Bug #77434 php-fpm workers are segfaulting in zend_gc_addref
Submitted: 2019-01-09 14:15 UTC Modified: 2019-01-10 09:29 UTC
From: bugs dot php dot net at mundpropaganda dot net Assigned: nikic (profile)
Status: Closed Package: opcache
PHP Version: 7.3Git-2019-01-09 (Git) OS: Archlinux
Private report: No CVE-ID: None
 [2019-01-09 14:15 UTC] bugs dot php dot net at mundpropaganda dot net
Description:
------------
So I created a snapshot from the current PHP-7.3 branch (as of c4c6b80) to try out the patches for #77289. While doing so I might have found another bug:

When I try to use the "Advanced Editor" plugin in the BBS software Vanilla with an empty cache (the app's internal caching engine, that is), the button row is missing. On subsequent hits to the same route the php-fpm workers are segfaulting.

Diff of the resulting HTML code with the missing button row of that first render:
https://gist.github.com/kkkrist/8741e7fb9a28c6196497602732a22e14

Related php code:
https://github.com/vanilla/vanilla/blob/Vanilla_2.6.4/plugins/editor/views/editor.php

Backtrace:
#0  0x00005647c1105df4 in zend_gc_addref (p=0x7f7df80f1e40) at /home/krist/tmp/php-7.3.2/Zend/zend_types.h:991
#1  0x00005647c1105f17 in zval_addref_p (pz=0x7f7dfaa87638) at /home/krist/tmp/php-7.3.2/Zend/zend_types.h:1025
#2  0x00005647c110cac0 in zend_fetch_dimension_address_read (result=0x7f7e0141ff30, container=0x7f7dfaa87338,
    dim=0x7f7e0141fe80, dim_type=8, type=0, support_strings=1, slow=0)
    at /home/krist/tmp/php-7.3.2/Zend/zend_execute.c:1945
#3  0x00005647c110d0d1 in zend_fetch_dimension_address_read_R (container=0x7f7dfaa87338, dim=0x7f7e0141fe80,
    dim_type=8) at /home/krist/tmp/php-7.3.2/Zend/zend_execute.c:2050
#4  0x00005647c11242c8 in ZEND_FETCH_DIM_R_SPEC_CONST_CV_HANDLER ()
    at /home/krist/tmp/php-7.3.2/Zend/zend_vm_execute.h:9941
#5  0x00005647c117f318 in execute_ex (ex=0x7f7e0141fc30)
    at /home/krist/tmp/php-7.3.2/Zend/zend_vm_execute.h:56351
#6  0x00005647c1091836 in zend_call_function (fci=0x7ffdd8c63bb0, fci_cache=0x7ffdd8c63b90)
    at /home/krist/tmp/php-7.3.2/Zend/zend_execute_API.c:756
#7  0x00005647c0ec535a in zif_call_user_func_array (execute_data=0x7f7e0141fbc0, return_value=0x7f7e0141fb90)
    at /home/krist/tmp/php-7.3.2/ext/standard/basic_functions.c:4942
#8  0x00005647c1111a4c in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER ()
    at /home/krist/tmp/php-7.3.2/Zend/zend_vm_execute.h:892
#9  0x00005647c117e511 in execute_ex (ex=0x7f7e0141f030)
    at /home/krist/tmp/php-7.3.2/Zend/zend_vm_execute.h:55433
#10 0x00005647c1183b03 in zend_execute (op_array=0x7f7e01479000, return_value=0x0)
    at /home/krist/tmp/php-7.3.2/Zend/zend_vm_execute.h:60833
#11 0x00005647c10a95da in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/krist/tmp/php-7.3.2/Zend/zend.c:1568
#12 0x00005647c100fa58 in php_execute_script (primary_file=0x7ffdd8c66320)
    at /home/krist/tmp/php-7.3.2/main/main.c:2630
#13 0x00005647c1196def in main (argc=3, argv=0x7ffdd8c667b8)
    at /home/krist/tmp/php-7.3.2/sapi/fpm/fpm/fpm_main.c:1950

Thanks for looking into it, it's greatly appreciated!

–Christian
History
 [2019-01-09 14:21 UTC] bugs dot php dot net at mundpropaganda dot net
Forgot to mention: when I disable opcache, the problem goes away. It also goes away when I downgrade back to PHP 7.2 (with opcache enabled).
 [2019-01-09 14:26 UTC] nikic@php.net
Does the problem go away if you set opcache.optimization_level=0?
 [2019-01-09 14:31 UTC] bugs dot php dot net at mundpropaganda dot net
Unfortunately it doesn't. It's exactly the same with opcache.optimization_level=0.
 [2019-01-09 14:35 UTC] nikic@php.net
In that case, does setting opcache.protect_memory=1 produce a different backtrace?
 [2019-01-09 14:48 UTC] bugs dot php dot net at mundpropaganda dot net
Oh, I'm sorry… The problem indeed goes away after I set "opcache.protect_memory=1". I hadn't reloaded php-fpm correctly before. 

The backtrace I get with opcache.protect_memory=1 follows:

#0  0x00007f7ddb598d7f in raise () from /usr/lib/libc.so.6
#1  0x00007f7ddb583672 in abort () from /usr/lib/libc.so.6
#2  0x00007f7ddb583548 in __assert_fail_base.cold.0 () from /usr/lib/libc.so.6
#3  0x00007f7ddb591396 in __assert_fail () from /usr/lib/libc.so.6
#4  0x000055a2619614f0 in rc_dtor_func (p=0x7f7ddad66d80) at /home/krist/tmp/php-7.3.2/Zend/zend_variables.c:64
#5  0x000055a261977277 in i_zval_ptr_dtor (zval_ptr=0x7f7dd20e0060,
    __zend_filename=0x55a2621cc210 "/home/krist/tmp/php-7.3.2/Zend/zend_hash.c", __zend_lineno=1491)
    at /home/krist/tmp/php-7.3.2/Zend/zend_variables.h:44
#6  0x000055a26197c072 in zend_array_destroy (ht=0x7f7dd213b480)
    at /home/krist/tmp/php-7.3.2/Zend/zend_hash.c:1491
#7  0x000055a261961694 in zend_array_destroy_wrapper (arr=0x7f7dd213b480)
    at /home/krist/tmp/php-7.3.2/Zend/zend_variables.c:90
#8  0x000055a26196151f in rc_dtor_func (p=0x7f7dd213b480) at /home/krist/tmp/php-7.3.2/Zend/zend_variables.c:65
#9  0x000055a261977277 in i_zval_ptr_dtor (zval_ptr=0x7f7ddad6c788,
    __zend_filename=0x55a2621cc210 "/home/krist/tmp/php-7.3.2/Zend/zend_hash.c", __zend_lineno=1487)
    at /home/krist/tmp/php-7.3.2/Zend/zend_variables.h:44
#10 0x000055a26197c034 in zend_array_destroy (ht=0x7f7dd213b5a0)
    at /home/krist/tmp/php-7.3.2/Zend/zend_hash.c:1487
#11 0x000055a261961694 in zend_array_destroy_wrapper (arr=0x7f7dd213b5a0)
    at /home/krist/tmp/php-7.3.2/Zend/zend_variables.c:90
#12 0x000055a26196151f in rc_dtor_func (p=0x7f7dd213b5a0) at /home/krist/tmp/php-7.3.2/Zend/zend_variables.c:65
#13 0x000055a261977277 in i_zval_ptr_dtor (zval_ptr=0x7f7dd213a620,
    __zend_filename=0x55a2621cc210 "/home/krist/tmp/php-7.3.2/Zend/zend_hash.c", __zend_lineno=1487)
    at /home/krist/tmp/php-7.3.2/Zend/zend_variables.h:44
#14 0x000055a26197c034 in zend_array_destroy (ht=0x7f7dd213b540)
    at /home/krist/tmp/php-7.3.2/Zend/zend_hash.c:1487
#15 0x000055a261961694 in zend_array_destroy_wrapper (arr=0x7f7dd213b540)
    at /home/krist/tmp/php-7.3.2/Zend/zend_variables.c:90
#16 0x000055a26196151f in rc_dtor_func (p=0x7f7dd213b540) at /home/krist/tmp/php-7.3.2/Zend/zend_variables.c:65
#17 0x000055a261977277 in i_zval_ptr_dtor (zval_ptr=0x7f7dd2131408,
    __zend_filename=0x55a2621cc210 "/home/krist/tmp/php-7.3.2/Zend/zend_hash.c", __zend_lineno=1487)
    at /home/krist/tmp/php-7.3.2/Zend/zend_variables.h:44
#18 0x000055a26197c034 in zend_array_destroy (ht=0x7f7dd213b4e0)
    at /home/krist/tmp/php-7.3.2/Zend/zend_hash.c:1487
#19 0x000055a261961694 in zend_array_destroy_wrapper (arr=0x7f7dd213b4e0)
    at /home/krist/tmp/php-7.3.2/Zend/zend_variables.c:90
#20 0x000055a26196151f in rc_dtor_func (p=0x7f7dd213b4e0) at /home/krist/tmp/php-7.3.2/Zend/zend_variables.c:65
#21 0x000055a2619b28e1 in i_zval_ptr_dtor (zval_ptr=0x7f7dd2136238,
    __zend_filename=0x55a2621d13c0 "/home/krist/tmp/php-7.3.2/Zend/zend_objects.c", __zend_lineno=55)
    at /home/krist/tmp/php-7.3.2/Zend/zend_variables.h:44
#22 0x000055a2619b2bbe in zend_object_std_dtor (object=0x7f7dd21361c0)
    at /home/krist/tmp/php-7.3.2/Zend/zend_objects.c:55
#23 0x000055a2619b9b0d in zend_objects_store_free_object_storage (objects=0x55a26237e568 <executor_globals+840>,
    fast_shutdown=0 '\000') at /home/krist/tmp/php-7.3.2/Zend/zend_objects_API.c:118
#24 0x000055a26194ba71 in shutdown_executor () at /home/krist/tmp/php-7.3.2/Zend/zend_execute_API.c:268
#25 0x000055a261963f7d in zend_deactivate () at /home/krist/tmp/php-7.3.2/Zend/zend.c:1104
#26 0x000055a2618ca496 in php_request_shutdown (dummy=0x0) at /home/krist/tmp/php-7.3.2/main/main.c:1926
#27 0x000055a261a52f3b in main (argc=3, argv=0x7ffdbd24e6e8)
 [2019-01-09 14:50 UTC] bugs dot php dot net at mundpropaganda dot net
I meant the problem goes away when I set "opcache.optimization_level=0" (checked twice, sorry again).
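The three opcache toggles used for triage in this thread, collected into one php.ini fragment as an added example (this is not part of the original report or of the PHP project's documentation). Each setting isolates a different layer: opcache as a whole, the optimizer passes (SCCP included) on their own, and writes into the shared-memory cache. The comments record what each outcome meant here; the "reload php-fpm" note comes from the reporter's own false negative above.

```ini
; Added example: opcache triage settings, not part of the original bug report.
; Apply ONE step at a time in the php-fpm pool's php.ini, then reload php-fpm
; (a pool that was not correctly reloaded gave a misleading answer in this thread).
; Revert each step before trying the next so the results are not confounded.

[opcache]
; Step 0: the configuration that crashes (opcache on, optimizer at its default level).
opcache.enable=1

; Step 1: does the crash vanish with opcache off entirely?
; Yes here -> the bug lives in opcache, not in the engine proper or the application.
;opcache.enable=0

; Step 2: opcache on, but every optimizer pass (SCCP included) turned off.
; Yes here -> suspect an optimizer pass rather than the shared-memory cache itself.
;opcache.optimization_level=0

; Step 3: make the shared memory read-only after compilation, so a write into
; cached opcodes or literals fails at the write site instead of silently
; corrupting data that only crashes somewhere else later (a different backtrace
; is itself useful information). Debugging aid only: it costs performance and is
; not meant for production.
;opcache.protect_memory=1

; For a command-line reproducer (php -d ... test.php) opcache must also be enabled for CLI:
;opcache.enable_cli=1
```

Run the application's failing route (or the reproducer) once per step and note which step makes the crash disappear or changes its backtrace; that ordering is what narrowed this report from "php-fpm segfaults" down to the optimizer in a single exchange.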
 [2019-01-10 09:00 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2019-01-10 09:00 UTC] nikic@php.net
I believe the issue is not in the template, but the code generating the data: https://github.com/vanilla/vanilla/blob/818e6a6dc387dd47a0a9fa78c6899aebf6ba7ecb/plugins/editor/class.editor.plugin.php#L323

For now I have this test case causing memory leaks in opcache:

<?php
// Reproducer: $a is only partially known to SCCP because 'b' depends on $x.
// $b[0] = $a stores that partial array inside $b, and $c = $b[0] reads it back,
// so $b itself ends up being embedded as a literal that contains a partial array.
function test(int $x) {
    $a = ['a' => 0, 'b' => $x];   // partial: "a" is constant, "b" is not
    $b = [];
    $b[0] = $a;                   // $b now contains the partial array
    $c = $b[0];                   // reads the partial array back out
}

SCCP value dump:

    #5.X4 = null
    #6.X4 = partial ["a" => int(0)]
    #7.CV1($a) = partial ["a" => int(0)]
    #8.CV2($b) = []
    #9.CV2($b) = [0 => zval(type=253)]
    #10.X4 = partial ["a" => int(0)]
    #11.CV3($c) = partial ["a" => int(0)]

And importantly, we end up embedding #9.CV2($b) as a literal -- but of course nothing will be able to handle the partial array it contains, as this is an SCCP only concept.
 [2019-01-10 09:10 UTC] nikic@php.net
Two possible ways to fix: Either we can check recursively for partial arrays when replacing constants, or we can mark arrays as partial if they contain partial arrays. Not totally sure, but I think the latter is required for correctness in other cases as well. In particular we assume that for non-partial arrays a constant lattice value can only lower to overdetermined, while in the case where it contains a partial array it could lower to another, different constant value.
 [2019-01-10 09:28 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ade702a0d299f0c8967720fb4887cd1447419cd9
Log: Fixed bug #77434
 [2019-01-10 09:28 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2019-01-10 09:29 UTC] nikic@php.net
Can you please confirm whether this fixes the issue you're seeing? I've fixed *something* here, but I'm not sure if this is also what was causing the problem, or just an unrelated problem.
 [2019-01-10 11:07 UTC] bugs dot php dot net at mundpropaganda dot net
Yes, it does indeed fix the issue! Thanks a lot!
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Jan 22 19:01:31 2025 UTC