Bug #52752 Crash when lexing
Submitted: 2010-08-31 20:43 UTC Modified: 2021-10-06 07:40 UTC
Votes:42
Avg. Score:4.4 ± 0.8
Reproduced:37 of 39 (94.9%)
Same Version:7 (18.9%)
Same OS:6 (16.2%)
From: paulgao at yeah dot net Assigned: nikic (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.3SVN-2010-08-31 (SVN) OS: Centos 5 32bit
Private report: No CVE-ID: None
 [2010-08-31 20:43 UTC] paulgao at yeah dot net
Description:
------------
Sometimes PHP dumps core; the error message is 'Program terminated with signal 7, Bus error.'.

Test script:
---------------
I don't know code.

Actual result:
--------------
gdb backtrace message:


#0  0x00000000007e9179 in lex_scan (zendlval=0x7fffe9900bd8) at Zend/zend_language_scanner.l:1635
#1  0x0000000000814517 in zendlex (zendlval=0x7fffe9900bd0) at /root/php-5.3.3/Zend/zend_compile.c:4946
#2  0x00000000007e2700 in zendparse () at /root/php-5.3.3/Zend/zend_language_parser.c:3280
#3  0x00000000007e817c in compile_file (file_handle=0x7fffe9901fc0, type=2) at Zend/zend_language_scanner.l:354
#4  0x00000000004c5bd8 in my_compile_file (h=0x7fffe9901fc0, type=2) at /root/php-5.3.3/ext/apc/apc_main.c:541
#5  0x00000000007e82f3 in compile_filename (type=2, filename=0x4ce0440) at Zend/zend_language_scanner.l:397
#6  0x000000000087ee91 in ZEND_INCLUDE_OR_EVAL_SPEC_VAR_HANDLER (execute_data=0x2ac39df370f0) at /root/php-5.3.3/Zend/zend_vm_execute.h:8569
#7  0x000000000085a9f3 in execute (op_array=0x3e1cd80) at /root/php-5.3.3/Zend/zend_vm_execute.h:107
#8  0x000000000082a2d7 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-5.3.3/Zend/zend.c:1194
#9  0x00000000007b44cb in php_execute_script (primary_file=0x7fffe9906920) at /root/php-5.3.3/main/main.c:2260
#10 0x000000000091deae in main (argc=3, argv=0x7fffe9906b28) at /root/php-5.3.3/sapi/fpm/fpm/fpm_main.c:1865

 [2010-08-31 20:45 UTC] paulgao at yeah dot net
I use 5.3.4-dev, and APC 3.1.5-dev.
 [2010-09-01 06:01 UTC] aharvey@php.net
-Status: Open +Status: Feedback
 [2010-09-01 06:01 UTC] aharvey@php.net
Please test if this fails without APC. If so, we'll need a test script to diagnose the problem.
 [2010-09-01 07:00 UTC] rasmus@php.net
That doesn't seem to be APC-related if the backtrace is to be believed.  It seems 
to be happening on the initial compile.  But yes, please verify that it happens 
without APC as well.
 [2010-09-01 15:17 UTC] paulgao at yeah dot net
test script:
<?php

file_put_contents(__DIR__ . '/test.tpl', "TEST");

ob_start();

include __DIR__ . '/test.tpl';

file_put_contents(__DIR__ . '/cache.tpl', ob_get_clean());

include __DIR__ . '/cache.tpl';

?>

core dump backtrace message:


#0  0x082fd8d6 in lex_scan (zendlval=0xbff7295c) at Zend/zend_language_scanner.c:930
930                     yych = *YYCURSOR;
(gdb) bt
#0  0x082fd8d6 in lex_scan (zendlval=0xbff7295c) at Zend/zend_language_scanner.c:930
#1  0x08324d5d in zendlex (zendlval=0xbff72958) at /root/php-5.3.3/Zend/zend_compile.c:4947
#2  0x082f7447 in zendparse () at /root/php-5.3.3/Zend/zend_language_parser.c:3280
#3  0x082fcc97 in compile_file (file_handle=0xbff72ad0, type=2) at Zend/zend_language_scanner.l:354
#4  0x082fcdec in compile_filename (type=2, filename=0xa179af0) at Zend/zend_language_scanner.l:397
#5  0x0837983e in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (execute_data=0xa179a04) at /root/php-5.3.3/Zend/zend_vm_execute.h:5199
#6  0x08369b48 in execute (op_array=0xa1467a4) at /root/php-5.3.3/Zend/zend_vm_execute.h:107
#7  0x083398ca in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-5.3.3/Zend/zend.c:1266
#8  0x082cc48f in php_execute_script (primary_file=0xbff77034) at /root/php-5.3.3/main/main.c:2275
#9  0x0840f171 in main (argc=3, argv=0xbff77174) at /root/php-5.3.3/sapi/fpm/fpm/fpm_main.c:1865
 [2010-09-01 15:19 UTC] paulgao at yeah dot net
The script runs on a CentOS 5 32-bit server, in php-fpm mode.

configure command:
./configure --prefix=/usr/local/php --without-pear --with-mysqli=mysqlnd --disable-phar --with-iconv --with-zlib --enable-exif --enable-sockets --enable-mbstring=all --enable-inline-optimization --enable-debug --enable-static --disable-ipv6 --disable-pdo --without-sqlite --enable-fpm --with-libevent=shared
 [2010-09-02 08:15 UTC] paulgao at yeah dot net
Please use "ab -n 200 -n 20 http://xxx/xxx.php" to test.
 [2010-09-04 18:24 UTC] paulgao at yeah dot net
Anybody There?
 [2010-09-09 07:26 UTC] aharvey@php.net
-Status: Feedback +Status: Open -Operating System: irrelevant +Operating System: Centos 5 32bit
 [2010-09-09 07:39 UTC] paulgao at yeah dot net
And on a CentOS 64-bit server, same result.
 [2010-11-24 00:20 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2010-11-24 00:20 UTC] felipe@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2011-02-09 12:38 UTC] paulgao at yeah dot net
<?php

file_put_contents(__DIR__ . '/test.tpl', 'AAA<?php $string = "'. str_repeat('A', mt_rand(1, 256 * 1024)) .'"; ?>BBB' . "\r\n", LOCK_EX);

require_once __DIR__ . '/test.tpl';

?>

Please use "ab -n 200 -n 20 http://localhost/test.php" to test it.
 [2011-02-09 12:40 UTC] paulgao at yeah dot net
core dump:

(gdb) bt
#0  0x082a1ac8 in lex_scan (zendlval=0xbf85525c) at /root/php-5.3.5/Zend/zend_language_scanner.c:2063
#1  0x082b2df8 in zendlex (zendlval=0xbf855258) at /root/php-5.3.5/Zend/zend_compile.c:4949
#2  0x0829c0f9 in zendparse () at /root/php-5.3.5/Zend/zend_language_parser.c:3280
#3  0x082a0f3c in compile_file (file_handle=0xbf855330, type=8) at /root/php-5.3.5/Zend/zend_language_scanner.c:359
#4  0x082fa1ca in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (execute_data=0x9fbd1b8) at /root/php-5.3.5/Zend/zend_vm_execute.h:5200
#5  0x082ed7e8 in execute (op_array=0x9f88d68) at /root/php-5.3.5/Zend/zend_vm_execute.h:107
#6  0x082cb847 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-5.3.5/Zend/zend.c:1194
#7  0x0827ae7e in php_execute_script (primary_file=0xbf859858) at /root/php-5.3.5/main/main.c:2265
#8  0x08352122 in main (argc=131072, argv=0x640004) at /root/php-5.3.5/sapi/fpm/fpm/fpm_main.c:1882
 [2011-10-31 21:32 UTC] juraj at lutter dot sk
The same happens on Solaris 10/x86 with PHP 5.3.8 compiled using GCC4 and using Apache 2.2.21.

root@[nwebs3 /var/crash/nwebs3]# pstack httpd-29691-cust_zend_apache3
core 'httpd-29691-cust_zend_apache3' of 29691:  /opt/csw/apache2/sbin/httpd -f /opt/csw/apache2/etc/httpd.conf -k star
 fe0485d4 lex_scan (8046c74, 6c632f61, 746e6569, fe062825, 69762f63, 72656c6c) + 60
 fe062863 zendlex  (8046c70, 8045ae0, 8045690, fe04344b) + 4f
 fe043ac2 zendparse (85af794, 2, 40, 2, 81c3ecc, 9) + 69a
 fe047cd1 compile_file (8046e00, 8, 2, fe3630c8, 81f399c, 85b1265) + bd
 fdd7706c sg_compile_file (8046e00, 8, 55, 0, fe3ae224, 31) + 20
 fe0abaac ???????? (8047800, 81c3e12, 8046e98, fe3ae0c0, 88b39c8, 1007800)
 fe0945d9 execute  (81e10b4, 0, 2, 81c3ba8, 8046ecc, 8046ed4) + 195
 fe074111 zend_execute_scripts (8, 0, 3, 0, 8047800, 0) + 129
 fe0255af php_execute_script (8047800, 8380c78, 9c, fe0f72a9, fdc20000, 8000) + 1df
 fe0f7508 ???????? (8386cd0, 25, 8386fb0, 8387f60)
 0807cdce ap_run_handler (8386cd0, 3b, 8047ae8, 807d135, 11e1a300, 0) + 32
 0807d19f ap_invoke_handler (8386cd0, 0, 8047b18, 80712de) + af
 08087fdd ap_process_request (8386cd0, 4, 8386cd0, 8386cd0) + 18d
 0808599d ap_process_http_connection (837cf40, 0, 8047b78, 8082aed) + f1
 08082802 ap_run_process_connection (837cf40, 837cca8, 837cc68, 80bcdd8, fec42c40, 0) + 32
 0808c34a child_main (10, 808beb8, 1, 0) + 406
 0808c52e make_child (fddc1a5e, feb7667a, fec43c80, 6, 0, fec43c80) + de
 0808d0ae ap_mpm_run (80be830, 80ec8e8, 80c0728, 80c0728) + aea
 0806c9e4 main     (6, 8047e08, 8047e24) + 6f8
 0806be7c _start   (6, 8047ea8, 8047ec4, 8047ec7, 8047ee7, 8047eea) + 80
 [2011-12-22 22:36 UTC] vc at artstyle dot ru
Same here. Apache doesn't matter; I get this SIGBUS a couple of times a day. With APC or xcache, different versions, latest - all the same. PHP is stock Debian:
PHP 5.3.3-7+squeeze3 with Suhosin-Patch (cli) (built: Jun 28 2011 13:13:26) 
Using fastcgi SAPI with pretty large PHP application (thousands of files).
I'll try to make it reproducible.

# gdb /usr/lib/cgi-bin/php5-fcgi ./3002.php5-fcgi.7.9143
[...]
Program terminated with signal 7, Bus error.
#0  lex_scan (zendlval=0xbfffa2ec) at /build/buildd-php5_5.3.3-7+squeeze3-i386-H_HNTR/php5-5.3.3/Zend/zend_language_scanner.c:940
940                     yych = *YYCURSOR;
(gdb) l
935                               0,   0,   0,   0,   0,   0,   0,   0, 
936                     };
937     
938                     YYDEBUG(0, *YYCURSOR);
939                     YYFILL(8);
940                     yych = *YYCURSOR;
941                     if (yych != '<') goto yy4;
942                     YYDEBUG(2, *YYCURSOR);
943                     yyaccept = 0;
944                     yych = *(YYMARKER = ++YYCURSOR);

(gdb) p language_scanner_globals.yy_cursor
$1 = (unsigned char *) 0xb77c1000 <Address 0xb77c1000 out of bounds>
(gdb) inf target
Symbols from "/usr/lib/cgi-bin/php5-fcgi".
Local core dump file:
        `/var/tmp/./3002.php5-fcgi.7.9143', file type elf32-i386.
[...]
        0xb7759000 - 0xb7781000 is load52
        0xb77c1000 - 0xb77c1000 is load53
        0xb77c2000 - 0xb77c5000 is load54
[...]
 [2011-12-22 23:56 UTC] vc at artstyle dot ru
Test case:

# cat test3.php 
<?php
if ($argv[1] > 0) {
  while ($argv[1]--) file_put_contents('test.tpl', "<?php #".str_repeat('A', mt_rand(4000, 5000))." ?>\n", LOCK_EX);
} else {
  $p2 = popen("php test3.php 100", "r");
  while (1) include 'test.tpl';
}
?>
# php test3.php 
Bus error
# php test3.php 
Bus error
# php test3.php 
Bus error
# php test3.php 
PHP Parse error:  syntax error, unexpected $end, expecting T_VARIABLE or T_DOLLAR_OPEN_CURLY_BRACES or T_CURLY_OPEN in /var/tmp/test.tpl on line 1
Parse error: syntax error, unexpected $end, expecting T_VARIABLE or T_DOLLAR_OPEN_CURLY_BRACES or T_CURLY_OPEN in /var/tmp/test.tpl on line 1

In my case it's an application (Bitrix) to blame. Ugly code that frequently rewrites cached template in place, instead of creating new and renaming it.
 [2012-02-07 18:57 UTC] mbreid at thepei dot com
I believe I'm running into this exact same error. I'm new to PHP-FPM (v5.3.9) as well as GDB, so here's what I managed to pull from the "core dump" / gdb backtrace log:

Core was generated by `php-fpm: pool www '.
Program terminated with signal 7, Bus error.
#0  lex_scan (zendlval=0x7fffbe65e368) at Zend/zend_language_scanner.l:1801
1801				if (*YYCURSOR == '\'') {

AND


#0  lex_scan (zendlval=0x7fffbe65e368) at Zend/zend_language_scanner.l:1801
#1  0x000000000076fe90 in zendlex (zendlval=0x7fffbe65e360)
    at /usr/src/install/php-5.3.9/Zend/zend_compile.c:4975
#2  0x00000000007598ae in zendparse ()
    at /usr/src/install/php-5.3.9/Zend/zend_language_parser.c:3285
#3  0x0000000000765268 in compile_file (file_handle=0x7fffbe65e6e0, type=2)
    at Zend/zend_language_scanner.l:364
#4  0x00000000005ee40a in phar_compile_file (file_handle=<value optimized out>, 
    type=<value optimized out>) at /usr/src/install/php-5.3.9/ext/phar/phar.c:3393
#5  0x00000000007b88ac in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (execute_data=0x31432a8)
    at /usr/src/install/php-5.3.9/Zend/zend_vm_execute.h:5234
#6  0x00000000007ad538 in execute (op_array=0x32c4900)
    at /usr/src/install/php-5.3.9/Zend/zend_vm_execute.h:107
#7  0x000000000078806a in zend_execute_scripts (type=8, retval=<value optimized out>, 
    file_count=3) at /usr/src/install/php-5.3.9/Zend/zend.c:1236
#8  0x000000000073686d in php_execute_script (primary_file=<value optimized out>)
    at /usr/src/install/php-5.3.9/main/main.c:2308
#9  0x0000000000817545 in main (argc=<value optimized out>, argv=<value optimized out>)
    at /usr/src/install/php-5.3.9/sapi/fpm/fpm/fpm_main.c:1858

I'm running Ubuntu 10.10 (64-bit) -- Any ideas on what could be happening here or ways to address this moving forward?
 [2012-02-08 09:58 UTC] vc at artstyle dot ru
About the only way - disable use of mmap() on PHP code files. Need to patch and recompile. Something like this:

--- main/main.c~        2012-02-08 06:00:52.000000000 +0400
+++ main/main.c 2012-02-08 06:01:28.000000000 +0400
@@ -1229,7 +1229,7 @@
                /* can we mmap immeadiately? */
                memset(&handle->handle.stream.mmap, 0, sizeof(handle->handle.stream.mmap));     
                len = php_zend_stream_fsizer(stream TSRMLS_CC);
-               if (len != 0
+               if (0 && len != 0
 #if HAVE_MMAP  
                && ((len - 1) % page_size) <= page_size - ZEND_MMAP_AHEAD
 #endif
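Review bot: The `0 &&` added at the `if (len != 0` line makes the whole condition a constant false, so the mmap path is skipped for every file handle and the `#if HAVE_MMAP` page-size check that follows becomes unreachable. That is fine as a local workaround, but it would read more clearly behind a named compile-time switch (or with the branch removed) and a comment saying why mmap is skipped, so the intent survives later edits. The unchanged comment line above also carries a typo, "immeadiately".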
 [2012-04-26 21:17 UTC] michael at vstadi dot com
We are experiencing the same thing:

CentOS5, Nginx 1.1.12, PHP-FPM 5.3.10, (extensions APC 3.1.9 and memcache 2.2.6)
Occasional SIGBUS, [26-Apr-2012 17:05:23] WARNING: [pool www] child 2562 exited on signal 7 (SIGBUS - core dumped) after 84.407806 seconds from start

gdb core dump and backtrace:

Core was generated by `php-fpm:'.
Program terminated with signal 7, Bus error.
#0  lex_scan (zendlval=0x7fffd5e9fde8) at Zend/zend_language_scanner.c:943
943                     if (yych != '<') goto yy4;
(gdb) bt
#0  lex_scan (zendlval=0x7fffd5e9fde8) at Zend/zend_language_scanner.c:943
#1  0x0000000000591ee0 in zendlex (zendlval=0x7fffd5e9fde0)
    at /usr/src/debug/php-5.3.10/Zend/zend_compile.c:4975
#2  0x000000000057c6a6 in zendparse ()
    at /usr/src/debug/php-5.3.10/Zend/zend_language_parser.c:3287
#3  0x0000000000587352 in compile_file (file_handle=0x7fffd5ea1360,
    type=<value optimized out>) at Zend/zend_language_scanner.l:364
#4  0x00007f02feaf344f in my_compile_file (h=0x7fffd5ea1360, type=8)
    at /usr/src/debug/php-pecl-apc-3.1.9/APC-3.1.9/apc_main.c:543
#5  0x00007f02f8b7f291 in phar_compile_file (file_handle=0x7fffd5ea1360,
    type=8) at /usr/src/debug/php-5.3.10/ext/phar/phar.c:3393
#6  0x0000000000586bde in compile_filename (type=8, filename=0x2a97418)
    at Zend/zend_language_scanner.l:407
#7  0x00000000005d8442 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (
    execute_data=0x294c6a8)
    at /usr/src/debug/php-5.3.10/Zend/zend_vm_execute.h:22529
#8  0x00000000005d1770 in execute (op_array=0x2a43d58)
    at /usr/src/debug/php-5.3.10/Zend/zend_vm_execute.h:107
#9  0x00000000005a197a in zend_call_function (fci=0x7fffd5ea16f0,
    fci_cache=<value optimized out>)
    at /usr/src/debug/php-5.3.10/Zend/zend_execute_API.c:969
#10 0x00000000004f6e33 in zif_call_user_func (ht=<value optimized out>,
    return_value=0x2b39d68, return_value_ptr=<value optimized out>,
    this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /usr/src/debug/php-5.3.10/ext/standard/basic_functions.c:4774
#11 0x00000000005fa0d8 in zend_do_fcall_common_helper_SPEC (
    execute_data=<value optimized out>)
    at /usr/src/debug/php-5.3.10/Zend/zend_vm_execute.h:320
#12 0x00000000005d1770 in execute (op_array=0x2a64df8)
    at /usr/src/debug/php-5.3.10/Zend/zend_vm_execute.h:107
#13 0x00000000005ab2bd in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /usr/src/debug/php-5.3.10/Zend/zend.c:1236
#14 0x0000000000558558 in php_execute_script (primary_file=0x7fffd5ea3ea0)
    at /usr/src/debug/php-5.3.10/main/main.c:2308
#15 0x000000000063e269 in main (argc=44076704, argv=0x2a08bc0)
    at /usr/src/debug/php-5.3.10/sapi/fpm/fpm/fpm_main.c:1858
 [2012-12-19 13:09 UTC] jani dot ollikainen at mmd dot net
This problem is wider than the report says! It's not just Centos 5 and 32bit. Tested with 5.3.19, 5.4.9 and trunk 201212191230 and got bus error.

Suggested workaround by disabling mmap seems to work, so problem lies
in mmap handling. Real fix/patch would be nice and really appreciated.

5.3.19:
Core was generated by `sapi/cli/php test3.php'.
Program terminated with signal 7, Bus error.
#0  lex_scan (zendlval=<value optimized out>)
    at Zend/zend_language_scanner.l:1709
1709                    switch (*YYCURSOR++) {
(gdb) list
1704    }
1705
1706
1707    <ST_IN_SCRIPTING>"#"|"//" {
1708            while (YYCURSOR < YYLIMIT) {
1709                    switch (*YYCURSOR++) {
1710                            case '\r':
1711                                    if (*YYCURSOR == '\n') {
1712                                            YYCURSOR++;
1713                                    }
#0  lex_scan (zendlval=<value optimized out>)
    at Zend/zend_language_scanner.l:1709
#1  0x0000000000636640 in zendlex (zendlval=0x7fff2476cb90)
    at /root/php-5.3.19/Zend/zend_compile.c:4975
#2  0x0000000000620e66 in zendparse ()
    at /root/php-5.3.19/Zend/zend_language_parser.c:3285
#3  0x000000000062bb52 in compile_file (file_handle=0x7fff2476ce80,
    type=<value optimized out>) at Zend/zend_language_scanner.l:364
#4  0x00000000005362d1 in phar_compile_file (file_handle=0x7fff2476ce80,
    type=2) at /root/php-5.3.19/ext/phar/phar.c:3394
#5  0x000000000062b3de in compile_filename (type=2, filename=0x185ac58)
    at Zend/zend_language_scanner.l:407
#6  0x000000000067c63e in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (
    execute_data=0x7fe9b5916050)
    at /root/php-5.3.19/Zend/zend_vm_execute.h:1967
#7  0x0000000000675a30 in execute (op_array=0x184f358)
    at /root/php-5.3.19/Zend/zend_vm_execute.h:107
#8  0x000000000064f86f in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /root/php-5.3.19/Zend/zend.c:1259
#9  0x00000000005fcd67 in php_execute_script (primary_file=0x7fff24770780)
    at /root/php-5.3.19/main/main.c:2316
#10 0x00000000006da002 in main (argc=2, argv=0x7fff24770a18)
    at /root/php-5.3.19/sapi/cli/php_cli.c:1189

PHP 5.4.9:
Core was generated by `sapi/cli/php test3.php'.
Program terminated with signal 7, Bus error.
#0  lex_scan (zendlval=<value optimized out>)
    at Zend/zend_language_scanner.l:1904
1904                    switch (*YYCURSOR++) {
(gdb) list
1899    }
1900
1901
1902    <ST_IN_SCRIPTING>"#"|"//" {
1903            while (YYCURSOR < YYLIMIT) {
1904                    switch (*YYCURSOR++) {
1905                            case '\r':
1906                                    if (*YYCURSOR == '\n') {
1907                                            YYCURSOR++;
1908                                    }
(gdb) bt
#0  lex_scan (zendlval=<value optimized out>)
    at Zend/zend_language_scanner.l:1904
#1  0x000000000063fd90 in zendlex (zendlval=0x7fff4739ebf0)
    at /root/php-5.4.9/Zend/zend_compile.c:6707
#2  0x0000000000628ba4 in zendparse ()
    at /root/php-5.4.9/Zend/zend_language_parser.c:3430
#3  0x0000000000634d4d in compile_file (file_handle=0x7fff4739ef40,
    type=<value optimized out>) at Zend/zend_language_scanner.l:582
#4  0x0000000000539ae1 in phar_compile_file (file_handle=0x7fff4739ef40,
    type=2) at /root/php-5.4.9/ext/phar/phar.c:3388
#5  0x00000000006344ae in compile_filename (type=2, filename=0x7f66ed826d20)
    at Zend/zend_language_scanner.l:625
#6  0x00000000006acb6b in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (
    execute_data=0x7f66ed7ea060) at /root/php-5.4.9/Zend/zend_vm_execute.h:2608
#7  0x00000000006c98a0 in execute (op_array=0x7f66ed81f938)
    at /root/php-5.4.9/Zend/zend_vm_execute.h:410
#8  0x00000000006608cd in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /root/php-5.4.9/Zend/zend.c:1309
#9  0x0000000000603e27 in php_execute_script (primary_file=0x7fff473a2680)
    at /root/php-5.4.9/main/main.c:2482
#10 0x000000000070aeac in do_cli (argc=2, argv=0x7fff473a2a88)
    at /root/php-5.4.9/sapi/cli/php_cli.c:988
#11 0x000000000070b608 in main (argc=2, argv=0x7fff473a2a88)
    at /root/php-5.4.9/sapi/cli/php_cli.c:1364

trunk:
Core was generated by `sapi/cli/php test3.php'.
Program terminated with signal 7, Bus error.
#0  lex_scan (zendlval=<value optimized out>)
    at Zend/zend_language_scanner.l:1917
1917                    switch (*YYCURSOR++) {
(gdb) list
1912    }
1913
1914
1915    <ST_IN_SCRIPTING>"#"|"//" {
1916            while (YYCURSOR < YYLIMIT) {
1917                    switch (*YYCURSOR++) {
1918                            case '\r':
1919                                    if (*YYCURSOR == '\n') {
1920                                            YYCURSOR++;
1921                                    }
(gdb) bt
#0  lex_scan (zendlval=<value optimized out>)
    at Zend/zend_language_scanner.l:1917
#1  0x0000000000641c30 in zendlex (zendlval=0x7fff34ca46c0)
    at /root/php-trunk-201212191230/Zend/zend_compile.c:6881
#2  0x000000000062a713 in zendparse ()
    at /root/php-trunk-201212191230/Zend/zend_language_parser.c:3428
#3  0x0000000000636d75 in compile_file (file_handle=0x7fff34ca4a30,
    type=<value optimized out>) at Zend/zend_language_scanner.l:585
#4  0x000000000053a921 in phar_compile_file (file_handle=0x7fff34ca4a30,
    type=2) at /root/php-trunk-201212191230/ext/phar/phar.c:3388
#5  0x000000000063641e in compile_filename (type=2, filename=0x7f6444584978)
    at Zend/zend_language_scanner.l:628
#6  0x00000000006d48eb in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (
    execute_data=0x7f64445481e0)
    at /root/php-trunk-201212191230/Zend/zend_vm_execute.h:2695
#7  0x00000000006d4b40 in execute_ex (execute_data=0x7f64445481e0)
    at /root/php-trunk-201212191230/Zend/zend_vm_execute.h:356
#8  0x00000000006634d9 in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /root/php-trunk-201212191230/Zend/zend.c:1309
#9  0x0000000000605ed9 in php_execute_script (primary_file=0x7fff34ca8180)
    at /root/php-trunk-201212191230/main/main.c:2468
#10 0x0000000000710d7c in do_cli (argc=2, argv=0x7fff34ca8588)
    at /root/php-trunk-201212191230/sapi/cli/php_cli.c:988
#11 0x00000000007114d8 in main (argc=2, argv=0x7fff34ca8588)
    at /root/php-trunk-201212191230/sapi/cli/php_cli.c:1364
 [2012-12-19 13:17 UTC] jani dot ollikainen at mmd dot net
Oh, and here are the backtraces for the production environment using PHP 5.3.3, APC 3.1.13 on CentOS 6 (x86_64). The backtrace has two variants, but the problem still seems to be the same:

Core was generated by `/usr/bin/php-cgi'.
Program terminated with signal 7, Bus error.
#0  lex_scan (zendlval=0x7fff2f98cf48) at Zend/zend_language_scanner.c:931
931                     if (yych != '<') goto yy4;
(gdb) list
926                     };
927
928                     YYDEBUG(0, *YYCURSOR);
929                     YYFILL(8);
930                     yych = *YYCURSOR;
931                     if (yych != '<') goto yy4;
932                     YYDEBUG(2, *YYCURSOR);
933                     yyaccept = 0;
934                     yych = *(YYMARKER = ++YYCURSOR);
935                     if (yych <= '?') {

(gdb) bt
#0  lex_scan (zendlval=0x7fff901eca58) at Zend/zend_language_scanner.c:931
#1  0x000000000058deb0 in zendlex (zendlval=0x7fff901eca50)
    at /usr/src/debug/php-5.3.3/Zend/zend_compile.c:4942
#2  0x00000000005786f7 in zendparse ()
    at /usr/src/debug/php-5.3.3/Zend/zend_language_parser.c:3282
#3  0x0000000000583342 in compile_file (file_handle=0x7fff901edfe0,
    type=<value optimized out>) at Zend/zend_language_scanner.l:354
#4  0x00007f413988da8f in my_compile_file (h=0x7fff901edfe0, type=2)
    at /usr/src/debug/php-pecl-apc-3.1.13/APC-3.1.13/apc_main.c:532
#5  0x00007f4134c64721 in phar_compile_file (file_handle=0x7fff901edfe0,
    type=2) at /usr/src/debug/php-5.3.3/ext/phar/phar.c:3393
#6  0x00000000005d8148 in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (
    execute_data=0x1263560)
    at /usr/src/debug/php-5.3.3/Zend/zend_vm_execute.h:5179
#7  0x00000000005cc810 in execute (op_array=0x11f5ce0)
    at /usr/src/debug/php-5.3.3/Zend/zend_vm_execute.h:107
#8  0x00000000005a6f4d in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /usr/src/debug/php-5.3.3/Zend/zend.c:1194
#9  0x00000000005551b8 in php_execute_script (primary_file=0x7fff901f07b0)
    at /usr/src/debug/php-5.3.3/main/main.c:2261
#10 0x000000000063081d in main (argc=1, argv=0x7fff901f29c8)
    at /usr/src/debug/php-5.3.3/sapi/cgi/cgi_main.c:2127

(gdb) bt
#0  lex_scan (zendlval=0x7fffa8dc3898) at Zend/zend_language_scanner.c:931
#1  0x000000000058deb0 in zendlex (zendlval=0x7fffa8dc3890)
    at /usr/src/debug/php-5.3.3/Zend/zend_compile.c:4942
#2  0x00000000005786f7 in zendparse ()
    at /usr/src/debug/php-5.3.3/Zend/zend_language_parser.c:3282
#3  0x0000000000583342 in compile_file (file_handle=0x7fffa8dc5340,
    type=<value optimized out>) at Zend/zend_language_scanner.l:354
#4  0x00007f55ee3c65b7 in apc_compile_cache_entry (key=0x7fffa8dc5170,
    h=0x7fffa8dc5340, type=2, t=<value optimized out>,
    op_array=0x7fffa8dc40b8, cache_entry=0x7fffa8dc40c0)
    at /usr/src/debug/php-pecl-apc-3.1.13/APC-3.1.13/apc_main.c:398
#5  0x00007f55ee3c6f9b in my_compile_file (h=0x7fffa8dc5340, type=2)
    at /usr/src/debug/php-pecl-apc-3.1.13/APC-3.1.13/apc_main.c:603
#6  0x00007f55e979d721 in phar_compile_file (file_handle=0x7fffa8dc5340,
    type=2) at /usr/src/debug/php-5.3.3/ext/phar/phar.c:3393
#7  0x00000000005d8148 in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (
    execute_data=0x1e26370)
    at /usr/src/debug/php-5.3.3/Zend/zend_vm_execute.h:5179
#8  0x00000000005cc810 in execute (op_array=0x1d187e0)
    at /usr/src/debug/php-5.3.3/Zend/zend_vm_execute.h:107
#9  0x00000000005a6f4d in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /usr/src/debug/php-5.3.3/Zend/zend.c:1194
#10 0x00000000005551b8 in php_execute_script (primary_file=0x7fffa8dc7b10)
    at /usr/src/debug/php-5.3.3/main/main.c:2261
#11 0x000000000063081d in main (argc=1, argv=0x7fffa8dc9d28)
    at /usr/src/debug/php-5.3.3/sapi/cgi/cgi_main.c:2127
 [2012-12-20 01:09 UTC] aharvey@php.net
-Status: Feedback +Status: Open
 [2012-12-22 01:58 UTC] felipe@php.net
-Summary: Program terminated with signal 7, Bus error. +Summary: Crash when lexing
 [2012-12-28 19:06 UTC] jani dot ollikainen at mmd dot net
Hi,

After emailing php-dev and fixing my code, I got rid of the error.
The problem is that I thought PHP would handle concurrent stuff so
I wouldn't need to.

My problem was having code that does something like this:

$fp = fopen("file.php", "w");
fputs($fp, "<?php /*code*/ ?>");
fclose($fp);

And also in other parts of code to have:
include("file.php");

This sometimes caused the include to get a broken file. I still think that crashing on a broken file is not acceptable behavior, but I've understood that you can crash PHP by coding something wrong and PHP doesn't protect you or crash nicely. This can be a problem in a hosted environment if not running basic PHP-CGI for every request.

I think the include/require documentation should have a warning box saying something like: you have to handle concurrent stuff and/or PHP can crash on broken PHP files without a nice error. I think that might have helped me.

The fix in my code was to change how I write to the file:
$tmp = "file.php.tmp." . getmypid();
$fp = fopen($tmp, "w");
fputs($fp, "<?php /*code*/ ?>");
fclose($fp);
rename($tmp, "file.php");

Pretty easy fix if you know that you have to do it or expect PHP to crash on broken files.

Of course I can't say anything about the other crashes, but as the backtraces seem similar and the example code used to crash PHP has a similar problem, this might help.
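
The two write patterns discussed in this thread (rewriting a file in place while another process has it mapped, versus writing a new file and renaming it over the old one) can be compared outside PHP. The C program below is an added example, not code from PHP or from any commenter; the /tmp path, the sizes and all function names are constructed, and it assumes Linux with a writable /tmp.

```c
/* Added demo, not code from PHP or the bug report. Paths, sizes and names
 * are constructed. Assumes Linux/POSIX and a writable /tmp. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum writer_mode { WRITE_IN_PLACE, WRITE_TEMP_THEN_RENAME };

/* Replace `path` with `len` bytes of 'A'. O_TRUNC mirrors fopen(..., "w"):
 * the existing inode is cut to length 0 before the new bytes are written. */
static int write_file(const char *path, size_t len)
{
    char *buf = malloc(len);
    if (!buf) return -1;
    memset(buf, 'A', len);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    ssize_t n = fd < 0 ? -1 : write(fd, buf, len);
    free(buf);
    if (fd < 0) return -1;
    if (close(fd) != 0 || n != (ssize_t)len) return -1;
    return 0;
}

/* Reader child: map the file at its current length, wait for the writer, then
 * scan the whole mapping the way a lexer walks from its cursor to its limit. */
static void reader_child(const char *path, size_t len, int ready_fd, int go_fd)
{
    struct rlimit no_core = { 0, 0 };
    setrlimit(RLIMIT_CORE, &no_core);              /* no core file from the demo */
    int fd = open(path, O_RDONLY);
    if (fd < 0) _exit(2);
    const volatile unsigned char *p = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) _exit(2);
    char token = 'r';
    if (write(ready_fd, &token, 1) != 1) _exit(2); /* "the file is mapped" */
    if (read(go_fd, &token, 1) != 1) _exit(2);     /* wait until it is rewritten */
    unsigned char sink = 0;
    for (size_t i = 0; i < len; i++) sink ^= p[i]; /* touches pages past a new EOF */
    (void)sink;
    _exit(0);
}

/* Returns 0 if the reader finished its scan, the signal number if it was
 * killed (SIGBUS is the failure in this report), or -1 on a setup error. */
int reader_fate(enum writer_mode mode)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t old_len = 3 * page, new_len = 16;       /* new content is shorter */
    char path[64], tmp[80];
    snprintf(path, sizeof path, "/tmp/mmap-race-%ld.tpl", (long)getpid());
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    int ready[2], go[2], status = 0, fate = -1, rc = -1;
    if (write_file(path, old_len) != 0 || pipe(ready) != 0 || pipe(go) != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(ready[0]); close(go[1]);
        reader_child(path, old_len, ready[1], go[0]);
    }
    close(ready[1]); close(go[0]);

    char token;
    if (read(ready[0], &token, 1) == 1) {
        if (mode == WRITE_IN_PLACE) {
            rc = write_file(path, new_len);        /* truncates the mapped inode */
        } else {
            rc = write_file(tmp, new_len);         /* new inode ... */
            if (rc == 0) rc = rename(tmp, path);   /* ... swapped in atomically */
        }
        if (rc == 0 && write(go[1], &token, 1) != 1) rc = -1;
    }
    close(go[1]); close(ready[0]);                 /* EOF releases a waiting child */
    if (waitpid(pid, &status, 0) == pid && rc == 0) {
        if (WIFSIGNALED(status)) fate = WTERMSIG(status);
        else if (WIFEXITED(status) && WEXITSTATUS(status) == 0) fate = 0;
    }
    unlink(path); unlink(tmp);
    return fate;
}

int main(void)
{
    printf("in-place rewrite: reader fate = %d (SIGBUS = %d)\n",
           reader_fate(WRITE_IN_PLACE), SIGBUS);
    printf("temp + rename   : reader fate = %d\n",
           reader_fate(WRITE_TEMP_THEN_RENAME));
    return 0;
}
```

With the rename pattern the reader keeps its mapping of the old inode, which stays intact until the last reference is dropped, so its scan never reaches a page beyond end of file.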
 [2013-07-24 10:12 UTC] ab@php.net
-Status: Open +Status: Duplicate
 [2013-07-24 10:12 UTC] ab@php.net
see bug #52752
 [2014-11-19 15:00 UTC] igor at wiedler dot ch
Which bug is this a duplicate of? From what I can tell, all related bugs have been closed. Was this one closed by accident?
 [2014-12-04 12:05 UTC] kostik dot lv at gmail dot com
It's marked as a duplicate to itself:
[2013-07-24 10:12 UTC] ab@php.net
-Status: Open
+Status: Duplicate
 [2013-07-24 10:12 UTC] ab@php.net
see bug #52752
 [2015-05-06 20:16 UTC] fbastani at perennate dot com
I am still encountering this bug with PHP 5.5.9, using php5-fpm without opcache/APC.

Backtrace:

#0  lex_scan (zendlval=zendlval@entry=0x7fffefa33e58) at Zend/zend_language_scanner.c:2271
#1  0x00000000006d7772 in zendlex (zendlval=zendlval@entry=0x7fffefa33e50) at /build/buildd/php5-5.5.9+dfsg/Zend/zend_compile.c:6749
#2  0x00000000006b2766 in zendparse () at /build/buildd/php5-5.5.9+dfsg/Zend/zend_language_parser.c:3438
#3  0x00000000006b7d18 in compile_file (file_handle=file_handle@entry=0x7fffefa36330, type=8) at Zend/zend_language_scanner.l:588
#4  0x00000000006dd4ea in dtrace_compile_file (file_handle=0x7fffefa36330, type=<optimized out>)
    at /build/buildd/php5-5.5.9+dfsg/Zend/zend_dtrace.c:40
#5  0x0000000000566674 in phar_compile_file (file_handle=<optimized out>, type=<optimized out>)
    at /build/buildd/php5-5.5.9+dfsg/ext/phar/phar.c:3379
#6  0x000000000079cb9d in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (execute_data=0x7fc1d68e6688)
    at /build/buildd/php5-5.5.9+dfsg/Zend/zend_vm_execute.h:7994
#7  0x00000000007173e8 in execute_ex (execute_data=0x7fc1d68e6688) at /build/buildd/php5-5.5.9+dfsg/Zend/zend_vm_execute.h:363
#8  0x00000000006dd559 in dtrace_execute_ex (execute_data=<optimized out>) at /build/buildd/php5-5.5.9+dfsg/Zend/zend_dtrace.c:73
#9  0x000000000079d1bf in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7fc1d68e60f8)
    at /build/buildd/php5-5.5.9+dfsg/Zend/zend_vm_execute.h:2748
#10 0x00000000007173e8 in execute_ex (execute_data=0x7fc1d68e60f8) at /build/buildd/php5-5.5.9+dfsg/Zend/zend_vm_execute.h:363
#11 0x00000000006dd559 in dtrace_execute_ex (execute_data=<optimized out>) at /build/buildd/php5-5.5.9+dfsg/Zend/zend_dtrace.c:73
#12 0x00000000006eefe0 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /build/buildd/php5-5.5.9+dfsg/Zend/zend.c:1316
#13 0x000000000068eec5 in php_execute_script (primary_file=primary_file@entry=0x7fffefa38ad0)
    at /build/buildd/php5-5.5.9+dfsg/main/main.c:2506
#14 0x0000000000463b00 in main (argc=<optimized out>, argv=<optimized out>) at /build/buildd/php5-5.5.9+dfsg/sapi/fpm/fpm/fpm_main.c:1933

Line 2271 is this switch statement:

                YYDEBUG(121, *YYCURSOR);
                YYFILL(16);
                yych = *YYCURSOR;
		YYDEBUG(-1, yych);
2271            switch (yych) {
                case 0x00:
                case 0x01:
                case 0x02:
		case 0x03:


This bug is marked duplicate, but all of the referenced bugs also appear to be marked duplicate.

The error does not happen on every request, but occurs several ten or so times a day on our webserver. The file being compiled is "/var/www/include/include.php", which is included on every request, so there does not appear to be anything special about the requests that are failing (usually it is just a GET request for a static page that's parsed through PHP).
 [2015-12-21 11:39 UTC] mfractal at gmail dot com
I am seeing similar behaviour in PHP 7.0.1 as well:

[New LWP 30950]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool www                                                          '.
Program terminated with signal SIGBUS, Bus error.
#0  0x0000000000746e13 in lex_scan ()
(gdb) bt
#0  0x0000000000746e13 in lex_scan ()
#1  0x000000000075958b in zendlex ()
#2  0x000000000073dd5e in zendparse ()
#3  0x000000000074181b in compile_file ()
#4  0x00000000007673c2 in dtrace_compile_file ()
#5  0x00000000005d3b83 in ?? ()
#6  0x0000000000741a05 in compile_filename ()
#7  0x00000000007f7c37 in ?? ()
#8  0x00000000007b205b in execute_ex ()
#9  0x0000000000767439 in dtrace_execute_ex ()
#10 0x00000000007eed70 in ?? ()
#11 0x00000000007b205b in execute_ex ()
#12 0x0000000000767439 in dtrace_execute_ex ()
#13 0x00000000007eed70 in ?? ()
#14 0x00000000007b205b in execute_ex ()
#15 0x0000000000767439 in dtrace_execute_ex ()
#16 0x00000000007eed70 in ?? ()
#17 0x00000000007b205b in execute_ex ()
#18 0x0000000000767439 in dtrace_execute_ex ()
#19 0x0000000000768d2c in zend_call_function ()
#20 0x0000000000792124 in zend_call_method ()
#21 0x00000000007ac0d2 in ?? ()
#22 0x00000000007b2292 in ?? ()
#23 0x00000000007b205b in execute_ex ()
---Type <return> to continue, or q <return> to quit---
#24 0x0000000000767439 in dtrace_execute_ex ()
#25 0x0000000000768d2c in zend_call_function ()
#26 0x0000000000792124 in zend_call_method ()
#27 0x00000000007aa37c in ?? ()
#28 0x00000000007ab804 in zend_std_read_property ()
#29 0x00000000007b52e1 in ?? ()
#30 0x00000000007b205b in execute_ex ()
#31 0x0000000000767439 in dtrace_execute_ex ()
#32 0x00000000007eed70 in ?? ()
#33 0x00000000007b205b in execute_ex ()
#34 0x0000000000767439 in dtrace_execute_ex ()
#35 0x00000000007eed70 in ?? ()
#36 0x00000000007b205b in execute_ex ()
#37 0x0000000000767439 in dtrace_execute_ex ()
#38 0x00000000007eed70 in ?? ()
#39 0x00000000007b205b in execute_ex ()
#40 0x0000000000767439 in dtrace_execute_ex ()
#41 0x00000000007facdf in zend_execute ()
#42 0x0000000000776a74 in zend_execute_scripts ()
#43 0x000000000071a9e8 in php_execute_script ()
#44 0x00000000004789bc in main ()
 [2016-02-24 11:10 UTC] bwoebi@php.net
-Status: Duplicate +Status: Re-Opened
 [2016-02-24 11:10 UTC] bwoebi@php.net
This had been marked as duplicate of itself … reopening.
 [2016-12-16 21:41 UTC] nikic@php.net
-Status: Re-Opened +Status: Verified
 [2016-12-16 21:41 UTC] nikic@php.net
I can repro using the script provided by paulgao

    <?php
    file_put_contents(__DIR__ . '/test.tpl', 'AAA<?php $string = "'. str_repeat('A', mt_rand(1, 256 * 1024)) .'"; ?>BBB' . "\r\n");
    require_once __DIR__ . '/test.tpl';

together with

    for ((n=0;n<100;n++)); do sapi/cli/php test.php & done

A few of the PHP processes will trigger a SIGBUS.

The issue here seems pretty clear. We are mmap()ing the file. While the file is mapped, it is modified, resulting in an effective ftruncate(). Here is what the man page for ftruncate() has to say on the topic:

> If the effect of ftruncate() is to decrease the size of a shared memory object or memory mapped file and whole pages beyond the new end were previously mapped, then the whole pages beyond the new end shall be discarded.
> 
> If the Memory Protection option is supported, references to discarded pages shall result in the generation of a SIGBUS signal; otherwise, the result of such references is undefined.

This is precisely what we are observing here.

I don't think there is any good way of fixing this short of dropping the mmap() and reading the file into memory instead (which we already do in the fallback code).
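The failure mode described in the comment above, reduced to a stand-alone C program (an added example, not code from PHP or from this thread): a file is truncated while mapped, and the same truncation is repeated against a copy read into heap memory. The temp file name, the sizes, the function names and the choice of a read-only MAP_PRIVATE mapping are assumptions made for the illustration.

```c
/* Added example (not PHP source code): truncating a file that is still
 * mapped makes later reads of the mapping raise SIGBUS, while a copy made
 * with pread() stays valid. File name and sizes are constructed. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create an unlinked temp file holding four pages of 'A' (constructed input). */
static int make_file(size_t *len_out)
{
    char path[] = "/tmp/mmap_truncate_demo_XXXXXX";
    size_t len = (size_t)sysconf(_SC_PAGESIZE) * 4;
    char *fill = malloc(len);
    int fd = fill ? mkstemp(path) : -1;
    if (fd >= 0) {
        unlink(path);                       /* data lives until close(fd) */
        memset(fill, 'A', len);
        if (write(fd, fill, len) != (ssize_t)len) { close(fd); fd = -1; }
    }
    free(fill);
    *len_out = len;
    return fd;
}

/* Map the file, shrink it to zero bytes (the effect a concurrent rewrite
 * has), then read the mapping in a child process. Returns the signal that
 * killed the child, 0 if the read succeeded, -1 on setup failure. */
int signal_reading_mapping_after_truncate(void)
{
    size_t len;
    int status = 0, rc = -1, fd = make_file(&len);
    if (fd < 0) return -1;
    volatile const char *map = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    pid_t pid = ftruncate(fd, 0) == 0 ? fork() : -1;
    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core);   /* no core file from the demo */
        _exit(map[len - 1] == 'A' ? 0 : 1); /* page now lies beyond EOF */
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid)
        rc = WIFSIGNALED(status) ? WTERMSIG(status) : 0;
    munmap((void *)map, len);
    close(fd);
    return rc;
}

/* Same truncation, but the content was first copied into heap memory, the
 * direction the comment above proposes. Returns 1 if the copy is intact. */
int copy_intact_after_truncate(void)
{
    size_t len, got = 0;
    int fd = make_file(&len);
    char *buf = fd >= 0 ? malloc(len) : NULL;
    while (buf && got < len) {
        ssize_t n = pread(fd, buf + got, len - got, (off_t)got);
        if (n <= 0) break;  /* a shrinking file gives a short read, not a signal */
        got += (size_t)n;
    }
    int ok = buf && got == len && ftruncate(fd, 0) == 0
             && buf[0] == 'A' && buf[len - 1] == 'A';
    free(buf);
    if (fd >= 0) close(fd);
    return ok;
}

int main(void)
{
    int sig = signal_reading_mapping_after_truncate();
    printf("mapped read after truncate: %s\n",
           sig == SIGBUS ? "killed by SIGBUS" : sig == 0 ? "ok" : "other");
    printf("heap copy after truncate:   %s\n",
           copy_intact_after_truncate() ? "intact" : "damaged");
    return 0;
}
```

The mapped read runs in a child process so that the signal can be observed through waitpid() instead of ending the program.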
 [2017-02-22 13:44 UTC] ironsmile at gmail dot com
You can actually hit this bug when you are not in a position to do anything about it. For example, my organisation is using Codeception and Paracept for running our tests. Every now and then a testing process would fail because of this bug. Save for abandoning the whole testing framework one cannot do anything about it and have to accept false negatives. And this because PHP is indeterministic and its processes fail from time to time. Surely, this can be easily fixed!

For what it's worth, here is a back trace from a failure in our environment, which is 64bit CentOS 7.3.1611:

#0  0x00007f2097dd86ed in lex_scan ()
#1  0x00007f2097df7062 in zendlex ()
#2  0x00007f2097dd1956 in zendparse ()
#3  0x00007f2097dd6f5b in compile_file ()
#4  0x00007f2097dfd12a in dtrace_compile_file ()
#5  0x00007f2085d7bc9a in phar_compile_file () from /usr/lib64/php/modules/phar.so
#6  0x00007f2097ec08b3 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER ()
#7  0x00007f2097e39e68 in execute_ex ()
#8  0x00007f2097dfd1a9 in dtrace_execute_ex ()
#9  0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#10 0x00007f2097e39e68 in execute_ex ()
#11 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#12 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#13 0x00007f2097e39e68 in execute_ex ()
#14 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#15 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#16 0x00007f2097e39e68 in execute_ex ()
#17 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#18 0x00007f2097dff571 in zend_call_function ()
#19 0x00007f2097e261a8 in zend_call_method ()
#20 0x00007f2097d0e3aa in zif_spl_autoload_call ()
#21 0x00007f2097dfd2cb in dtrace_execute_internal ()
#22 0x00007f2097dff710 in zend_call_function ()
#23 0x00007f2097dffe92 in zend_lookup_class_ex ()
#24 0x00007f2097e005f0 in zend_fetch_class_by_name ()
#25 0x00007f2097e48362 in ZEND_ADD_TRAIT_SPEC_HANDLER ()
#26 0x00007f2097e39e68 in execute_ex ()
#27 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#28 0x00007f2097ec0980 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER ()
#29 0x00007f2097e39e68 in execute_ex ()
#30 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#31 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#32 0x00007f2097e39e68 in execute_ex ()
#33 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#34 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#35 0x00007f2097e39e68 in execute_ex ()
#36 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#37 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#38 0x00007f2097e39e68 in execute_ex ()
#39 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#40 0x00007f2097dff571 in zend_call_function ()
#41 0x00007f2097e261a8 in zend_call_method ()
#42 0x00007f2097d0e3aa in zif_spl_autoload_call ()
#43 0x00007f2097dfd2cb in dtrace_execute_internal ()
#44 0x00007f2097dff710 in zend_call_function ()
#45 0x00007f2097dffe92 in zend_lookup_class_ex ()
#46 0x00007f2097e20c48 in zif_get_class_methods ()
#47 0x00007f2097dfd2cb in dtrace_execute_internal ()
#48 0x00007f2097ec2160 in zend_do_fcall_common_helper_SPEC ()
#49 0x00007f2097e39e68 in execute_ex ()
#50 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#51 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#52 0x00007f2097e39e68 in execute_ex ()
#53 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#54 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#55 0x00007f2097e39e68 in execute_ex ()
#56 0x00007f2097dfd1a9 in dtrace_execute_ex ()
---Type <return> to continue, or q <return> to quit---
#57 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#58 0x00007f2097e39e68 in execute_ex ()
#59 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#60 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#61 0x00007f2097e39e68 in execute_ex ()
#62 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#63 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#64 0x00007f2097e39e68 in execute_ex ()
#65 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#66 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#67 0x00007f2097e39e68 in execute_ex ()
#68 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#69 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#70 0x00007f2097e39e68 in execute_ex ()
#71 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#72 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#73 0x00007f2097e39e68 in execute_ex ()
#74 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#75 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#76 0x00007f2097e39e68 in execute_ex ()
#77 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#78 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#79 0x00007f2097e39e68 in execute_ex ()
#80 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#81 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#82 0x00007f2097e39e68 in execute_ex ()
#83 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#84 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#85 0x00007f2097e39e68 in execute_ex ()
#86 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#87 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#88 0x00007f2097e39e68 in execute_ex ()
#89 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#90 0x00007f2097ec27cb in zend_do_fcall_common_helper_SPEC ()
#91 0x00007f2097e39e68 in execute_ex ()
#92 0x00007f2097dfd1a9 in dtrace_execute_ex ()
#93 0x00007f2097e0f45b in zend_execute_scripts ()
#94 0x00007f2097dacb02 in php_execute_script ()
#95 0x00007f2097ec4198 in do_cli ()
#96 0x00007f2097c437ea in main ()
 [2017-05-14 17:16 UTC] pollita@php.net
Wouldn't acquiring a shared lock work here? We only lex when including an uncached file, so the extra flock() hit would be negligible over time (except for scripts like this which void assumptions about file permanence, obviously).
 [2017-06-02 14:12 UTC] blazej dot adamczyk at gmail dot com
+1 for the flock. 

Alternatively, another way would be to handle the SIGBUS and recover from such a situation.
 [2017-06-09 19:17 UTC] zac at sprackett dot com
Hi Pollita,

We're running the IUS package of 5.6.30 (https://github.com/iuscommunity-pkg/php56u/blob/master/SPECS/php56u.spec) and are seeing the following backtrace:



(gdb) bt
#0 lex_scan (zendlval=0x7ffcfe165598) at Zend/zend_language_scanner.c:1082
#1 0x00000000005c57e0 in zendlex (zendlval=0x7ffcfe165590)
at /usr/src/debug/php-5.6.30/Zend/zend_compile.c:6919
#2 0x00000000005ac9a3 in zendparse ()
at /usr/src/debug/php-5.6.30/Zend/zend_language_parser.c:3732
#3 0x00000000005b95f5 in compile_file (file_handle=0x7ffcfe165920,
type=<value optimized out>) at Zend/zend_language_scanner.l:586
#4 0x00000000005d96ea in dtrace_compile_file (file_handle=0x7ffcfe165920,
type=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:40
#5 0x00007f9dcff71b02 in phar_compile_file (file_handle=0x7ffcfe165920,
type=2) at /usr/src/debug/php-5.6.30/ext/phar/phar.c:3370
#6 0x00000000005b8c6e in compile_filename (type=2, filename=0x83bdd78)
at Zend/zend_language_scanner.l:629
#7 0x0000000000657683 in ZEND_INCLUDE_OR_EVAL_SPEC_VAR_HANDLER (
execute_data=0x7f9de0a7abf0)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:13753
#8 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a7abf0)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#9 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a7abf0)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#10 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#11 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a7a640)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#12 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a7a640)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#13 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#14 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a79de0)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#15 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a79de0)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#16 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#17 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a77ab0)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#18 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a77ab0)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#19 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#20 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a779c0)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#21 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a779c0)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#22 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#23 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a778d0)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#24 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a778d0)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#25 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#26 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a777d0)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#27 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a777d0)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#28 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#29 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a775e8)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#30 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a775e8)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#31 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#32 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a76800)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#33 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a76800)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#34 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#35 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a76220)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#36 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a76220)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#37 0x00000000006583c9 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (
execute_data=0x7f9de0a745e8)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:3026
#38 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a745e8)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#39 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a745e8)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#40 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#41 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a74278)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#42 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a74278)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#43 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#44 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a73418)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#45 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a73418)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#46 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#47 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a72bf8)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#48 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a72bf8)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#49 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#50 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a725a0)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#51 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a725a0)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#52 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#53 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a71250)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#54 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a71250)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#55 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#56 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a70f78)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#57 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a70f78)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#58 0x0000000000669054 in zend_do_fcall_common_helper_SPEC (
execute_data=<value optimized out>)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:592
#59 0x00000000006584b8 in execute_ex (execute_data=0x7f9de0a70898)
at /usr/src/debug/php-5.6.30/Zend/zend_vm_execute.h:363
#60 0x00000000005d95be in dtrace_execute_ex (execute_data=0x7f9de0a70898)
at /usr/src/debug/php-5.6.30/Zend/zend_dtrace.c:73
#61 0x00000000005e8d6c in zend_execute_scripts (type=8, retval=0x0,
file_count=2) at /usr/src/debug/php-5.6.30/Zend/zend.c:1341
#62 0x0000000000586965 in php_execute_script (primary_file=0x7ffcfe169ea0)
at /usr/src/debug/php-5.6.30/main/main.c:2610
#63 0x0000000000690b86 in do_cli (argc=11, argv=0x2335510)
at /usr/src/debug/php-5.6.30/sapi/cli/php_cli.c:998
#64 0x0000000000691318 in main (argc=11, argv=0x2335510)
at /usr/src/debug/php-5.6.30/sapi/cli/php_cli.c:1382
 [2017-06-09 19:28 UTC] pollita@php.net
It seems to be over-allocating on the stack.
Let's see if we can narrow the problem down to finding the file that's causing the problem.

In gdb, jump to frame 5 and print file_handle as well as file_handle->filename and file_handle->opened_path

(gdb) f 5
(gdb) p file_handle
(gdb) p file_handle->filename
(gdb) p file_handle->opened_path
 [2017-06-10 00:25 UTC] zac at sprackett dot com
If I run two copies of the script below at once it happens pretty much instantly.  It's also reproducible under php7.1.5:

<?php
while(true) {
    file_put_contents(__DIR__ . '/test.tpl', 'AAA<?php $string = "'. str_repeat('A', mt_rand(1, 256 * 1024)) .'"; ?>BBB' . "\r\n");
    require __DIR__ . '/test.tpl';
}


* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=10, address=0x102a79000)
  * frame #0: 0x000000010037243f php`lex_scan + 996
    frame #1: 0x0000000100388317 php`zendlex + 71
    frame #2: 0x000000010036d737 php`zendparse + 207
    frame #3: 0x0000000100371710 php`zend_compile + 103
    frame #4: 0x0000000100371656 php`compile_file + 55
    frame #5: 0x0000000100225d59 php`phar_compile_file + 267
    frame #6: 0x00000001012b16c3 xdebug.so`xdebug_compile_file + 12
    frame #7: 0x0000000100371899 php`compile_filename + 147
    frame #8: 0x00000001004342da php`zend_include_or_eval + 260
    frame #9: 0x00000001003fafe0 php`ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER + 40
    frame #10: 0x00000001003e2569 php`execute_ex + 56
    frame #11: 0x00000001012b1e7e xdebug.so`xdebug_execute_ex + 1927
    frame #12: 0x00000001003e27c7 php`zend_execute + 537
    frame #13: 0x00000001003a7415 php`zend_execute_scripts + 285
    frame #14: 0x000000010034fded php`php_execute_script + 611
    frame #15: 0x000000010043d3f1 php`do_cli + 3698
    frame #16: 0x000000010043c3f4 php`main + 1195
    frame #17: 0x00007fffbd01c515 libdyld.dylib`start + 1
    frame #18: 0x00007fffbd01c515 libdyld.dylib`start + 1
 [2017-06-14 15:59 UTC] zac at sprackett dot com
Anyone have any ideas?  This is a pretty long-standing bug that is still evident in current PHP.  We're getting hit by it pretty hard in production so I'm interested in any options possible.  In the meantime, I've had to hack up PHP not to use mmap() for file I/O.
 [2017-06-21 17:56 UTC] zac at sprackett dot com
This patch seems to help in my case.


diff -ruN php-5.6.30/Zend/zend_language_scanner.c php-5.6.30.patched/Zend/zend_language_scanner.c
--- php-5.6.30/Zend/zend_language_scanner.c	2017-01-18 19:17:47.000000000 -0500
+++ php-5.6.30.patched/Zend/zend_language_scanner.c	2017-06-21 13:18:53.000000000 -0400
@@ -125,6 +125,14 @@
 
 BEGIN_EXTERN_C()
 
+#ifndef _WIN32
+static sigjmp_buf sigbus_jmpbuf;
+static void sigbus_handler (int sig, siginfo_t *siginfo, void *ptr)
+{
+  siglongjmp(sigbus_jmpbuf, 1);
+}
+#endif
+
 static size_t encoding_filter_script_to_internal(unsigned char **to, size_t *to_length, const unsigned char *from, size_t from_length TSRMLS_DC)
 {
 	const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding(TSRMLS_C);
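Review bot: sigbus_jmpbuf is a single file-scope static, so in a thread-safe build (the neighbouring function already takes TSRMLS_DC) two threads compiling at the same time would share one jump buffer, and a SIGBUS in one could siglongjmp() into the other's frame. Make the buffer per-thread state. The hunk also uses sigjmp_buf and siginfo_t without adding includes for <setjmp.h> and <signal.h> in the visible lines, so it depends on them arriving through other headers.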
@@ -580,6 +588,36 @@
 		}
 		compilation_successful=0;
 	} else {
+#ifndef _WIN32
+    struct sigaction sigbus_signal;
+    struct sigaction old_sigbus_signal;
+
+    memset(&sigbus_signal, 0, sizeof(sigbus_signal));
+    memset(&old_sigbus_signal, 0, sizeof(old_sigbus_signal));
+    sigbus_signal.sa_sigaction = sigbus_handler;
+    sigbus_signal.sa_flags = SA_SIGINFO;
+#endif
+
+#if defined(ZEND_SIGNALS) && !defined(_WIN32)
+    zend_try { zend_sigaction(SIGBUS, &sigbus_signal, &old_sigbus_signal TSRMLS_CC); } zend_end_try();
+#elif !defined(_WIN32)
+    sigaction(SIGBUS, &sigbus_signal, &old_sigbus_signal);
+#endif
+
+#ifndef _WIN32
+    if (sigsetjmp(sigbus_jmpbuf, 1)) {
+			if (file_handle->type != ZEND_HANDLE_STREAM) {
+				file_handle->type = ZEND_HANDLE_STREAM;
+			}
+    }
+#endif
+
 		init_op_array(op_array, ZEND_USER_FUNCTION, INITIAL_OP_ARRAY_SIZE TSRMLS_CC);
 		CG(in_compilation) = 1;
 		CG(active_op_array) = op_array;
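Review bot: when sigsetjmp() returns non-zero, the block only sets file_handle->type to ZEND_HANDLE_STREAM and then falls through to init_op_array() on the same op_array and on into the compile, with nothing in the visible lines that resets the scanner or re-reads the file, so recovery continues from half-finished state. The recovery branch should tear down and restart explicitly, or fail the compile cleanly. The inner `if (file_handle->type != ZEND_HANDLE_STREAM)` guard is redundant, and the added lines mix space and tab indentation where the context lines use tabs.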
@@ -592,6 +630,13 @@
 			zend_bailout();
 		}
 		compilation_successful=1;
+
+#if defined(ZEND_SIGNALS) && !defined(_WIN32)
+  zend_try { zend_sigaction(SIGBUS, &old_sigbus_signal, 0 TSRMLS_CC); } zend_end_try();
+#elif !defined(_WIN32)
+  sigaction(SIGBUS, &old_sigbus_signal, 0);
+#endif
+
 	}
 
 	if (retval) {
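Review bot: the previous SIGBUS disposition is restored only after `compilation_successful=1;`, so the `zend_bailout();` path just above it leaves sigbus_handler installed with a jump buffer that refers to a frame that has already been left, and a later SIGBUS would siglongjmp() into a dead stack frame. Restore the old handler on every exit from the block, and pass NULL instead of 0 for the unused third argument.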
diff -ruN php-5.6.30/Zend/zend_language_scanner.l php-5.6.30.patched/Zend/zend_language_scanner.l
--- php-5.6.30/Zend/zend_language_scanner.l	2017-01-18 19:17:47.000000000 -0500
+++ php-5.6.30.patched/Zend/zend_language_scanner.l	2017-06-21 13:18:38.000000000 -0400
@@ -123,6 +123,14 @@
 
 BEGIN_EXTERN_C()
 
+#ifndef _WIN32
+static sigjmp_buf sigbus_jmpbuf;
+static void sigbus_handler (int sig, siginfo_t *siginfo, void *ptr)
+{
+	siglongjmp(sigbus_jmpbuf, 1);
+}
+#endif
+ 
 static size_t encoding_filter_script_to_internal(unsigned char **to, size_t *to_length, const unsigned char *from, size_t from_length TSRMLS_DC)
 {
 	const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding(TSRMLS_C);
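Review bot: sigbus_handler ignores both sig and siginfo, so it cannot tell a fault inside the mapped script from any other bus error in the process; check siginfo->si_addr against the mapped range and fall back to the previous handler otherwise. zend_language_scanner.c is generated from this .l file by re2c, so the hand edits to the .c earlier in the patch duplicate this hunk and will diverge on regeneration; patch only the .l and regenerate. The added line after `#endif` carries a trailing space.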
@@ -578,6 +586,34 @@
 		}
 		compilation_successful=0;
 	} else {
+#ifndef _WIN32
+		struct sigaction sigbus_signal;
+		struct sigaction old_sigbus_signal;
+
+		memset(&sigbus_signal, 0, sizeof(sigbus_signal));
+		memset(&old_sigbus_signal, 0, sizeof(old_sigbus_signal));
+		sigbus_signal.sa_sigaction = sigbus_handler;
+		sigbus_signal.sa_flags = SA_SIGINFO;
+#endif
+
+#if defined(ZEND_SIGNALS) && !defined(_WIN32)
+		zend_try { zend_sigaction(SIGBUS, &sigbus_signal, &old_sigbus_signal TSRMLS_CC); } zend_end_try();
+#elif !defined(_WIN32)
+		sigaction(SIGBUS, &sigbus_signal, &old_sigbus_signal);
+#endif
+
+#ifndef _WIN32
+		if (sigsetjmp(sigbus_jmpbuf, 1)) {
+			file_handle->type = ZEND_HANDLE_STREAM;
+		}
+#endif
+
 		init_op_array(op_array, ZEND_USER_FUNCTION, INITIAL_OP_ARRAY_SIZE TSRMLS_CC);
 		CG(in_compilation) = 1;
 		CG(active_op_array) = op_array;
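Review bot: nothing bounds the recovery at `if (sigsetjmp(sigbus_jmpbuf, 1))`: every SIGBUS raised during the compile jumps back here and starts over, so a fault that persists after the switch to ZEND_HANDLE_STREAM would loop. Record that the fallback has been taken once and bail out on a second signal. This copy also drops the `file_handle->type != ZEND_HANDLE_STREAM` check present in the .c hunk; the two files should carry the same logic.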
@@ -590,6 +626,12 @@
 			zend_bailout();
 		}
 		compilation_successful=1;
+
+#if defined(ZEND_SIGNALS) && !defined(_WIN32)
+		zend_try { zend_sigaction(SIGBUS, &old_sigbus_signal, 0 TSRMLS_CC); } zend_end_try();
+#elif !defined(_WIN32)
+		sigaction(SIGBUS, &old_sigbus_signal, 0);
+#endif
 	}
 
 	if (retval) {
 [2017-06-25 23:46 UTC] zac at sprackett dot com
Patch for php 5.6.30 is here:

https://gist.github.com/zsprackett/8197f0242040c2e43d8d800521f09e22
 [2018-05-28 19:42 UTC] poonandrew88 at hotmail dot com
Also reproducible on Amazon Linux PHP 5.6.36. Our production httpds also crash every day.
 [2018-07-10 12:04 UTC] maroszek at gmx dot net
This is still an issue on PHP 7.2 on any Linux system we use. (We are using embed SAPI with disable-zend-signals)

Is there anything I can do to help tackle the issue? Can we update the version information to PHP 7.2?
 [2019-07-16 13:48 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5161cebe28cca36fa7f7989b5a799290a3f1eb6a
Log: Fix bug #52752 by not using mmap() to lex files
 [2019-07-16 13:48 UTC] nikic@php.net
-Status: Verified +Status: Closed
 [2021-10-05 21:40 UTC] mthomas at rawnet dot com
php7.2 - This seems to be related for us also: if a file that is read and removed in the same PID process ends up with a nil pointer reference in memory, the process crashes with the same Signal 7. I can see this has been fixed in php7.4, but it would be nice if this could be backported.
 [2021-10-06 07:40 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2021-10-06 07:40 UTC] nikic@php.net
PHP 7.2 is no longer supported, so nothing can be backported to that version.
 