f381b557020 in _dl_catch_error@got.plt () from /lib64/ld-linux-x86-64.so.2
#3  0x00005646596e8e58 in __frame_dummy_init_array_entry ()
#4  0x00007ffd322a66f0 in ?? ()
#5  0x00007f381706379c in zend_accel_error (type=0, format=0x7f3817200000 <zend_jit_math_helper+7527> "@")
    at /tmp/php-build/source/8.2.3/ext/opcache/zend_accelerator_debug.c:103
#6  0x000056465896d1d8 in zend_execute (op_array=0x7f3817282000 <zend_jit_switch+8939>, return_value=0x0)
    at /tmp/php-build/source/8.2.3/Zend/zend_vm_execute.h:60384
#7  0x00005646588b4e67 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /tmp/php-build/source/8.2.3/Zend/zend.c:1780
#8  0x00005646588183fb in php_execute_script (primary_file=0x7ffd322a8dc0)
    at /tmp/php-build/source/8.2.3/main/main.c:2541
#9  0x0000564658a24dd9 in do_cli (argc=9, argv=0x56465b763040)
    at /tmp/php-build/source/8.2.3/sapi/cli/php_cli.c:964
#10 0x0000564658a25974 in main (argc=9, argv=0x56465b763040)
    at /tmp/php-build/source/8.2.3/sapi/cli/php_cli.c:1333
(gdb)

[weirdan]

Having built master and PHP-8.2 branches from git I can confirm that neither exhibit this bug. PHP 8.2.3 is still affected though.

[dstogov]

Right, the fix was not included into PHP-8.2.3. The last commit is from February 13, see https://github.com/php/php-src/commits/php-8.2.3 The fix was committed into PHP-8.2 on February 20. It's going to be included into 8.2.4.

As a temporary workaround you may use default value of opcache.optimization_level.

[weirdan]

As a temporary workaround you may use default value of opcache.optimization_level.

That's what we did.

[dstogov]

In any case, thanks for your good report(s).

[vasilvestre]

Is this possible that this issue also exists on 8.1 and hasn't been backported ?

[nielsdos]

Is this possible that this issue also exists on 8.1 and hasn't been backported ?

The fix did make it into PHP 8.1.17.
Can you post more details (in a new issue) about your bug?
Also, please note that PHP 8.1 is not under bugfix support anymore, so it's worth checking if it reproduces under PHP 8.2 before making a report.
Thanks.