php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75573 Segmentation fault in 7.1.12 and 7.0.26
Submitted: 2017-11-26 15:48 UTC Modified: 2017-12-10 18:48 UTC
From: manuel-php at mausz dot at Assigned: cmb (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1.12 OS: Linux
Private report: No CVE-ID: None
 [2017-11-26 15:48 UTC] manuel-php at mausz dot at
Description:
------------
After updating to 7.1.12 and 7.0.26 we noticed an increased rate in crashes across all our webservers. The crashes are somehow triggered by "NextGEN Gallery" and reverting https://github.com/php/php-src/commit/bc59289b7a25219ea2179554dc26c88e533250a5 + https://github.com/php/php-src/commit/98eee90734c4fabf3f3a3d4168576cb6b25ad9b1 fixed it.

Backtrace:
#0  zend_mm_alloc_small (bin_num=<optimized out>, size=<optimized out>, heap=0x7fe70d600040) at /tmp/php-7.0.26/fpm/Zend/zend_alloc.c:1318
#1  zend_mm_alloc_heap (size=<optimized out>, heap=0x7fe70d600040) at /tmp/php-7.0.26/fpm/Zend/zend_alloc.c:1389
#2  _emalloc (size=<optimized out>) at /tmp/php-7.0.26/fpm/Zend/zend_alloc.c:2477
#3  0x00000000007bf579 in zend_hash_real_init_ex (packed=<optimized out>, ht=0x7fe70b0ccd20) at /tmp/php-7.0.26/fpm/Zend/zend_hash.c:135
#4  zend_hash_check_init (packed=<optimized out>, ht=0x7fe70b0ccd20) at /tmp/php-7.0.26/fpm/Zend/zend_hash.c:163
#5  _zend_hash_index_add_or_update_i (flag=10, pData=0x10cb840 <executor_globals>, h=0, ht=0x7fe70b0ccd20) at /tmp/php-7.0.26/fpm/Zend/zend_hash.c:729
#6  _zend_hash_index_add_new (ht=ht@entry=0x7fe70b0ccd20, h=0, pData=pData@entry=0x10cb840 <executor_globals>) at /tmp/php-7.0.26/fpm/Zend/zend_hash.c:853
#7  0x000000000081c8f8 in zend_fetch_dimension_address_inner (type=1, dim_type=16, dim=<optimized out>, ht=<optimized out>) at /tmp/php-7.0.26/fpm/Zend/zend_execute.c:1572
#8  ZEND_ASSIGN_DIM_SPEC_VAR_CV_HANDLER () at /tmp/php-7.0.26/fpm/Zend/zend_vm_execute.h:20864
#9  0x00000000007eddf8 in execute_ex (ex=<optimized out>) at /tmp/php-7.0.26/fpm/Zend/zend_vm_execute.h:414
#10 0x00000000007a3285 in zend_call_function (fci=fci@entry=0x7ffe0e1640e0, fci_cache=0x7fe70d6d6da0, fci_cache@entry=0x0) at /tmp/php-7.0.26/fpm/Zend/zend_execute_API.c:867
#11 0x00000000007a3698 in call_user_function_ex (function_table=<optimized out>, object=object@entry=0x0, function_name=<optimized out>, retval_ptr=retval_ptr@entry=0x7ffe0e164170, param_count=<optimized out>, params=<optimized out>, 
    no_separation=no_separation@entry=1, symbol_table=symbol_table@entry=0x0) at /tmp/php-7.0.26/fpm/Zend/zend_execute_API.c:675
#12 0x00000000007a36d0 in call_user_function (function_table=<optimized out>, object=object@entry=0x0, function_name=<optimized out>, retval_ptr=retval_ptr@entry=0x7ffe0e164170, param_count=<optimized out>, params=<optimized out>)
    at /tmp/php-7.0.26/fpm/Zend/zend_execute_API.c:657
#13 0x00000000006ab7b2 in user_shutdown_function_call (zv=<optimized out>) at /tmp/php-7.0.26/fpm/ext/standard/basic_functions.c:4934
#14 0x00000000007c1f6d in zend_hash_apply (ht=0x7fe70d79a3b8, apply_func=apply_func@entry=0x6ab6dd <user_shutdown_function_call>) at /tmp/php-7.0.26/fpm/Zend/zend_hash.c:1537
#15 0x00000000006ae9ad in php_call_shutdown_functions () at /tmp/php-7.0.26/fpm/ext/standard/basic_functions.c:5018
#16 0x0000000000754595 in php_request_shutdown (dummy=dummy@entry=0x0) at /tmp/php-7.0.26/fpm/main/main.c:1804
#17 0x000000000048e07a in main (argc=<optimized out>, argv=<optimized out>) at /tmp/php-7.0.26/fpm/sapi/fpm/fpm/fpm_main.c:2066

PHP backtrace from core dump:
(gdb) dump_bt executor_globals.current_execute_data
[0x7fe70d618740] WP_Hook->apply_filters("", array(1)[0x7fe70d6187b0]) /path/to/wp-includes/class-wp-hook.php:271 
[0x7fe70d618680] WP_Hook->do_action(array(1)[0x7fe70d6186e0]) /path/to/wp-includes/class-wp-hook.php:310 
[0x7fe70d618330] do_action("shutdown") /path/to/wp-includes/plugin.php:453 
[0x7fe70d6182b0] shutdown_action_hook() /path/to/wp-includes/load.php:679 
[0x7ffe0e164040] ???



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-11-27 04:18 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2017-11-27 04:18 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2017-11-28 14:28 UTC] thomas at shadowweb dot org
I can confirm this issue - we are also experiencing massive amounts of segmentation faults of PHP processes after upgrading from 7.0.25 to 7.0.26 and from 7.1.11 to 7.1.12 across our servers.

Providing a simple testcase will be difficult, since this issue mainly seems to occur in lager CMS installations - I will try to narrow this down.

Rolling back to the previous PHP versions in the meantime.
 [2017-11-29 00:35 UTC] manuel-php at mausz dot at
So I spend some time tracing the crash and trying to copy the minimal object model. The script I've come up with has different btacktrace and only crashes about 1 out of 5 runs, but it's related as PHP with both commits reverted doesn't crash anymore.

Script:
-------
<?php

class A
{
  var $_stdObject;
  function initialize($properties = FALSE) {
    $this->_stdObject = $properties ? (object) $properties : new stdClass();
    parent::initialize();
  }
  function &__get($property)
  {
    if (isset($this->_stdObject->{$property})) {
      $retval =& $this->_stdObject->{$property};
      return $retval;
    } else {
      return NULL;
    }
  }
  function &__set($property, $value)
  {
    return $this->_stdObject->{$property} = $value;
  }
  function __isset($property_name)
  {
    return isset($this->_stdObject->{$property_name});
  }
}

class B extends A
{
  function initialize($properties = array())
  {
      parent::initialize($properties);
  }
  function &__get($property)
  {
    if (isset($this->settings) && isset($this->settings[$property])) {
      $retval =& $this->settings[$property];
      return $retval;
    } else {
      return parent::__get($property);
    }
  }
}

$b = new B();
$b->settings = [ "foo" => "bar", "name" => "abc" ];
var_dump($b->name);
var_dump($b->settings);
 [2017-11-29 06:54 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b9ba7b6bd9e24bdbeca8e8e3f24cee2fccc51d8
Log: Fixed bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)
 [2017-11-29 06:54 UTC] laruence@php.net
-Status: Feedback +Status: Closed
 [2017-11-29 18:32 UTC] post at minhost dot no
I applied this patch http://git.php.net/?p=php-src.git;a=commit;h=3b9ba7b6bd9e24bdbeca8e8e3f24cee2fccc51d8 to PHP 7.1.12 and it seems to have fixed the crashes I reported in Bug #75579

Can I also use this same patch for PHP 7.0.26, or must I wait for a modified patch for that PHP version?
 [2017-11-29 18:53 UTC] maunel-php at mausz dot at
@Xinchen: I'm unable to find the backport for the PHP 7.0 branch.
 [2017-11-29 21:47 UTC] rob-phpbugs at tigertech dot com
I agree that this patch solves the problem on PHP 7.1.12 in my testing.

It does seem that a different patch is needed for 7.0.26, though, as the logic appears to be slightly different.
 [2017-11-30 14:02 UTC] thomas at shadowweb dot org
This bug should be re-opened and the fix also applied to the 7.0 branch...

Patch for 7.0.26 looks like this:

--- Zend/zend_object_handlers.c.org     2017-11-21 12:57:10.000000000 +0100
+++ Zend/zend_object_handlers.c 2017-11-30 14:42:29.154940011 +0100
@@ -602,8 +602,8 @@
                        zval_ptr_dtor(&tmp_object);
                        goto exit;
                } else {
-                       zval_ptr_dtor(&tmp_object);
                        if (Z_STRVAL_P(member)[0] == '\0') {
+                               zval_ptr_dtor(&tmp_object);
                                if (Z_STRLEN_P(member) == 0) {
                                        zend_throw_error(NULL, "Cannot access empty property");
                                        retval = &EG(uninitialized_zval);

Thanks in advance
 [2017-11-30 15:02 UTC] post at minhost dot no
As I commented before, I applied the patch http://git.php.net/?p=php-src.git;a=commit;h=3b9ba7b6bd9e24bdbeca8e8e3f24cee2fccc51d8 and it seemed to fix the bug. However after testing more today, the bug is still present. I don't know if it is the same bug or not, I have filled a bug report here previous https://bugs.php.net/bug.php?id=75579 - anyway the patch did not work after all.

What happens is that after visiting about nine wordpress sites (wich by the way was auto-updating from wordpress 4.9 to 4.9.1), then interned strings used memory became full and sites started to go down with HTTP ERROR 500, and apache error log got lines like this:

[Thu Nov 30 15:40:40.273796 2017] [proxy_fcgi:error] [pid 17990:tid 140238684755712] [client 176.74.214.18:42343] AH01071: Got error 'PHP message: PHP Fatal error:  Cannot declare interface JsonSerializable, because the name is already in use in /home/USER/domains/DOMAIN.TLD/public_html/wp-includes/compat.php on line 428\n'

[Thu Nov 30 15:40:41.697018 2017] [proxy_fcgi:error] [pid 17990:tid 140238693148416] [client 176.74.214.18:52760] AH01071: Got error 'PHP message: PHP Fatal error:  Cannot declare interface JsonSerializable, because the name is already in use in /home/USER/domains/DOMAIN.TLD/public_html/wp-includes/compat.php on line 428\n'

In PHP info page it looks like this when interned strings used memory become full (and sites stop working!):

Interned Strings Used memory	4194288
Interned Strings Free memory	16

This is a completely show stoppper wich makes PHP 7.1.12 not usable. Some developers at PHP really need to take time to look deep into this now. It is a critical bug introduced in PHP 7.1.12 and (possibly 7.0.26) if you use opcache, wich forces you to stay on PHP 7.1.11 wich do not have this bug. Can someone at PHP please understand the seriousness in this?

Please study both this bug #75573 and my bug report #75579, they could be the same thing, or separate issues but somehow related.
 [2017-12-01 04:49 UTC] nyseplaya at gmail dot com
NextGen gallery worked on my site for months with 7.0.26  why is it suddenly a problem with the PHP?  I foolishly updated today without reading the disabling ability. How can I uninstall the latest update?
 [2017-12-01 11:29 UTC] remi@php.net
@laruence, as far as I can see this is only fixed in 7.1+

While 7.0.26 is also affected.
 [2017-12-04 10:53 UTC] ab@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d4dee4a6144ff12c6ac4b29968dda13eda406011
Log: Fixed bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)
 [2017-12-08 20:39 UTC] michael at imagely dot com
Any sense when this commit/patch will be released? Thanks, Mike.
 [2017-12-10 18:48 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2017-12-10 18:48 UTC] cmb@php.net
> Any sense when this commit/patch will be released?

The fix will be released with PHP 7.0.27, 7.1.13 and 7.2.1. The
PHP 7.0 and 7.1 releases are scheduled for January, 4th.
 [2017-12-11 13:25 UTC] hello at clicksus dot com
So can you make an update? You can adapt the plug-in to the current version.
 [2017-12-11 13:30 UTC] spam2 at rhsoft dot net
> So can you make an update?

you can download tarballs with every commit at any time in point
https://git.php.net/?p=php-src.git;a=shortlog;h=refs/heads/PHP-7.1
 [2018-07-24 18:25 UTC] levim@php.net
Did the unused initialize methods have some bearing on this bug?

Since `A` does not have a parent it would fatal if it were ever called. I'm adding compile-time warnings to uses of `parent` when there isn't one and ran across this bug, but since it's "fixed" I can't tell if removing the unused methods has any bearing.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 15:01:29 2024 UTC