Segfault on PHP 8.1 and following #316

Closed
hschimpf opened this issue Jul 9, 2024 · 13 comments · Fixed by #327
@hschimpf

hschimpf commented Jul 9, 2024

I made a library around ext-parallel. On PHP 8.0 everything works fine, but from PHP 8.1+ I get segmentation fault errors.

Branch: https://github.com/hschimpf/parallel-sdk/tree/segfault

Run make to execute the tests on PHP 8.0

  • Expected: Normal execution
  • Actual result: process runs normally
  • Output:
     *** cropped for brevity ***
(gdb) run
Starting program: /usr/local/bin/php vendor/bin/phpunit
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Detaching after vfork from child process 23]
PHPUnit 9.6.19 by Sebastian Bergmann and contributors.

.[New Thread 0x7ff9bebff700 (LWP 25)]
[New Thread 0x7ff9bdfff700 (LWP 26)]
..[New Thread 0x7ff9bd3ff700 (LWP 27)]
[New Thread 0x7ff9affff700 (LWP 28)]
. 0 of 52: Starting...
[>-------------------------------------------------------------------------------]   0%
elapsed: < 1 sec, remaining: < 1 sec, ?? items/s
memory: ??
[New Thread 0x7ff9af7fe700 (LWP 29)]
[New Thread 0x7ff9aeffd700 (LWP 30)]
[New Thread 0x7ff9ae7fc700 (LWP 31)]
[New Thread 0x7ff9adffb700 (LWP 32)]
[New Thread 0x7ff9ad3ff700 (LWP 33)]
[New Thread 0x7ff997fff700 (LWP 34)]
[New Thread 0x7ff9977fe700 (LWP 35)]
52 of 52: AnotherWorker >> I finished waiting 86ms from task #223!
[================================================================================] 100%
elapsed: < 1 sec, remaining: < 1 sec, ~51.00 items/s
memory: 551 KiB, threads: 12x ~428 KiB, Σ 5.0 MiB ↑ 5.0 MiB
.Task result from #HDSSolutions\Console\Tests\Workers\TestWorker => 6400
Task result from #HDSSolutions\Console\Tests\Workers\TestWorker => 6464
Task result from #HDSSolutions\Console\Tests\Workers\TestWorker => 6528
     *** cropped for brevity ***
Task result from #HDSSolutions\Console\Tests\Workers\AnotherWorker => 14272
Task result from #HDSSolutions\Console\Tests\Workers\AnotherWorker => 14336
Task result from #HDSSolutions\Console\Tests\Workers\AnotherWorker => 14400
..[New Thread 0x7ff97b7fe700 (LWP 41)]
[New Thread 0x7ff97a7fc700 (LWP 43)]
[New Thread 0x7ff979ffb700 (LWP 44)]
     *** cropped for brevity ***
[New Thread 0x7ff8623ff700 (LWP 106)]
[New Thread 0x7ff8617ff700 (LWP 107)]
[New Thread 0x7ff860bff700 (LWP 108)]
..                                                           9 / 9 (100%)

Time: 00:04.484, Memory: 4.00 MB

OK (9 tests, 39 assertions)
[Thread 0x7ff9bdfff700 (LWP 26) exited]
[Thread 0x7ff9bd3ff700 (LWP 27) exited]
[Thread 0x7ff9727fc700 (LWP 50) exited]
     *** cropped for brevity ***
[Thread 0x7ff995ffb700 (LWP 38) exited]
[Thread 0x7ff9953ff700 (LWP 39) exited]
[Thread 0x7ff9bebff700 (LWP 25) exited]
--Type <RET> for more, q to quit, c to continue without paging--
[Inferior 1 (process 19) exited normally]

Run make PHP=8.1 to execute the tests on PHP 8.1, 8.2 or 8.3

  • Expected: Normal execution
  • Actual result: Signal SIGSEGV, Segmentation fault
  • Output:
     *** cropped for brevity ***
(gdb) run
Starting program: /usr/local/bin/php vendor/bin/phpunit
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Detaching after vfork from child process 23]
PHPUnit 9.6.19 by Sebastian Bergmann and contributors.

.[New Thread 0x7f14ce7ff6c0 (LWP 25)]
[New Thread 0x7f14cdbff6c0 (LWP 26)]
..[New Thread 0x7f14ccfff6c0 (LWP 27)]
[New Thread 0x7f14bffff6c0 (LWP 28)]
. 0 of 52: Starting...
[>-------------------------------------------------------------------------------]   0%
elapsed: < 1 sec, remaining: < 1 sec, ?? items/s
memory: ??
[New Thread 0x7f14bf7fe6c0 (LWP 29)]
[New Thread 0x7f14beffd6c0 (LWP 30)]
[New Thread 0x7f14be3ff6c0 (LWP 31)]
[New Thread 0x7f14bd7ff6c0 (LWP 32)]
[New Thread 0x7f14bcbff6c0 (LWP 33)]
[New Thread 0x7f14a7fff6c0 (LWP 34)]
[New Thread 0x7f14a73ff6c0 (LWP 35)]
[New Thread 0x7f14a67ff6c0 (LWP 36)]
[New Thread 0x7f14a5bff6c0 (LWP 37)]
[New Thread 0x7f14a4fff6c0 (LWP 38)]
[New Thread 0x7f148bfff6c0 (LWP 39)]

Thread 13 "php" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f14a67ff6c0 (LWP 36)]
0x0000559d5814bf05 in object_init_ex ()
(gdb) bt
#0  0x0000559d5814bf05 in object_init_ex ()
#1  0x0000559d58185f44 in ?? ()
#2  0x0000559d581b09ca in execute_ex ()
#3  0x00007f14cf6d1b32 in php_parallel_scheduler_run (frame=frame@entry=0x7f14a5c14020, runtime=0x7f14cdc79960) at /tmp/pear/temp/parallel/src/scheduler.c:316
#4  0x00007f14cf6d20df in php_parallel_thread (arg=0x7f14cdc79960) at /tmp/pear/temp/parallel/src/scheduler.c:486
#5  0x00007f14d245c134 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#6  0x00007f14d24dba40 in clone () from /lib/x86_64-linux-gnu/libc.so.6
@realFlowControl
Collaborator

realFlowControl commented Jul 10, 2024

Hey there,
thanks for making a reproducer; that helps. The good news is that in the latest develop branch that segfault is fixed, but you get a zend_mm_heap corrupted instead at the end 😉
I'll try to hunt that down and report back!

@realFlowControl
Collaborator

Hey @hschimpf,
I am still trying to fully understand the problem and I'd like to ask you for a favour. Could you:

  • install parallel from latest develop branch
  • and try running again with and without OPcache enabled?

Please note that enabling OPcache on the CLI requires you to set the opcache.enable_cli INI setting to 1, as it is disabled by default.

@realFlowControl
Collaborator

The reason is that I think it could be the same root cause as in #309.

@realFlowControl
Collaborator

@hschimpf could you give it a try with the version from #325?

@realFlowControl
Collaborator

realFlowControl commented Oct 16, 2024

It does not fix the issue you are hitting:

[Switching to Thread 0xffffe3e0ede0 (LWP 22411)]
0x0000aaaaab29c598 in zval_get_type (pz=0x0) at /usr/src/php/Zend/zend_types.h:648
648		return pz->u1.v.type;
(gdb) bt
#0  0x0000aaaaab29c598 in zval_get_type (pz=0x0) at /usr/src/php/Zend/zend_types.h:648
#1  zend_update_class_constants (class_type=0xffffec038ab8) at /usr/src/php/Zend/zend_API.c:1511
#2  0x0000aaaaab29e214 in _object_and_properties_init (properties=0x0, class_type=0xffffec038ab8, arg=0xffffea94e0f0) at /usr/src/php/Zend/zend_API.c:1764
#3  object_init_ex (arg=0xffffea94e0f0, class_type=0xffffec038ab8) at /usr/src/php/Zend/zend_API.c:1795
#4  0x0000aaaaab3a1270 in ZEND_NEW_SPEC_VAR_UNUSED_HANDLER () at /usr/src/php/Zend/zend_vm_execute.h:29687
#5  0x0000aaaaab42e600 in execute_ex (ex=0xffffea94e030) at /usr/src/php/Zend/zend_vm_execute.h:59893
#6  0x0000fffff418d61c in php_parallel_scheduler_run (runtime=0xffffe40b4a00, frame=0xffffea94e030) at /parallel/src/scheduler.c:333
#7  0x0000fffff418e52c in php_parallel_thread (arg=0xffffe40b4a00) at /parallel/src/scheduler.c:503
#8  0x0000fffff731ee30 in ?? () from /lib/aarch64-linux-gnu/libc.so.6
#9  0x0000fffff7387adc in ?? () from /lib/aarch64-linux-gnu/libc.so.6
(gdb) f 5
#5  0x0000aaaaab42e600 in execute_ex (ex=0xffffea94e030) at /usr/src/php/Zend/zend_vm_execute.h:59893
59893					ZEND_NEW_SPEC_VAR_UNUSED_HANDLER(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
(gdb) p (char*)(*ex).func.common.function_name.val
$7 = 0xffffeb6c1a50 "HDSSolutions\\Console\\Parallel\\Internals\\Runner\\{closure}"
(gdb) f 2
#2  0x0000aaaaab29e214 in _object_and_properties_init (properties=0x0, class_type=0xffffec038ab8, arg=0xffffea94e0f0) at /usr/src/php/Zend/zend_API.c:1764
(gdb) p (char*)(*class_type).name.val
$13 = 0xffffeb649e00 "HDSSolutions\\Console\\Tests\\Workers\\AnotherWorker"

Not yet sure what to make of that.

@realFlowControl
Collaborator

realFlowControl commented Oct 16, 2024

I built an ASAN version of PHP 8.3 and ran it, thanks @cmb69 for the hint.

This is with OPcache disabled; with OPcache enabled it leads to the segfault above.

$ USE_ZEND_ALLOC=0 php vendor/bin/phpunit
... 
==41547==ERROR: AddressSanitizer: heap-use-after-free on address 0xffff84ce5584 at pc 0xaaaaad494b40 bp 0xffffd1412a60 sp 0xffffd1412a78
READ of size 4 at 0xffff84ce5584 thread T0
    #0 0xaaaaad494b3c in zend_string_release_ex /usr/src/php/Zend/zend_string.h:353
    #1 0xaaaaad494b3c in destroy_op_array /usr/src/php/Zend/zend_opcode.c:548
    #2 0xaaaaad4966dc in destroy_op_array /usr/src/php/Zend/zend_opcode.c:629
    #3 0xaaaaad48ae78 in zend_function_dtor /usr/src/php/Zend/zend_opcode.c:149
    #4 0xaaaaad561ed8 in zend_hash_destroy /usr/src/php/Zend/zend_hash.c:1764
    #5 0xaaaaad491a08 in destroy_zend_class /usr/src/php/Zend/zend_opcode.c:397
    #6 0xaaaaad472a5c in shutdown_executor /usr/src/php/Zend/zend_execute_API.c:455
    #7 0xaaaaad4e5040 in zend_deactivate /usr/src/php/Zend/zend.c:1294
    #8 0xaaaaad250b78 in php_request_shutdown /usr/src/php/main/main.c:1910
    #9 0xaaaaadd25784 in do_cli /usr/src/php/sapi/cli/php_cli.c:1136
    #10 0xaaaaadd264e4 in main /usr/src/php/sapi/cli/php_cli.c:1340
    #11 0xffff8b64773c  (/lib/aarch64-linux-gnu/libc.so.6+0x2773c)
    #12 0xffff8b647814 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x27814)
    #13 0xaaaaac4cb12c in _start (/usr/local/bin/php+0x3fb12c)

0xffff84ce5584 is located 4 bytes inside of 64-byte region [0xffff84ce5580,0xffff84ce55c0)
freed by thread T1 here:
    #0 0xffff8c4aa5a0 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0xaaaaad3cb40c in _efree_custom /usr/src/php/Zend/zend_alloc.c:2500
    #2 0xaaaaad3d7374 in _efree /usr/src/php/Zend/zend_alloc.c:2620
    #3 0xaaaaad494d64 in zend_string_release_ex /usr/src/php/Zend/zend_string.h:360
    #4 0xaaaaad494d64 in destroy_op_array /usr/src/php/Zend/zend_opcode.c:548
    #5 0xaaaaada53078 in zend_closure_free_storage /usr/src/php/Zend/zend_closures.c:525
    #6 0xaaaaadae4810 in zend_objects_store_del /usr/src/php/Zend/zend_objects_API.c:200
    #7 0xaaaaad4d4308 in rc_dtor_func /usr/src/php/Zend/zend_variables.c:57
    #8 0xaaaaadac0b4c in i_zval_ptr_dtor /usr/src/php/Zend/zend_variables.h:44
    #9 0xaaaaadac0b4c in zend_object_std_dtor /usr/src/php/Zend/zend_objects.c:77
    #10 0xaaaaadae4810 in zend_objects_store_del /usr/src/php/Zend/zend_objects_API.c:200
    #11 0xaaaaad4d4308 in rc_dtor_func /usr/src/php/Zend/zend_variables.c:57
    #12 0xaaaaad562f90 in i_zval_ptr_dtor /usr/src/php/Zend/zend_variables.h:44
    #13 0xaaaaad562f90 in zend_array_destroy /usr/src/php/Zend/zend_hash.c:1832
    #14 0xaaaaad4d4308 in rc_dtor_func /usr/src/php/Zend/zend_variables.c:57
    #15 0xaaaaadac0b4c in i_zval_ptr_dtor /usr/src/php/Zend/zend_variables.h:44
    #16 0xaaaaadac0b4c in zend_object_std_dtor /usr/src/php/Zend/zend_objects.c:77
    #17 0xaaaaadae4810 in zend_objects_store_del /usr/src/php/Zend/zend_objects_API.c:200
    #18 0xaaaaad4d4308 in rc_dtor_func /usr/src/php/Zend/zend_variables.c:57
    #19 0xaaaaad9845ac in i_zval_ptr_dtor /usr/src/php/Zend/zend_variables.h:44
    #20 0xaaaaad9845ac in i_free_compiled_variables /usr/src/php/Zend/zend_execute.c:3883
    #21 0xaaaaad9845ac in execute_ex /usr/src/php/Zend/zend_vm_execute.h:57160
    #22 0xffff87f4d618 in php_parallel_scheduler_run /parallel/src/scheduler.c:333
    #23 0xffff87f4e528 in php_parallel_thread /parallel/src/scheduler.c:503
    #24 0xffff8b69ee2c  (/lib/aarch64-linux-gnu/libc.so.6+0x7ee2c)
    #25 0xffff8b707ad8  (/lib/aarch64-linux-gnu/libc.so.6+0xe7ad8)

previously allocated by thread T0 here:
    #0 0xffff8c4ab734 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0xaaaaad3de54c in __zend_malloc /usr/src/php/Zend/zend_alloc.c:3128
    #2 0xaaaaad3cb37c in _malloc_custom /usr/src/php/Zend/zend_alloc.c:2491
    #3 0xaaaaad3d6f78 in _emalloc /usr/src/php/Zend/zend_alloc.c:2610
    #4 0xaaaaada68010 in zend_string_alloc /usr/src/php/Zend/zend_string.h:174
    #5 0xaaaaada68010 in zend_string_concat3 /usr/src/php/Zend/zend_string.c:498
    #6 0xaaaaad3e87ec in zend_concat_names /usr/src/php/Zend/zend_compile.c:987
    #7 0xaaaaad3e8944 in zend_prefix_with_ns /usr/src/php/Zend/zend_compile.c:993
    #8 0xaaaaad439c88 in zend_begin_func_decl /usr/src/php/Zend/zend_compile.c:7521
    #9 0xaaaaad43afa4 in zend_compile_func_decl /usr/src/php/Zend/zend_compile.c:7601
    #10 0xaaaaad46028c in zend_compile_expr_inner /usr/src/php/Zend/zend_compile.c:10606
    #11 0xaaaaad4602e0 in zend_compile_expr /usr/src/php/Zend/zend_compile.c:10625
    #12 0xaaaaad407a98 in zend_compile_args /usr/src/php/Zend/zend_compile.c:3781
    #13 0xaaaaad4092f0 in zend_compile_call_common /usr/src/php/Zend/zend_compile.c:3884
    #14 0xaaaaad418e48 in zend_compile_static_call /usr/src/php/Zend/zend_compile.c:4860
    #15 0xaaaaad460864 in zend_compile_var_inner /usr/src/php/Zend/zend_compile.c:10663
    #16 0xaaaaad460a44 in zend_compile_var /usr/src/php/Zend/zend_compile.c:10682
    #17 0xaaaaad460088 in zend_compile_expr_inner /usr/src/php/Zend/zend_compile.c:10503
    #18 0xaaaaad4602e0 in zend_compile_expr /usr/src/php/Zend/zend_compile.c:10625
    #19 0xaaaaad45f700 in zend_compile_stmt /usr/src/php/Zend/zend_compile.c:10465
    #20 0xaaaaad42cc7c in zend_compile_stmt_list /usr/src/php/Zend/zend_compile.c:6405
    #21 0xaaaaad45f58c in zend_compile_stmt /usr/src/php/Zend/zend_compile.c:10373
    #22 0xaaaaad43b8d8 in zend_compile_func_decl /usr/src/php/Zend/zend_compile.c:7678
    #23 0xaaaaad45f660 in zend_compile_stmt /usr/src/php/Zend/zend_compile.c:10426
    #24 0xaaaaad42cc7c in zend_compile_stmt_list /usr/src/php/Zend/zend_compile.c:6405
    #25 0xaaaaad45f58c in zend_compile_stmt /usr/src/php/Zend/zend_compile.c:10373
    #26 0xaaaaad441274 in zend_compile_class_decl /usr/src/php/Zend/zend_compile.c:8163
    #27 0xaaaaad45efac in zend_compile_top_stmt /usr/src/php/Zend/zend_compile.c:10348
    #28 0xaaaaad45eba0 in zend_compile_top_stmt /usr/src/php/Zend/zend_compile.c:10337
    #29 0xaaaaad3171b4 in zend_compile /usr/src/php/Zend/zend_language_scanner.c:620
    #30 0xaaaaad317860 in compile_file /usr/src/php/Zend/zend_language_scanner.c:655

Thread T1 created by T0 here:
    #0 0xffff8c44a234 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0xffff87f4e5c0 in php_parallel_scheduler_start /parallel/src/scheduler.c:521
    #2 0xffff87f4c170 in php_parallel_runtime_construct /parallel/src/runtime.c:35
    #3 0xffff87f4bb50 in php_parallel_runtimes_fetch /parallel/src/parallel.c:103
    #4 0xffff87f4bb50 in php_parallel_run /parallel/src/parallel.c:131
    #5 0xaaaaad98682c in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /usr/src/php/Zend/zend_vm_execute.h:1337
    #6 0xaaaaad98682c in execute_ex /usr/src/php/Zend/zend_vm_execute.h:57216
    #7 0xaaaaad9ea38c in zend_execute /usr/src/php/Zend/zend_vm_execute.h:61604
    #8 0xaaaaad4ebbc0 in zend_execute_scripts /usr/src/php/Zend/zend.c:1893
    #9 0xaaaaad253c7c in php_execute_script /usr/src/php/main/main.c:2528
    #10 0xaaaaadd23790 in do_cli /usr/src/php/sapi/cli/php_cli.c:966
    #11 0xaaaaadd264e4 in main /usr/src/php/sapi/cli/php_cli.c:1340
    #12 0xffff8b64773c  (/lib/aarch64-linux-gnu/libc.so.6+0x2773c)
    #13 0xffff8b647814 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x27814)
    #14 0xaaaaac4cb12c in _start (/usr/local/bin/php+0x3fb12c)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/php/Zend/zend_string.h:353 in zend_string_release_ex
==41547==ABORTING

@arnaud-lb

The culprit seems to be this:

ZEND_MAP_PTR_NEW(function->op_array.run_time_cache);

ZEND_MAP_PTR_NEW() can only be called during compilation, otherwise it will allocate the same ptr in multiple threads. This is an issue when opcache is enabled because the ptrs are stored into SHM.

In my understanding, function is a unique copy created here (function->op_array.opcodes is shared but function is unique), so we don't need a real map_ptr. Using ZEND_MAP_PTR_INIT(function->op_array.run_time_cache, NULL) instead of ZEND_MAP_PTR_NEW() should fix this.
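A simplified model of the aliasing described in the comment above, added here as an example (it is not code from the parallel extension or from PHP): two scheduler threads each hand out a run-time-cache slot from their own counter, so two different function copies end up resolving to the same slot, while the ZEND_MAP_PTR_INIT(..., NULL) variant gives each unique copy a plain pointer of its own. The per-thread counter, the slot table standing in for opcache SHM, and all identifiers are assumptions of the model, not Zend internals.

```c
/* Added example, not code from ext-parallel or PHP: a simplified model of
 * the map_ptr aliasing discussed above. thread_state, op_array_copy,
 * map_ptr_new_rt and friends are invented names for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 8

/* Stands in for opcache shared memory: a slot index stored here is visible
 * to every thread, so two op_array copies holding the same index share one
 * run-time-cache slot. */
static void *shm_slots[SLOTS];

/* Per-thread compiler state (assumption of the model: the allocation counter
 * is thread-local, which is what lets two threads hand out the same slot). */
typedef struct { int map_ptr_last; } thread_state;

/* The per-thread copy of the function the scheduler runs. The offset is what
 * the buggy path stores; the plain pointer is what the fixed path uses. */
typedef struct {
    const char *name;
    size_t rt_cache_offset;   /* model of a ZEND_MAP_PTR_NEW() result, 0 = none */
    void *rt_cache;           /* model of ZEND_MAP_PTR_INIT(..., NULL) */
} op_array_copy;

/* Model of ZEND_MAP_PTR_NEW() called at run time instead of at compile time:
 * the next slot comes from the caller's own counter, so two threads that
 * both start at zero both receive slot 1. */
static size_t map_ptr_new_rt(thread_state *ts) {
    return (size_t)++ts->map_ptr_last;
}

/* Buggy path: every thread allocates a "fresh" slot for its own copy. */
static void attach_cache_buggy(thread_state *ts, op_array_copy *fn, void *cache) {
    fn->rt_cache_offset = map_ptr_new_rt(ts);
    shm_slots[fn->rt_cache_offset] = cache;   /* clobbers any earlier owner */
}

/* Fixed path (the ZEND_MAP_PTR_INIT(..., NULL) suggestion): the unique copy
 * owns a plain pointer and nothing is published to the shared slot table. */
static void attach_cache_fixed(op_array_copy *fn, void *cache) {
    fn->rt_cache_offset = 0;
    fn->rt_cache = cache;
}

static void *resolve_cache(const op_array_copy *fn) {
    return fn->rt_cache_offset ? shm_slots[fn->rt_cache_offset] : fn->rt_cache;
}

/* Returns 1 when two different function copies resolve to the same run-time
 * cache, i.e. the "same map_ptr assigned to different places" situation. */
int caches_alias(int use_fix) {
    static int cache_a, cache_b;             /* constructed stand-in caches */
    thread_state t1 = {0}, t2 = {0};         /* two scheduler threads */
    op_array_copy fa = {"TestWorker closure", 0, NULL};
    op_array_copy fb = {"AnotherWorker closure", 0, NULL};
    memset(shm_slots, 0, sizeof shm_slots);
    if (use_fix) { attach_cache_fixed(&fa, &cache_a); attach_cache_fixed(&fb, &cache_b); }
    else { attach_cache_buggy(&t1, &fa, &cache_a); attach_cache_buggy(&t2, &fb, &cache_b); }
    return resolve_cache(&fa) == resolve_cache(&fb);
}

int main(void) {
    printf("ZEND_MAP_PTR_NEW at run time: caches alias = %d\n", caches_alias(0));
    printf("ZEND_MAP_PTR_INIT(..., NULL): caches alias = %d\n", caches_alias(1));
    return 0;
}
```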

@realFlowControl
Collaborator

Awesome! I can confirm this works!

@realFlowControl
Collaborator

@arnaud-lb how did you find this?

@realFlowControl
Collaborator

Fixed for PHP 8.2, 8.3 and 8.4 with #327; still open for 8.1:

ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0xaaaadc558d88 bp 0xffff7620a5e0 sp 0xffff7620a5e0 T5)
==22746==The signal is caused by a READ memory access.
==22746==Hint: address points to the zero page.
    #0 0xaaaadc558d88 in zend_gc_addref /usr/src/php/Zend/zend_types.h:1191
    #1 0xaaaadc558d88 in _object_properties_init /usr/src/php/Zend/zend_API.c:1522
    #2 0xaaaadc558d88 in _object_and_properties_init /usr/src/php/Zend/zend_API.c:1665
    #3 0xaaaadc558d88 in object_init_ex /usr/src/php/Zend/zend_API.c:1682
    #4 0xaaaadc8306fc in ZEND_NEW_SPEC_VAR_UNUSED_HANDLER /usr/src/php/Zend/zend_vm_execute.h:28924
    #5 0xaaaadc9d845c in execute_ex /usr/src/php/Zend/zend_vm_execute.h:58485
    #6 0xffff893cb7a8 in php_parallel_scheduler_run /parallel/src/scheduler.c:337
    #7 0xffff893cbd14 in php_parallel_thread /parallel/src/scheduler.c:507
    #8 0xffff8cc6ee2c  (/lib/aarch64-linux-gnu/libc.so.6+0x7ee2c)
    #9 0xffff8ccd7ad8  (/lib/aarch64-linux-gnu/libc.so.6+0xe7ad8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/src/php/Zend/zend_types.h:1191 in zend_gc_addref
Thread T5 created by T1 here:
    #0 0xffff8da4a234 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0xffff893cc020 in php_parallel_scheduler_start /parallel/src/scheduler.c:525
    #2 0xffff893cb220 in php_parallel_runtime_construct /parallel/src/runtime.c:35
    #3 0xffff893ca7e8 in php_parallel_runtimes_fetch /parallel/src/parallel.c:103
    #4 0xffff893ca7e8 in php_parallel_run /parallel/src/parallel.c:131
    #5 0xaaaadc99765c in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /usr/src/php/Zend/zend_vm_execute.h:1297
    #6 0xaaaadc99765c in execute_ex /usr/src/php/Zend/zend_vm_execute.h:55816
    #7 0xffff893cb7a8 in php_parallel_scheduler_run /parallel/src/scheduler.c:337
    #8 0xffff893cbd14 in php_parallel_thread /parallel/src/scheduler.c:507
    #9 0xffff8cc6ee2c  (/lib/aarch64-linux-gnu/libc.so.6+0x7ee2c)
    #10 0xffff8ccd7ad8  (/lib/aarch64-linux-gnu/libc.so.6+0xe7ad8)

Thread T1 created by T0 here:
    #0 0xffff8da4a234 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0xffff893cc020 in php_parallel_scheduler_start /parallel/src/scheduler.c:525
    #2 0xffff893cb220 in php_parallel_runtime_construct /parallel/src/runtime.c:35
    #3 0xffff893ca7e8 in php_parallel_runtimes_fetch /parallel/src/parallel.c:103
    #4 0xffff893ca7e8 in php_parallel_run /parallel/src/parallel.c:131
    #5 0xaaaadc99765c in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /usr/src/php/Zend/zend_vm_execute.h:1297
    #6 0xaaaadc99765c in execute_ex /usr/src/php/Zend/zend_vm_execute.h:55816
    #7 0xaaaadc9f6b88 in zend_execute /usr/src/php/Zend/zend_vm_execute.h:60188
    #8 0xaaaadc540888 in zend_execute_scripts /usr/src/php/Zend/zend.c:1857
    #9 0xaaaadc2d5d94 in php_execute_script /usr/src/php/main/main.c:2551
    #10 0xaaaadcd3ae00 in do_cli /usr/src/php/sapi/cli/php_cli.c:965
    #11 0xaaaadcd3dfdc in main /usr/src/php/sapi/cli/php_cli.c:1367
    #12 0xffff8cc1773c  (/lib/aarch64-linux-gnu/libc.so.6+0x2773c)
    #13 0xffff8cc17814 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x27814)
    #14 0xaaaadb5c0aac in _start (/usr/local/bin/php+0x410aac)

==22746==ABORTING

@realFlowControl realFlowControl self-assigned this Oct 21, 2024
@arnaud-lb

@arnaud-lb how did you find this?

From an ASAN report I found that the address of some invalid read was coming from a map_ptr read. With gdb I watched what was writing this map_ptr and found out the same map_ptr had been assigned to different places.

@realFlowControl
Collaborator

realFlowControl commented Nov 4, 2024

Hey @hschimpf,
version 1.2.5 was tagged which should fix the problems for PHP 8.2, 8.3 and 8.4 (sadly not yet for 8.1).

@hschimpf
Author

hschimpf commented Nov 4, 2024

Hey @realFlowControl!

Many thanks! Tests on v8.2 and v8.3 are working as expected 👌🏻.

I'm working on migrating most projects that use ext-parallel to PHP v8.2/v8.3. Only one project is still on PHP v8.0, but it’s unaffected since the issue isn't present in that version. So, it’s not a big deal that v8.1 isn't working, as we’ll be upgrading directly to v8.3.

Also, thanks @arnaud-lb for the help! 🚀

Closing the issue now.

@hschimpf hschimpf closed this as completed Nov 4, 2024