Segmentation faults in 8.1.5 with opcache enabled

[ffang-imvu]

Description

After upgrade from PHP 7.4 to 8.1.5, we see many segmentation faults. The segmentation faults disappear if we disable Opcache. Segfaults happen when loading different php files and intermittently. This is a sample stack trace:

#0  zend_hash_find_bucket (known_hash=true, key=0x413ea6e8, ht=ht@entry=0x55f036f74200) at ./Zend/zend_hash.c:661
#1  zend_hash_find_known_hash (ht=ht@entry=0x55f036f74200, key=0x413ea6e8) at ./Zend/zend_hash.c:2281
#2  0x00007f129660d605 in zend_accel_function_hash_copy (source=0x4256a778, source=0x4256a778, target=0x55f036f74200) at ./ext/opcache/zend_accelerator_util_funcs.c:141
#3  zend_accel_load_script (persistent_script=persistent_script@entry=0x4256a680, from_shared_memory=from_shared_memory@entry=1) at ./ext/opcache/zend_accelerator_util_funcs.c:226
#4  0x00007f12965fbf94 in persistent_compile_file (file_handle=<optimized out>, type=<optimized out>) at ./ext/opcache/ZendAccelerator.c:2240
#5  0x00007f129f41f0e8 in zend_include_or_eval (inc_filename_zv=<optimized out>, type=<optimized out>) at ./Zend/zend_execute.c:4590
#6  0x00007f129f42d3fc in ZEND_INCLUDE_OR_EVAL_SPEC_OBSERVER_HANDLER () at ./Zend/zend_vm_execute.h:4919
#7  0x00007f129f4566fa in execute_ex (ex=0x55f036f74200) at ./Zend/zend_vm_execute.h:55815
#8  0x00007f129f45dffd in zend_execute (op_array=0x7f1296269000, return_value=0x0) at ./Zend/zend_vm_execute.h:59771
#9  0x00007f129f3eb454 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at ./Zend/zend.c:1792
#10 0x00007f129f3870f1 in php_execute_script (primary_file=primary_file@entry=0x7fffcc9596d0) at ./main/main.c:2538
#11 0x00007f129f4d5818 in php_handler (r=<optimized out>) at ./sapi/apache2handler/sapi_apache2.c:705
#12 0x000055f034eea530 in ap_run_handler ()
#13 0x000055f034eeaaad in ap_invoke_handler ()
#14 0x000055f034f029fb in ap_process_async_request ()
#15 0x000055f034f02bde in ap_process_request ()
#16 0x000055f034efee34 in ?? ()
#17 0x000055f034ef3f20 in ap_run_process_connection ()
#18 0x00007f12a13c59aa in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#19 0x00007f12a13c5cc4 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#20 0x00007f12a13c671e in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#21 0x000055f034ecb90e in ap_run_mpm ()
#22 0x000055f034ec37ab in main ()

(gdb) f 0
#0  zend_hash_find_bucket (known_hash=true, key=0x413ea6e8, ht=ht@entry=0x55f036f74200) at ./Zend/zend_hash.c:661
661		if (EXPECTED(p->key == key)) { /* check for the same interned string */
(gdb) p idx
$43 = 1156309792
(gdb) p ht->nTableSize
$44 = 4096

This one index is out of bounds. Other index in the table is either HT_INVALID_IDX or a valid value, except this one. Not sure if this is a useful piece of information: the count of valid indexes is smaller than ht->nNumUsed, e.g. nNumUsed = 2881 and only only 2405 valid indexes (!(idx == HT_INVALID_IDX || idx >= HT_IDX_TO_HASH(ht->nTableSize))

PHP Version

PHP 8.1.5 & 8.1.6

Operating System

Ubuntu 18.04

[Girgias]

Is this due to OpCache or the JIT engine? And would it possible to produce the stack trace while running a debug build of PHP?

[cmb69]

Also, is opcache.file_cache enabled?

[ffang-imvu]

JIT and file_cache are disabled. This is due to Opcache. It is possible to turn on debug in build. I will try it.

[arnaud-lb]

Does it crash with opcache.optimization_level=0 ?

[ffang-imvu]

Yes, it also crashes with opcache.optimization_level=0. All segfaults are gone if downgrade to PHP 8.0.20

[ffang-imvu]

I have tested PHP 8.1.14 and no longer see this problem.