php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76205 PHP-FPM sporadic crash when running Infinitewp
Submitted: 2018-04-10 17:02 UTC Modified: 2018-05-03 10:55 UTC
From: post at minhost dot no Assigned: dmitry (profile)
Status: Closed Package: opcache
PHP Version: 7.1.16 OS: CentOS 7.4
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: post at minhost dot no
New email:
PHP Version: OS:

 

 [2018-04-10 17:02 UTC] post at minhost dot no
Description:
------------
After upgrading our shared hosting servers from PHP 7.1.15 to PHP 7.1.16, some users running Infinitewp to update their WordPress sites experience that when they do "Reload data" in Infinitewp, then some of their WordPress sites go down with this error:

"HTTP Error 503: Service Unavailable - The request was not completed. The server is temporarily overloading or down."

And PHP-FPM is down on those sites. This never happen in previous PHP 7.1.15

To get the sites up and running again, I need to reload php-fpm71

In Apache error log we get errors like this:

[Tue Apr 10 17:12:06.695643 2018] [proxy_fcgi:error] [pid 31674:tid 139648101607168] [client 194.242.11.18:56034] AH01067: Failed to read FastCGI header, referer: https://domain.tld/?no_cache_KFoZ4ai5=1523373126
[Tue Apr 10 17:12:06.695691 2018] [proxy_fcgi:error] [pid 31674:tid 139648101607168] (104)Connection reset by peer: [client 194.242.11.18:56034] AH01075: Error dispatching request to : , referer: https://domain.tld/?no_cache_KFoZ4ai5=1523373126

In /usr/local/php71/var/log/php-fpm.log I get this:

[10-Apr-2018 17:12:06] WARNING: [pool sommerfr] child 24746 exited on signal 11 (SIGSEGV) after 8409.340823 seconds from start
[10-Apr-2018 17:12:06] NOTICE: [pool sommerfr] child 17221 started

Please note that I am running both normal opcache in memory, and also has opcache on disk as a fallback cache (to be used whenever opcache get empty during restarts). Here is my ini settings:

opcache.memory_consumption=32768
opcache.interned_strings_buffer=64
opcache.max_accelerated_files=1000000
opcache.revalidate_freq=0
opcache.validate_timestamps=1
opcache.fast_shutdown=1
opcache.enable_cli=0
opcache.validate_permission=1
opcache.validate_root=1
opcache.use_cwd=1
opcache.revalidate_path=1
opcache.enable_file_override=1
opcache.file_cache_only=0
opcache.max_wasted_percentage=10

One thing I suspect could play a role, is that all the sites that went down after running "Reload data" in Infinitewp, had one thing in common, that is: Nobody had visited WordPress dashboard on those sites, so at:

/home/USER/.opcache/0d01841927accbb2865ecf61ea43a8ce/home/USER/domains/DOMAIN.TLD/public_html/wp/wp-admin

There was only 1 directory and 2 files, when I manually visited WordPress dashboard, several more files where added in opcache on that path. So maybe the bug only happen if disk based opcache have not yet cached all needed files before running "Reload data" in Infinitewp?

I can not say for sure, as the problem has been sporadic when running Infinitewp after upgrading to PHP 7.1.16

Further I have been looking at the changelog for PHP 7.1.16 and PHP 7.2.4, in PHP 7.1.6 changelog at http://www.php.net/ChangeLog-7.php#7.1.16 there is this:

Opcache:
Fixed bug #76074 (opcache corrupts variable in for-loop).

However when looking at changelog for PHP 7.2.4, bug #76074 is not mentioned at all! I find that strange because at the page for bug #76074 it says "PHP Version: 7.2.3"

So why was fix for bug #76074 not added in PHP 7.2.4? And was it a mistake that it was added to 7.1.16?

Beacause that is the only bug fix for Opcache in PHP 7.1.16, I think it could be related to our users problems in PHP 7.2.16 as described above.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-04-10 17:20 UTC] nikic@php.net
It's unlikely that the mentioned bug is related (because it affects optimization, not caching). However, PHP 7.1.16 contains a number of changes in the caching logic, including https://github.com/php/php-src/commit/50949c9332b897c6848839357ad97223a0e1dd38, which introduced an issue subsequently fixed in https://github.com/php/php-src/commit/b6a41ad5ba2f853d44e6184375968a86c8167f1e. Unfortunately, it looks like this commit missed the PHP 7.1.16 cut.

You might want to try applying the patch from the second commit and see if it resolves the issue.
 [2018-04-10 17:36 UTC] post at minhost dot no
Thanks. After manually applying the patch at https://github.com/php/php-src/commit/b6a41ad5ba2f853d44e6184375968a86c8167f1e into ext/opcache/zend_persist.c in PHP 7.1.16 and then recompiling PHP 7.1.16 - would it then be needed or recommended to empty all opcache files in .opcache folders on disk?

I hope you wil make sure that the patch will make it into the next PHP 7.1.17?

I must also comment that there has been to many problems with running opcache on disk as fallback cache, and I feel I am the only one doing it, and therefor bugs might not be reported by anyone but me. I really consider to stop using opcache on disk as second level fallback cache to avoid any more problems. But I would like to keep it, if it would just not be so many bugs popping up from time to time.
 [2018-04-11 02:07 UTC] post at minhost dot no
Are you sure I can use the patch at https://github.com/php/php-src/commit/b6a41ad5ba2f853d44e6184375968a86c8167f1e directly into the stable PHP 7.1.16 file ext/opcache/zend_persist.c?

Because if I copy the entire file from the patch and overwrite it, there is other differences then just the commit at the patch.
 [2018-04-11 02:28 UTC] post at minhost dot no
What I mean is that if I click on "View" from the patch at https://github.com/php/php-src/commit/b6a41ad5ba2f853d44e6184375968a86c8167f1e I get this file https://github.com/php/php-src/blob/b6a41ad5ba2f853d44e6184375968a86c8167f1e/ext/opcache/zend_persist.c wich has other differences when adding to stable PHP 7.1.16 then the diff at https://github.com/php/php-src/commit/b6a41ad5ba2f853d44e6184375968a86c8167f1e

Kind of confusing, please confirm I can manually add the patch at https://github.com/php/php-src/commit/b6a41ad5ba2f853d44e6184375968a86c8167f1e into the stable PHP 7.1.16 file?
 [2018-04-13 11:58 UTC] post at minhost dot no
I have patched PHP 7.1.16 now. The problem described seems to have been resolved. However, for a few months we have customers running Drupal that get 503 errors sporadic, mostly when running update.php in Drupal, but lately also when doing other changes in Drupal control panel.

We are running both opcache in memory, and has second level fallback opcache on disk in a directory for each user. I suspect most of the 503 errors in Drupal is related to opcache on disk. It just does not seems to be stable enough for production servers.

However the only reason we run second level fallback opcache on disk, is to avoid users not getting cache after each time apache or php-fpm is reloaded. This happens several times each day, because it must happen whenever a user add a domain og install lets encrypt certificates. Also it happens every night during log rotate.

If you could add a ini setting that would allow us to set opcache to not be empty whenever there is a apache og php-fpm reload, then we would no longer need second level fallback opcache on disk.

Would it be possible to add a ini setting to set opcache to not be emptied whenever apache or php-fpm is reloaded? So that we could deactivate opcache on disk and only use opcache in memory?
 [2018-04-16 11:12 UTC] post at minhost dot no
Update: The patch did not solve the problem after all. It happened again for a customer running "Reload data" in IWP, PHP-FPM on 3 of his sites crashed and displayed a 503 error.

This time I reset OPcache with a PHP file containing this, and the sites started working again:

<?php
opcache_reset();
?>

So whenever this happen, I must either reload PHP-FPM, or run the above PHP code. So the patch at https://github.com/php/php-src/commit/b6a41ad5ba2f853d44e6184375968a86c8167f1e did not work!

Ever since PHP 7.1.11 there has been nothing but problems with bugs relateded to OPcache poping up all the time. And you continue to create new bugs in OPcache every time you release a new PHP version, and the new bugs is not fixed.

Do you ever do any testing of your code changes at all? No, it does not seem like you do any testing at all!
 [2018-04-16 11:23 UTC] post at minhost dot no
Follow up on previous comment: What I meant to say is that PHP 7.1.11 was the last PHP version that did not have a lot of OPcache bugs. From PHP 7.1.12 up to the current PHP 7.1.16, there has been nothing but sporadic OPcache bugs crashing sites:

Currently we experience sporadic PHP-FPM crashes when users run /update.php in Drupal, and when users run "Reload data" in IWP. It does not happen on every run, and because of that I am not able to reproduce it so that I can debug it.
 [2018-04-23 20:57 UTC] post at minhost dot no
I have now generated backtrace of core dumps from a sporadic crash of a wordpress site when running "Reload data" in Infinitewp against that WordPress site. Please note that the server is running PHP 7.1.16 WITH this patch https://github.com/php/php-src/commit/b6a41ad5ba2f853d44e6184375968a86c8167f1e (but the crash also happen without the patch).

Please note that this bug proably only happen if you have opcache with both opcache in memory and file cache as secondary fallback cache.

When the crash happened it generated two cre dumps, core-php-fpm71.7935 and core-php-fpm71.7936 below is output of both of them:

# Output of /tmp/core-php-fpm71.7935:

[root@dns2 ~]# gdb /usr/local/php71/sbin/php-fpm71 /tmp/core-php-fpm71.7935
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-100.el7_4.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/php71/sbin/php-fpm71...done.
[New LWP 7935]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `php-fpm: pool asle                           '.
Program terminated with signal 6, Aborted.
#0  0x00007f2732feb1f7 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install bzip2-libs-1.0.6-13.el7.x86_64 elfutils-libelf-0.168-8.el7.x86_64 elfutils-libs-0.168-8.el7.x86_64 glibc-2.17-196.el7_4.2.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-8.el7.x86_64 libattr-2.4.46-12.el7.x86_64 libcap-2.22-9.el7.x86_64 libcom_err-1.42.9-10.el7.x86_64 libgcc-4.8.5-16.el7_4.2.x86_64 libgcrypt-1.5.3-14.el7.x86_64 libgpg-error-1.12-3.el7.x86_64 libselinux-2.5-11.el7.x86_64 libstdc++-4.8.5-16.el7_4.2.x86_64 nss-softokn-freebl-3.28.3-8.el7_4.x86_64 openssl-libs-1.0.2k-8.el7.x86_64 systemd-libs-219-42.el7_4.10.x86_64 xz-libs-5.2.2-1.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb)

(gdb) bt full
#0  0x00007f2732feb1f7 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f2732fec8e8 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f2732fe4266 in __assert_fail_base () from /lib64/libc.so.6
No symbol table info available.
#3  0x00007f2732fe4312 in __assert_fail () from /lib64/libc.so.6
No symbol table info available.
#4  0x00007f272ac5d490 in zend_file_cache_unserialize_prop_info (zv=0x7f2721abbd40, script=0x7f2721ab3fc0, buf=0x7f2721ab3fc0) at /usr/local/directadmin/custombuild/php-7.1.16/ext/opcache/zend_file_cache.c:1149
        prop = 0x7f2721ab4b48
        __PRETTY_FUNCTION__ = "zend_file_cache_unserialize_prop_info"
#5  0x00007f272ac5b524 in zend_file_cache_unserialize_hash (ht=0x7f2721ab4be0, script=0x7f2721ab3fc0, buf=0x7f2721ab3fc0, func=0x7f272ac5d198 <zend_file_cache_unserialize_prop_info>, dtor=0x0)
    at /usr/local/directadmin/custombuild/php-7.1.16/ext/opcache/zend_file_cache.c:912
        p = 0x7f2721abbd40
        end = 0x7f2721abbd60
        __PRETTY_FUNCTION__ = "zend_file_cache_unserialize_hash"
#6  0x00007f272ac5e020 in zend_file_cache_unserialize_class (zv=0x7f2721ab4e00, script=0x7f2721ab3fc0, buf=0x7f2721ab3fc0) at /usr/local/directadmin/custombuild/php-7.1.16/ext/opcache/zend_file_cache.c:1215
        ce = 0x7f2721ab4b68
        __PRETTY_FUNCTION__ = "zend_file_cache_unserialize_class"
#7  0x00007f272ac5b524 in zend_file_cache_unserialize_hash (ht=0x7f2721ab40d0, script=0x7f2721ab3fc0, buf=0x7f2721ab3fc0, func=0x7f272ac5da43 <zend_file_cache_unserialize_class>, dtor=0xa2efe4 <destroy_zend_class>)
    at /usr/local/directadmin/custombuild/php-7.1.16/ext/opcache/zend_file_cache.c:912
        p = 0x7f2721ab4e00
        end = 0x7f2721ab4e20
        __PRETTY_FUNCTION__ = "zend_file_cache_unserialize_hash"
#8  0x00007f272ac5f174 in zend_file_cache_unserialize (script=0x7f2721ab3fc0, buf=0x7f2721ab3fc0) at /usr/local/directadmin/custombuild/php-7.1.16/ext/opcache/zend_file_cache.c:1316
        __PRETTY_FUNCTION__ = "zend_file_cache_unserialize"
#9  0x00007f272ac5f971 in zend_file_cache_script_load (file_handle=0x7ffda6f8caf0) at /usr/local/directadmin/custombuild/php-7.1.16/ext/opcache/zend_file_cache.c:1481
        __orig_bailout = 0x7ffda6f8dd90
        __bailout = {{__jmpbuf = {0, -5264032381661365544, 4517600, 140727404786640, 139806306812896, 139806196720552, -5264032381611033896, -5240081058967340328}, __mask_was_saved = 0, __saved_mask = {__val = {18065752,
                139806052760384, 0, 140727404775760, 4517600, 140727404786640, 139806306812896, 139806196720552, 10328386, 140727404775712, 140727404775888, 38654705665, 139806043249216, 5, 139806052760829, 140727404775888}}}}
        full_path = 0x7f27221cbc80
        fd = 7
        filename = 0x7f27221e0c00 "/home/asle/.opcache/f2eec51e0cb18f52ff29dc2739fb55f0/home/asle/domains/hadeland.41.no/public_html/wp-content/plugins/revslider/includes/tinybox.class.php.bin"
        script = 0x7f2721ab3fc0
        info = {magic = "OPCACHE", system_id = "f2eec51e0cb18f52ff29dc2739fb55f0", mem_size = 32336, str_size = 16176, script_offset = 0, timestamp = 1524150100, checksum = 2661638409}
        bucket = 0x7f27221cbc98
        mem = 0x7f2721ab3fc0
        checkpoint = 0x7f2721ab3f88
        buf = 0x7f2721ab3fc0
        cache_it = 0
        ok = 1
#10 0x00007f272ac465e8 in persistent_compile_file (file_handle=0x7ffda6f8caf0, type=8) at /usr/local/directadmin/custombuild/php-7.1.16/ext/opcache/ZendAccelerator.c:1873
        persistent_script = 0x0
        key = 0x0
        key_length = 32551
        from_shared_memory = 572308608
#11 0x0000000000aa2c68 in zend_include_or_eval (inc_filename=0x7f2731414520, type=16) at /usr/local/directadmin/custombuild/php-7.1.16/Zend/zend_execute.c:2816
        op_array = 0x7ffda6f8cbb8
        file_handle = {handle = {fd = 562797120, fp = 0x7f27218b9a40, stream = {handle = 0x7f27218b9a40, isatty = 0, mmap = {len = 17102, pos = 0, map = 0x0, buf = 0x7f2739dce000 <Address 0x7f2739dce000 out of bounds>,
                old_handle = 0x0, old_closer = 0x0}, reader = 0x9d05b5 <_php_stream_read>, fsizer = 0x9b0f17 <php_zend_stream_fsizer>, closer = 0x9b0ef1 <php_zend_stream_mmap_closer>}},
          filename = 0x7f27221cbbf8 "/home/asle/domains/hadeland.41.no/public_html/wp-content/plugins/revslider/includes/tinybox.class.php", opened_path = 0x7f27221cbc80, type = ZEND_HANDLE_MAPPED, free_filename = 0 '\000'}
        resolved_path = 0x7f27221cbbe0
        new_op_array = 0x0
        tmp_inc_filename = {value = {lval = 140727404776336, dval = 6.952857612838297e-310, counted = 0x7ffda6f8cb90, str = 0x7ffda6f8cb90, arr = 0x7ffda6f8cb90, obj = 0x7ffda6f8cb90, res = 0x7ffda6f8cb90, ref = 0x7ffda6f8cb90,
            ast = 0x7ffda6f8cb90, zv = 0x7ffda6f8cb90, ptr = 0x7ffda6f8cb90, ce = 0x7ffda6f8cb90, func = 0x7ffda6f8cb90, ww = {w1 = 2801322896, w2 = 32765}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000',
              reserved = 0 '\000'}, type_info = 0}, u2 = {next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}
        __PRETTY_FUNCTION__ = "zend_include_or_eval"
#12 0x0000000000b10c01 in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER () at /usr/local/directadmin/custombuild/php-7.1.16/Zend/zend_vm_execute.h:51657
        new_op_array = 0x7f2731464700
        free_op1 = 0x7f2731414520
        inc_filename = 0x7f2731414520
#13 0x0000000000aa2f70 in execute_ex (ex=0x7f2731414030) at /usr/local/directadmin/custombuild/php-7.1.16/Zend/zend_vm_execute.h:429
        orig_opline = 0x0
        orig_execute_data = 0x0
#14 0x0000000000aa3082 in zend_execute (op_array=0x7f2731472000, return_value=0x0) at /usr/local/directadmin/custombuild/php-7.1.16/Zend/zend_vm_execute.h:474
        execute_data = 0x7f2731414030
#15 0x0000000000a44199 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/directadmin/custombuild/php-7.1.16/Zend/zend.c:1482
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7ffda6f8cd70, reg_save_area = 0x7ffda6f8ccb0}}
        i = 1
        file_handle = 0x7ffda6f8f1b0
---Type <return> to continue, or q <return> to quit---
        op_array = 0x7f2731472000
#16 0x00000000009b34f8 in php_execute_script (primary_file=0x7ffda6f8f1b0) at /usr/local/directadmin/custombuild/php-7.1.16/main/main.c:2577
        realfile = '\000' <repeats 2336 times>...
        __orig_bailout = 0x7ffda6f8efe0
        __bailout = {{__jmpbuf = {16, -5264032382951114024, 4517600, 140727404786640, 0, 0, -5264032381783000360, 5262784607927646936}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0,
          opened_path = 0x0, type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        append_file = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0,
          opened_path = 0x0, type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        old_cwd = 0x7ffda6f8cd70 "/"
        use_heap = 0 '\000'
        retval = 0
#17 0x0000000000b33275 in main (argc=2, argv=0x7ffda6f8f3d8) at /usr/local/directadmin/custombuild/php-7.1.16/sapi/fpm/fpm/fpm_main.c:1966
        primary_script = 0x7f2731402300 "/home/asle/domains/hadeland.41.no/public_html/index.php"
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, -5264032382504420648, 4517600, 140727404786640, 0, 0, -5264032382949016872, 5262784813647772376}, __mask_was_saved = 0, __saved_mask = {__val = {12206512, 139806450276720, 31632276063478121,
                7018986666877744431, 7809632559044715890, 0, 281470681751424, 0, 0, 7383780706149492083, 7363230881234747507, 0, 0, 0, 0, 0}}}}
        exit_status = 0
        cgi = 0
        c = -1
        use_extended_info = 0
        file_handle = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 418, pos = 0, map = 0x0, buf = 0x7f2739eee000 "", old_handle = 0x0, old_closer = 0x0}, reader = 0x9d05b5 <_php_stream_read>,
              fsizer = 0x9b0f17 <php_zend_stream_fsizer>, closer = 0x9b0ef1 <php_zend_stream_mmap_closer>}}, filename = 0x7f2731402000 "/home/asle/domains/hadeland.41.no/public_html/index.php", opened_path = 0x0,
          type = ZEND_HANDLE_MAPPED, free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = 0
        max_requests = 2000
        requests = 4
        fcgi_fd = 0
        request = 0x36e3520
        fpm_config = 0x0
        fpm_prefix = 0x0
        fpm_pid = 0x0
        test_conf = 0
        force_daemon = 0
        force_stderr = 0
        php_information = 0
        php_allow_to_run_as_root = 0
        __func__ = "main"
(gdb)

# Output of /tmp/core-php-fpm71.7936:

gdb /usr/local/php71/sbin/php-fpm71 /tmp/core-php-fpm71.7936

[root@dns2 ~]# gdb /usr/local/php71/sbin/php-fpm71 /tmp/core-php-fpm71.7936
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-100.el7_4.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/php71/sbin/php-fpm71...done.
[New LWP 7936]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `php-fpm: pool asle                           '.
Program terminated with signal 6, Aborted.
#0  0x00007f2732feb1f7 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install bzip2-libs-1.0.6-13.el7.x86_64 elfutils-libelf-0.168-8.el7.x86_64 elfutils-libs-0.168-8.el7.x86_64 glibc-2.17-196.el7_4.2.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-8.el7.x86_64 libattr-2.4.46-12.el7.x86_64 libcap-2.22-9.el7.x86_64 libcom_err-1.42.9-10.el7.x86_64 libgcc-4.8.5-16.el7_4.2.x86_64 libgcrypt-1.5.3-14.el7.x86_64 libgpg-error-1.12-3.el7.x86_64 libselinux-2.5-11.el7.x86_64 libstdc++-4.8.5-16.el7_4.2.x86_64 nss-softokn-freebl-3.28.3-8.el7_4.x86_64 openssl-libs-1.0.2k-8.el7.x86_64 systemd-libs-219-42.el7_4.10.x86_64 xz-libs-5.2.2-1.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb)

(gdb) bt full
#0  0x00007f2732feb1f7 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f2732fec8e8 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f2732fe4266 in __assert_fail_base () from /lib64/libc.so.6
No symbol table info available.
#3  0x00007f2732fe4312 in __assert_fail () from /lib64/libc.so.6
No symbol table info available.
#4  0x00007f272ac5d490 in zend_file_cache_unserialize_prop_info (zv=0x7f2721abbd40, script=0x7f2721ab3fc0, buf=0x7f2721ab3fc0) at /usr/local/directadmin/custombuild/php-7.1.16/ext/opcache/zend_file_cache.c:1149
        prop = 0x7f2721ab4b48
        __PRETTY_FUNCTION__ = "zend_file_cache_unserialize_prop_info"
#5  0x00007f272ac5b524 in zend_file_cache_unserialize_hash (ht=0x7f2721ab4be0, script=0x7f2721ab3fc0, buf=0x7f2721ab3fc0, func=0x7f272ac5d198 <zend_file_cache_unserialize_prop_info>, dtor=0x0)
    at /usr/local/directadmin/custombuild/php-7.1.16/ext/opcache/zend_file_cache.c:912
        p = 0x7f2721abbd40
        end = 0x7f2721abbd60
        __PRETTY_FUNCTION__ = "zend_file_cache_unserialize_hash"
#6  0x00007f272ac5e020 in zend_file_cache_unserialize_class (zv=0x7f2721ab4e00, script=0x7f2721ab3fc0, buf=0x7f2721ab3fc0) at /usr/local/directadmin/custombuild/php-7.1.16/ext/opcache/zend_file_cache.c:1215
        ce = 0x7f2721ab4b68
        __PRETTY_FUNCTION__ = "zend_file_cache_unserialize_class"
#7  0x00007f272ac5b524 in zend_file_cache_unserialize_hash (ht=0x7f2721ab40d0, script=0x7f2721ab3fc0, buf=0x7f2721ab3fc0, func=0x7f272ac5da43 <zend_file_cache_unserialize_class>, dtor=0xa2efe4 <destroy_zend_class>)
    at /usr/local/directadmin/custombuild/php-7.1.16/ext/opcache/zend_file_cache.c:912
        p = 0x7f2721ab4e00
        end = 0x7f2721ab4e20
        __PRETTY_FUNCTION__ = "zend_file_cache_unserialize_hash"
#8  0x00007f272ac5f174 in zend_file_cache_unserialize (script=0x7f2721ab3fc0, buf=0x7f2721ab3fc0) at /usr/local/directadmin/custombuild/php-7.1.16/ext/opcache/zend_file_cache.c:1316
        __PRETTY_FUNCTION__ = "zend_file_cache_unserialize"
#9  0x00007f272ac5f971 in zend_file_cache_script_load (file_handle=0x7ffda6f8caf0) at /usr/local/directadmin/custombuild/php-7.1.16/ext/opcache/zend_file_cache.c:1481
        __orig_bailout = 0x7ffda6f8dd90
        __bailout = {{__jmpbuf = {0, -5264032381661365544, 4517600, 140727404786640, 139806306812896, 139806196720552, -5264032381611033896, -5240081058967340328}, __mask_was_saved = 0, __saved_mask = {__val = {18065752,
                139806044327520, 0, 140727404775760, 4517600, 140727404786640, 139806306812896, 139806196720552, 10328386, 140727404775712, 140727404775888, 38654705665, 139806054422464, 5, 139806054436989, 140727404775888}}}}
        full_path = 0x7f2722365000
        fd = 7
        filename = 0x7f27219b0300 "/home/asle/.opcache/f2eec51e0cb18f52ff29dc2739fb55f0/home/asle/domains/hadeland.41.no/public_html/wp-content/plugins/revslider/includes/tinybox.class.php.bin"
        script = 0x7f2721ab3fc0
        info = {magic = "OPCACHE", system_id = "f2eec51e0cb18f52ff29dc2739fb55f0", mem_size = 32336, str_size = 16176, script_offset = 0, timestamp = 1524150100, checksum = 2661638409}
        bucket = 0x7f2722365018
        mem = 0x7f2721ab3fc0
        checkpoint = 0x7f2721ab3f88
        buf = 0x7f2721ab3fc0
        cache_it = 0
        ok = 1
#10 0x00007f272ac465e8 in persistent_compile_file (file_handle=0x7ffda6f8caf0, type=8) at /usr/local/directadmin/custombuild/php-7.1.16/ext/opcache/ZendAccelerator.c:1873
        persistent_script = 0x0
        key = 0x0
        key_length = 32551
        from_shared_memory = 573984768
#11 0x0000000000aa2c68 in zend_include_or_eval (inc_filename=0x7f2731414520, type=16) at /usr/local/directadmin/custombuild/php-7.1.16/Zend/zend_execute.c:2816
        op_array = 0x7ffda6f8cbb8
        file_handle = {handle = {fd = 573970368, fp = 0x7f27223617c0, stream = {handle = 0x7f27223617c0, isatty = 0, mmap = {len = 17102, pos = 0, map = 0x0, buf = 0x7f2739dce000 <Address 0x7f2739dce000 out of bounds>,
                old_handle = 0x0, old_closer = 0x0}, reader = 0x9d05b5 <_php_stream_read>, fsizer = 0x9b0f17 <php_zend_stream_fsizer>, closer = 0x9b0ef1 <php_zend_stream_mmap_closer>}},
          filename = 0x7f27219c0f18 "/home/asle/domains/hadeland.41.no/public_html/wp-content/plugins/revslider/includes/tinybox.class.php", opened_path = 0x7f2722365000, type = ZEND_HANDLE_MAPPED, free_filename = 0 '\000'}
        resolved_path = 0x7f27219c0f00
        new_op_array = 0x0
        tmp_inc_filename = {value = {lval = 140727404776336, dval = 6.952857612838297e-310, counted = 0x7ffda6f8cb90, str = 0x7ffda6f8cb90, arr = 0x7ffda6f8cb90, obj = 0x7ffda6f8cb90, res = 0x7ffda6f8cb90, ref = 0x7ffda6f8cb90,
            ast = 0x7ffda6f8cb90, zv = 0x7ffda6f8cb90, ptr = 0x7ffda6f8cb90, ce = 0x7ffda6f8cb90, func = 0x7ffda6f8cb90, ww = {w1 = 2801322896, w2 = 32765}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000',
              reserved = 0 '\000'}, type_info = 0}, u2 = {next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}
        __PRETTY_FUNCTION__ = "zend_include_or_eval"
#12 0x0000000000b10c01 in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER () at /usr/local/directadmin/custombuild/php-7.1.16/Zend/zend_vm_execute.h:51657
        new_op_array = 0x7f2731464700
        free_op1 = 0x7f2731414520
        inc_filename = 0x7f2731414520
#13 0x0000000000aa2f70 in execute_ex (ex=0x7f2731414030) at /usr/local/directadmin/custombuild/php-7.1.16/Zend/zend_vm_execute.h:429
        orig_opline = 0x0
        orig_execute_data = 0x0
#14 0x0000000000aa3082 in zend_execute (op_array=0x7f2731471000, return_value=0x0) at /usr/local/directadmin/custombuild/php-7.1.16/Zend/zend_vm_execute.h:474
        execute_data = 0x7f2731414030
#15 0x0000000000a44199 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/directadmin/custombuild/php-7.1.16/Zend/zend.c:1482
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7ffda6f8cd70, reg_save_area = 0x7ffda6f8ccb0}}
        i = 1
        file_handle = 0x7ffda6f8f1b0
---Type <return> to continue, or q <return> to quit---
        op_array = 0x7f2731471000
#16 0x00000000009b34f8 in php_execute_script (primary_file=0x7ffda6f8f1b0) at /usr/local/directadmin/custombuild/php-7.1.16/main/main.c:2577
        realfile = '\000' <repeats 2336 times>...
        __orig_bailout = 0x7ffda6f8efe0
        __bailout = {{__jmpbuf = {16, -5264032382951114024, 4517600, 140727404786640, 0, 0, -5264032381783000360, 5262784607927646936}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0,
          opened_path = 0x0, type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        append_file = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0,
          opened_path = 0x0, type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        old_cwd = 0x7ffda6f8cd70 "/home/asle/domains/fjell-bfk4k.41.no/public_html"
        use_heap = 0 '\000'
        retval = 0
#17 0x0000000000b33275 in main (argc=2, argv=0x7ffda6f8f3d8) at /usr/local/directadmin/custombuild/php-7.1.16/sapi/fpm/fpm/fpm_main.c:1966
        primary_script = 0x7f2731402300 "/home/asle/domains/hadeland.41.no/public_html/index.php"
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, -5264032382504420648, 4517600, 140727404786640, 0, 0, -5264032382949016872, 5262784813647772376}, __mask_was_saved = 0, __saved_mask = {__val = {12206512, 139806450276720, 31632276063478121,
                7018986666877744431, 7809632559044715890, 0, 281470681751424, 0, 0, 7383780706149492083, 7363230881234747507, 0, 0, 0, 0, 0}}}}
        exit_status = 0
        cgi = 0
        c = -1
        use_extended_info = 0
        file_handle = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 418, pos = 0, map = 0x0, buf = 0x7f2739eee000 "", old_handle = 0x0, old_closer = 0x0}, reader = 0x9d05b5 <_php_stream_read>,
              fsizer = 0x9b0f17 <php_zend_stream_fsizer>, closer = 0x9b0ef1 <php_zend_stream_mmap_closer>}}, filename = 0x7f2731402000 "/home/asle/domains/hadeland.41.no/public_html/index.php", opened_path = 0x0,
          type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = 0
        max_requests = 2000
        requests = 4
        fcgi_fd = 0
        request = 0x36e3620
        fpm_config = 0x0
        fpm_prefix = 0x0
        fpm_pid = 0x0
        test_conf = 0
        force_daemon = 0
        force_stderr = 0
        php_information = 0
        php_allow_to_run_as_root = 0
        __func__ = "main"
(gdb)
 [2018-04-24 07:17 UTC] post at minhost dot no
Related bug: https://bugs.php.net/bug.php?id=76258
 [2018-04-26 17:37 UTC] post at minhost dot no
@nikic@php.net, you said in your comment that this commit https://github.com/php/php-src/commit/b6a41ad5ba2f853d44e6184375968a86c8167f1e "missed the 7.1.16 cut". Now that PHP 7.1.17 is released, I do not find any entry in the changelog regarding opcache: http://www.php.net/ChangeLog-7.php#7.1.17

Please confirm if the commit is added in 7.1.17 or not?

Also I am hoping someone soon will work on the bugs I reported, wich has bactrace in the comment above. And also this bug wich could be related: https://bugs.php.net/bug.php?id=76258
 [2018-04-26 19:01 UTC] nikic@php.net
> Please confirm if the commit is added in 7.1.17 or not?

The commit is indeed part of the 7.1.17 release.

> Also I am hoping someone soon will work on the bugs I reported, wich has bactrace in the comment above. And also this bug wich could be related: https://bugs.php.net/bug.php?id=76258

Thanks for providing the backtrace. An assertion failure occurs on line https://github.com/php/php-src/blob/PHP-7.1/ext/opcache/zend_file_cache.c#L1149, with the assertion presumably being https://github.com/php/php-src/blob/PHP-7.1/ext/opcache/zend_file_cache.c#L136. I'll have to think further on the circumstances that could cause this.
 [2018-04-26 20:20 UTC] nikic@php.net
The issue here is that the IS_UNSERIALIZED() macro checks for the pointer being either in script->mem or being an accel interned string. This does not account for the third possibility, where the string is in the arena allocated string memory region (when unserializing into non-shm).
 [2018-04-26 20:28 UTC] post at minhost dot no
Thank you for looking into this! All I can say is that we have never yet seen it crash right after a php-fpm reload, so right after opcache is emptied, it does not seem to happen.

Also the bactrace on the test server, when the crash happen on test server, opcache memory limit whas all used. However that does not make sence on produtction servers wich never reaches opcache memory limit. If my guess is right, you might be able to trigger the bug of you set opcache memory limit to for example 1 MB (or 0 if that is possible), and visit a WordPress site? But remember you need to have file cache as secondary fallback cache in place.

Also, did you look at the bactrace on the similar bug report I created for Drupal?: https://bugs.php.net/bug.php?id=76258 - I was wondering if it seems to be the same bug or a different one?
 [2018-04-26 20:37 UTC] nikic@php.net
I can reproduce this issue using the following test file:

<?php
class Foo {
    public $prop;
}
class Bar extends Foo {}

and then running PHP twice as follows:

$ sapi/cli/php -c php.ini -d opcache.file_cache=/tmp/opcache t171.php
$ sapi/cli/php -c php.ini -d opcache.file_cache=/tmp/opcache -d opcache.file_cache_only=1 t171.php

Yielding:

php: /home/nikic/php-src/ext/opcache/zend_file_cache.c:1184: zend_file_cache_unserialize_prop_info: Assertion `((char*)(prop->name) < (char*)script->size)' failed.
Aborted (core dumped)

The important bit is that we run first with file_cache_only=0 (so interned strings are used) and then with file_cache_only=1 (so they aren't).

This isn't quite your situation, but the root cause should be the same. The second bug report also has the assertion failure in the same place, so it's very likely that it's also the same issue.
 [2018-04-26 20:42 UTC] nikic@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2018-04-27 21:28 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c6ce03e45e09087de8fc65f8a0a3345fea163ba2
Log: Fixed bug #76205 (PHP-FPM sporadic crash when running Infinitewp).
 [2018-04-27 21:28 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2018-04-27 21:34 UTC] post at minhost dot no
Thanks. Can I use this patch directly on PHP 7.1.17?: http://git.php.net/?p=php-src.git;a=patch;h=c6ce03e45e09087de8fc65f8a0a3345fea163ba2
 [2018-04-27 22:15 UTC] nikic@php.net
Running tests with file cache I'm getting a segfault in Zend/tests/assert/expect_015.php while trying to access a string at address 0xa81. Looks like something didn't get unserialized there.
 [2018-04-27 22:34 UTC] dmitry@php.net
sorry, I can't reproduce.
 [2018-04-28 10:29 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=df4d0a73d241f24f5afe81584361b53ea9bc2a99
Log: Revert &quot;Fixed bug #76205 (PHP-FPM sporadic crash when running Infinitewp).&quot;
 [2018-04-28 10:31 UTC] dmitry@php.net
-Status: Closed +Status: Assigned
 [2018-04-28 10:31 UTC] dmitry@php.net
I got the failures. Patch reverted, bug re-opened.
 [2018-04-28 12:28 UTC] nikic@php.net
I think we should tag all serialized pointers (like we already do for the serialized interned strings, we still have another free bit) to avoid these kinds of fragile range based checks.
 [2018-05-02 13:02 UTC] post at minhost dot no
@dmitry, Is there any update on the progress working on this bug? Our shared hosting servers is severely impacted, particular our Drupal customers wich also is impacted by this bug (also reported here https://bugs.php.net/bug.php?id=76258 )
 [2018-05-03 09:12 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5b3e1ded356dc877aa246d28e71e69286b8829b5
Log: Fixed bug #76205 (PHP-FPM sporadic crash when running Infinitewp)
 [2018-05-03 09:12 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2018-05-03 09:24 UTC] post at minhost dot no
@dmitry, Thank you for the fix. Can you please confirm that I can use the patch http://git.php.net/?p=php-src.git;a=patch;h=5b3e1ded356dc877aa246d28e71e69286b8829b5 directly in PHP 7.1.17?
 [2018-05-03 10:55 UTC] dmitry@php.net
yes, it can be merged.
 [2018-05-03 17:41 UTC] post at minhost dot no
Thanks. I just hope I am getting it correct. I am manually removing and copy/paste line by line from this patch http://git.php.net/?p=php-src.git;a=blobdiff;f=ext/opcache/zend_file_cache.c;h=c66e5aeeca78e2c39cca19d9b4b59cf7e2709978;hp=23f2f9d0cb6d53dfbc12fdedafd33f6bccfee7f4;hb=5b3e1ded356dc877aa246d28e71e69286b8829b5;hpb=7ba70a5fedaba1f6085c8325b1fc4db54e8c8727 into the official PHP 7.1.17 release file: ext/opcache/zend_file_cache.c
 [2018-05-03 18:07 UTC] post at minhost dot no
when I download the current snapshot I see that zend_file_cache.c line number 100 changed from
((char*)(ptr) < (char*)script->size)

to
((char*)(ptr) <= (char*)script->size)
	
should I add that change to? Or is it safe to use your commit without above change?
 [2018-05-03 18:22 UTC] spam2 at rhsoft dot net
do yourself a favor and look at "man patcz" - nobody is applying patches line by line and by hand
 [2018-05-03 18:40 UTC] post at minhost dot no
@spam2, you are wrong. _I_ am applying this patch manually. And I have not asked what other people think about that. So please don't make noise in the comment field.
 [2018-05-03 19:08 UTC] spam2 at rhsoft dot net
the only one making noise here is you because you could have saved at least 4 comments by just deal with patches like the rest of the world

smart people carry their patches in build scripts / rpm specs over years without touch the tarball ever - mine for httpd to not send any server header is untouched since httpd 2.4 was released 

why? 

because they are agnostic to other changes in different areas of the same file and if they needs to be rebased patch simply fails and you take notice
 [2018-05-03 19:13 UTC] post at minhost dot no
@spam2, Not one of my comment here is about how to apply the current patch. I have only asked if I can use the patch directly at PHP 7.1.17, and also asked about a committ that is not included in the patch. You are not contributing with your comments, and I will ignore any future comments from you.
 [2018-05-03 21:45 UTC] spam2 at rhsoft dot net
even if you ar enot worth an answer by your bloody ignorance, maybe others can learn - "Thanks. I just hope I am getting it correct. I am manually removing and copy/paste line by line from this patch" is insane - "patch1.patch" belo w is just the patch downloaded and apllied as every sane person does

the few actions from the script below would have answered "Can you please confirm that I can use the patch http://git.php.net/?p=php-src.git;a=patch;h=5b3e1ded356dc877aa246d28e71e69286b8829b5 directly in PHP 7.1.17" and just started compile PHP

[harry@srv-rhsoft:/downloads/build-php]$ ls
insgesamt 12M
-rw-r----- 1 harry verwaltung 2,9K 2018-05-03 23:38 patch1.patch
-rwx------ 1 harry verwaltung  202 2018-05-03 23:40 build.sh
-rw-r----- 1 harry verwaltung  12M 2018-05-03 23:17 php-7.1.17.tar.xz

[harry@srv-rhsoft:/downloads/build-php]$ cat build.sh
#!/bin/bash
PHP_VERSION="7.1.17"
rm -rf ./php-$PHP_VERSION
tar xfJ ./php-$PHP_VERSION.tar.xz -C ./
cp patch1.patch ./php-$PHP_VERSION
cd ./php-$PHP_VERSION
patch -p1 --fuzz=0 < patch1.patch
./configure

[harry@srv-rhsoft:/downloads/build-php]$ ./build.sh
patching file ext/opcache/zend_file_cache.c
Hunk #1 succeeded at 524 (offset -2 lines).
Hunk #2 succeeded at 547 (offset -2 lines).
Hunk #3 succeeded at 1144 (offset -2 lines).
Hunk #4 succeeded at 1165 (offset -2 lines).
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for a sed that does not truncate output... /usr/bin/sed
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC