php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #64720 SegFault on zend_deactivate
Submitted: 2013-04-26 10:44 UTC Modified: 2013-05-23 07:15 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:3 (100.0%)
From: d dot ananyev at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.4.10 OS: CentOS release 6.4 (Final)
Private report: No CVE-ID: None
 [2013-04-26 10:44 UTC] d dot ananyev at gmail dot com
Description:
------------
Every approximately 30 minutes i got segfaults in php-fpm 
Debuginfo gives me the following trace

Core was generated by `php-fpm: pool www                                                             
'.
Program terminated with signal 11, Segmentation fault.
#0  _zend_mm_free_int (heap=0x1c39330, p=0x23671b8) at /usr/build/php-
5.4.10/php-5.4.10/Zend/zend_alloc.c:2100
2100            if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
Missing separate debuginfos, use: debuginfo-install cairo-1.8.8-3.1.el6.x86_64 
fftw-3.2.1-3.1.el6.x86_64 lcms-libs-1.19-1.el6.x86_64 libc-client-2007e-
11.el6.x86_64 libidn-1.18-2.el6.x86_64 libmcrypt-2.5.8-9.el6.x86_64 librabbitmq-
0.2-0.1.git2059570.el6.remi.x86_64 libtool-ltdl-2.2.6-15.5.el6.x86_64 sqlite-
3.6.20-1.el6.x86_64 xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_64
(gdb) bt
#0  _zend_mm_free_int (heap=0x1c39330, p=0x23671b8) at /usr/build/php-
5.4.10/php-5.4.10/Zend/zend_alloc.c:2100
#1  0x00000000007116d7 in _zval_dtor (zval_ptr=0x29076d8) at /usr/build/php-
5.4.10/php-5.4.10/Zend/zend_variables.h:35
#2  _zval_ptr_dtor (zval_ptr=0x29076d8) at /usr/build/php-5.4.10/php-
5.4.10/Zend/zend_execute_API.c:438
#3  0x00000000007163af in cleanup_user_class_data (pce=<value optimized out>) at 
/usr/build/php-5.4.10/php-5.4.10/Zend/zend_opcode.c:165
#4  zend_cleanup_user_class_data (pce=<value optimized out>) at /usr/build/php-
5.4.10/php-5.4.10/Zend/zend_opcode.c:198
#5  0x000000000072b944 in zend_hash_reverse_apply (ht=0x1c39c90, 
apply_func=0x716340 <zend_cleanup_user_class_data>) at /usr/build/php-
5.4.10/php-5.4.10/Zend/zend_hash.c:799
#6  0x0000000000714156 in shutdown_executor () at /usr/build/php-5.4.10/php-
5.4.10/Zend/zend_execute_API.c:289
#7  0x000000000071f412 in zend_deactivate () at /usr/build/php-5.4.10/php-
5.4.10/Zend/zend.c:938
#8  0x00000000006c2a3c in php_request_shutdown (dummy=<value optimized out>) at 
/usr/build/php-5.4.10/php-5.4.10/main/main.c:1790
#9  0x00000000007d0d49 in main (argc=<value optimized out>, argv=<value 
optimized out>) at /usr/build/php-5.4.10/php-5.4.10/sapi/fpm/fpm/fpm_main.c:1948

server runs ~ 100 req/sec
it has 8Gb of ram
and 120 fpm workers
la = 0.5


Expected result:
----------------
dont segfault

Actual result:
--------------
[26-Apr-2013 14:30:19] WARNING: [pool www] child 15002 exited on signal 11 
(SIGSEGV - core dumped) after 1613.465551 seconds from start
[26-Apr-2013 14:30:19] NOTICE: [pool www] child 1423 started


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-04-26 10:47 UTC] d dot ananyev at gmail dot com
My opcache stats (screenshots)
https://drive.google.com/folderview?id=0B4F2-uZsSusnLWF0a2ZrQ2REUmc&usp=sharing
 [2013-04-26 13:10 UTC] d dot ananyev at gmail dot com
i'sorry we're using php-5.4.10 because not all modules can run on 5.4.14
 [2013-04-26 17:13 UTC] sixd@php.net
-Status: Open +Status: Feedback
 [2013-04-26 17:13 UTC] sixd@php.net
Where did you install opcache from?
Does the crash happen without opcache?
 [2013-04-26 17:43 UTC] d dot ananyev at gmail dot com
I installed OpCache from this link:
http://pecl.php.net/package/ZendOpcache/7.0.1

I'll check if it will be reproduced without opcode cache.
 [2013-04-26 18:39 UTC] sixd@php.net
If it is OPcache related, try using OPcache from https://github.com/zend-
dev/ZendOptimizerPlus.  This has various fixes that aren't yet in PECL.
 [2013-04-29 09:01 UTC] d dot ananyev at gmail dot com
We've got the same segfault trace without any opcode cache.

Core was generated by `php-fpm: pool www                                                             
'.
Program terminated with signal 11, Segmentation fault.
#0  _zend_mm_free_int (heap=0x1177330, p=0x17926c0) at /usr/build/php-
5.4.10/php-5.4.10/Zend/zend_alloc.c:2100
2100            if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
Missing separate debuginfos, use: debuginfo-install fftw-3.2.1-3.1.el6.x86_64 
lcms-libs-1.19-1.el6.x86_64 libc-client-2007e-11.el6.x86_64 libidn-1.18-
2.el6.x86_64 libmcrypt-2.5.8-9.el6.x86_64 librabbitmq-0.2-
0.1.git2059570.el6.remi.x86_64 libtool-ltdl-2.2.6-15.5.el6.x86_64 xz-libs-
4.999.9-0.3.beta.20091007git.el6.x86_64
(gdb) bt
#0  _zend_mm_free_int (heap=0x1177330, p=0x17926c0) at /usr/build/php-
5.4.10/php-5.4.10/Zend/zend_alloc.c:2100
#1  0x00000000007116d7 in _zval_dtor (zval_ptr=0x16beb60) at /usr/build/php-
5.4.10/php-5.4.10/Zend/zend_variables.h:35
#2  _zval_ptr_dtor (zval_ptr=0x16beb60) at /usr/build/php-5.4.10/php-
5.4.10/Zend/zend_execute_API.c:438
#3  0x00000000007163af in cleanup_user_class_data (pce=<value optimized out>) at 
/usr/build/php-5.4.10/php-5.4.10/Zend/zend_opcode.c:165
#4  zend_cleanup_user_class_data (pce=<value optimized out>) at /usr/build/php-
5.4.10/php-5.4.10/Zend/zend_opcode.c:198
#5  0x000000000072b944 in zend_hash_reverse_apply (ht=0x1177c90, 
apply_func=0x716340 <zend_cleanup_user_class_data>) at /usr/build/php-
5.4.10/php-5.4.10/Zend/zend_hash.c:799
#6  0x0000000000714156 in shutdown_executor () at /usr/build/php-5.4.10/php-
5.4.10/Zend/zend_execute_API.c:289
#7  0x000000000071f412 in zend_deactivate () at /usr/build/php-5.4.10/php-
5.4.10/Zend/zend.c:938
#8  0x00000000006c2a3c in php_request_shutdown (dummy=<value optimized out>) at 
/usr/build/php-5.4.10/php-5.4.10/main/main.c:1790
#9  0x00000000007d0d49 in main (argc=<value optimized out>, argv=<value 
optimized out>) at /usr/build/php-5.4.10/php-5.4.10/sapi/fpm/fpm/fpm_main.c:1948
 [2013-04-29 09:14 UTC] d dot ananyev at gmail dot com
It's not opcache related
 [2013-04-29 09:14 UTC] d dot ananyev at gmail dot com
-Status: Feedback +Status: Open -Package: opcache +Package: Reproducible crash -PHP Version: 5.4.14 +PHP Version: 5.4.10
 [2013-05-21 05:09 UTC] dmitry@php.net
Script to Reproduce
-------------------
<?php
class Stat {
    private static $requests;
    public static function getInstance() {
        if (!isset(self::$requests[1])) {
            self::$requests[1] = new self();
        }
        return self::$requests[1];
    }
    
    public function __destruct() {
        unset(self::$requests[1]);
    }
}

class Foo {
    public function __construct() {
        Stat::getInstance();
    }
}

class Error {
    private $trace;
    public function __construct() {
        $this->trace = debug_backtrace(1);
    }
}

class Bar {
    public function __destruct() {
        Stat::getInstance();
        new Error();
    }

    public function test() {
        new Error();
    }
}

$foo = new Foo();
$bar = new Bar();
$bar->test();
?>

The crash occurs because PHP tries to access static properties of class "Stat" after they are destroyed.

==22607== Invalid read of size 4
==22607==    at 0x84EA438: _zval_dtor_func (zend_variables.c:46)
==22607==    by 0x84DAA42: _zval_dtor (zend_variables.h:35)
==22607==    by 0x84DAAEF: i_zval_ptr_dtor (zend_execute.h:81)
==22607==    by 0x84DB851: _zval_ptr_dtor (zend_execute_API.c:428)
==22607==    by 0x84E032A: cleanup_user_class_data (zend_opcode.c:169)
==22607==    by 0x84E0419: zend_cleanup_user_class_data (zend_opcode.c:202)
==22607==    by 0x84FC771: zend_hash_reverse_apply (zend_hash.c:799)
==22607==    by 0x84DB4BE: shutdown_executor (zend_execute_API.c:289)
==22607==    by 0x84EC528: zend_deactivate (zend.c:939)
==22607==    by 0x84744D6: php_request_shutdown (main.c:1800)
==22607==    by 0x8585386: do_cli (php_cli.c:1176)
==22607==    by 0x8585B2F: main (php_cli.c:1377)
==22607==  Address 0x4949fa8 is 0 bytes inside a block of size 20 free'd
==22607==    at 0x4007F0F: free (vg_replace_malloc.c:446)
==22607==    by 0x84BFEA5: _efree (zend_alloc.c:2437)
==22607==    by 0x851CDEB: i_zval_ptr_dtor (zend_execute.h:82)
==22607==    by 0x8541EA6: ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:15900)
==22607==    by 0x8521499: execute_ex (zend_vm_execute.h:356)
==22607==    by 0x85214FD: zend_execute (zend_vm_execute.h:381)
==22607==    by 0x84DD3D5: zend_call_function (zend_execute_API.c:941)
==22607==    by 0x85080A9: zend_call_method (zend_interfaces.c:97)
==22607==    by 0x8515232: zend_objects_destroy_object (zend_objects.c:123)
==22607==    by 0x851B546: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:207)
==22607==    by 0x851B426: zend_objects_store_del_ref (zend_objects_API.c:173)
==22607==    by 0x84EA474: _zval_dtor_func (zend_variables.c:54)
 [2013-05-21 05:09 UTC] dmitry@php.net
-Summary: SegFault on zend_deactivate (php-fpm) +Summary: SegFault on zend_deactivate -Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2013-05-21 06:34 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2013-05-21 06:34 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=77fffff15762137e2d8173df9b733b4cb70fc996
Log: Fixed bug #64720 (SegFault on zend_deactivate)
 [2013-05-21 06:35 UTC] dmitry@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2013-05-21 06:35 UTC] dmitry@php.net
-Status: Closed +Status: Assigned
 [2013-05-23 07:15 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2013-05-23 07:15 UTC] dmitry@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2014-10-07 23:19 UTC] stas@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=77fffff15762137e2d8173df9b733b4cb70fc996
Log: Fixed bug #64720 (SegFault on zend_deactivate)
 [2014-10-07 23:30 UTC] stas@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=77fffff15762137e2d8173df9b733b4cb70fc996
Log: Fixed bug #64720 (SegFault on zend_deactivate)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 05:01:29 2024 UTC