Bug #68348 SIGSEGV in zend_hash_destroy at L558 p = p->pListNext;
Submitted: 2014-11-05 11:57 UTC Modified: 2021-10-11 13:31 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: php dot net at danslereseau dot com Assigned: cmb (profile)
Status: Closed Package: *General Issues
PHP Version: 5.5.18 OS: Amazon Linux 2014.09
Private report: No CVE-ID: None
 [2014-11-05 11:57 UTC] php dot net at danslereseau dot com
Description:
------------
nginx and PHP-FPM55 (5.5.18) installed using yum, on Amazon Linux x86_64, on an AWS EC2 server.
PHP-FPM crashes when I try to load one of the many websites I host; the other websites are OK. The website in question is a Gallery3 install.

/var/log/messages shows:
Nov  5 11:42:43 ip-172-30-0-123 kernel: [460777.618255] traps: php-fpm-5.5[28269] general protection ip:59fbf9 sp:7fffafda91b0 error:0 in php-fpm-5.5[400000+2fa000]

GDB Stack trace:
#0  zend_hash_destroy (ht=0x7f95e0225a70) at /usr/src/debug/php-5.5.18/Zend/zend_hash.c:558
#1  0x000000000059101b in _zval_dtor_func (zvalue=0x7f95e02340a8) at /usr/src/debug/php-5.5.18/Zend/zend_variables.c:45
#2  0x000000000063ec8d in _zval_dtor (zvalue=0x7f95e02340a8) at /usr/src/debug/php-5.5.18/Zend/zend_variables.h:35
#3  i_zval_ptr_dtor (zval_ptr=0x7f95e02340a8) at /usr/src/debug/php-5.5.18/Zend/zend_execute.h:81
#4  i_free_compiled_variables (execute_data=0x7f95f8689cf8) at /usr/src/debug/php-5.5.18/Zend/zend_execute.c:1510
#5  zend_leave_helper_SPEC (execute_data=execute_data@entry=0x7f95f8689cf8) at /usr/src/debug/php-5.5.18/Zend/zend_vm_execute.h:399
#6  0x000000000063f3bf in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (execute_data=0x7f95f8689cf8) at /usr/src/debug/php-5.5.18/Zend/zend_vm_execute.h:1081
#7  0x00000000005bc088 in execute_ex (execute_data=0x7f95f8689cf8) at /usr/src/debug/php-5.5.18/Zend/zend_vm_execute.h:363
#8  0x0000000000581c39 in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/debug/php-5.5.18/Zend/zend_dtrace.c:73
#9  0x0000000000583f71 in zend_call_function (fci=fci@entry=0x7fff0dd0c5c0, fci_cache=<optimized out>, fci_cache@entry=0x0) at /usr/src/debug/php-5.5.18/Zend/zend_execute_API.c:937
#10 0x000000000058416e in call_user_function_ex (function_table=function_table@entry=0xf9fc40, object_pp=<optimized out>, function_name=<optimized out>, retval_ptr_ptr=retval_ptr_ptr@entry=0x7fff0dd0c658, param_count=<optimized out>, params=params@entry=0x7f95f86bb850, no_separation=no_separation@entry=1, symbol_table=symbol_table@entry=0x0) at /usr/src/debug/php-5.5.18/Zend/zend_execute_API.c:725
#11 0x00000000005841c2 in call_user_function (function_table=0xf9fc40, object_pp=object_pp@entry=0x0, function_name=function_name@entry=0x130f5f8, retval_ptr=0x1303a98, param_count=param_count@entry=2, params=params@entry=0x7fff0dd0c6c0) at /usr/src/debug/php-5.5.18/Zend/zend_execute_API.c:698
#12 0x000000000049bc7c in ps_call_handler (func=0x130f5f8, argc=argc@entry=2, argv=argv@entry=0x7fff0dd0c6c0) at /usr/src/debug/php-5.5.18/ext/session/mod_user.c:53
#13 0x000000000049bf85 in ps_write_user (mod_data=<optimized out>, key=0x12e6cb8 "993g0n8iviv2rugd5rtdrucnt3", val=0x65b1ad "", vallen=0) at /usr/src/debug/php-5.5.18/ext/session/mod_user.c:157
#14 0x0000000000493eb8 in php_session_save_current_state () at /usr/src/debug/php-5.5.18/ext/session/session.c:544
#15 0x00000000004944d6 in php_session_flush () at /usr/src/debug/php-5.5.18/ext/session/session.c:1619
#16 zm_deactivate_session (type=<optimized out>, module_number=<optimized out>) at /usr/src/debug/php-5.5.18/ext/session/session.c:2348
#17 0x0000000000599514 in zend_deactivate_modules () at /usr/src/debug/php-5.5.18/Zend/zend_API.c:2433
#18 0x0000000000532225 in php_request_shutdown (dummy=dummy@entry=0x0) at /usr/src/debug/php-5.5.18/main/main.c:1777
#19 0x0000000000421934 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/php-5.5.18/sapi/fpm/fpm/fpm_main.c:1977

Test script:
---------------
I have yet to find what code or extension would be triggering this.
It happens 100% of the time when loading my Gallery3 install, and sometimes on a Wordpress install (not often), but from what I saw, not on any other (simpler) website I host, which also uses PHP.


 [2014-11-06 05:34 UTC] php dot net at danslereseau dot com
While trying to debug this, I found this code that crashes php (cli and php-fpm):

<?php

// Calling into the mysql extension from inside the session save handler is
// what triggers the crash; the failing connection attempt is silenced with @.
function crash() {
    @mysql_connect('127.0.0.2');
}

// Minimal user-level session save handler. read() and write() both call
// crash(); the other callbacks only return TRUE.
class Session_Handler_T {
    public function open($path, $name)
    {
        return TRUE;
    }

    public function close()
    {
        return TRUE;
    }

    public function read($id)
    {
        crash();
        return TRUE;
    }

    public function write($id, $data)
    {
        crash();
        return TRUE;
    }

    public function destroy($id)
    {
        return TRUE;
    }

    public function gc($maxlifetime)
    {
        return TRUE;
    }
}

// The save handler is installed and the session started from inside the
// uncaught-exception handler, so write() runs during request shutdown
// (see ps_write_user <- php_session_flush <- php_request_shutdown in the traces).
class ExceptHandler extends Exception {
    public static function handle(Exception $e) {
        $handler = new Session_Handler_T();
        session_set_save_handler(
            array($handler, 'open'),
            array($handler, 'close'),
            array($handler, 'read'),
            array($handler, 'write'),
            array($handler, 'destroy'),
            array($handler, 'gc')
        );
        session_start();
    }
}

set_exception_handler(array('ExceptHandler', 'handle'));
throw new Exception('test');

?>

But it gives a different stack trace (this one was obtained using php-cli instead of php-fpm, but php-fpm crashes on this code too):

#0  0x00007fffe3fd6b6f in php_mysql_do_connect (ht=<optimized out>, return_value=0x7ffff7fdb490, persistent=<optimized out>, 
    return_value_used=<optimized out>, this_ptr=<optimized out>, return_value_ptr=<optimized out>) at /usr/src/debug/php-5.5.18/ext/mysql/php_mysql.c:1023
#1  0x000000000058615b in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, return_value_used=<optimized out>)
    at /usr/src/debug/php-5.5.18/Zend/zend_dtrace.c:97
#2  0x0000000000646795 in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /usr/src/debug/php-5.5.18/Zend/zend_vm_execute.h:552
#3  0x00000000005c04a8 in execute_ex (execute_data=0x7ffff7fa21a0) at /usr/src/debug/php-5.5.18/Zend/zend_vm_execute.h:363
#4  0x0000000000586059 in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/debug/php-5.5.18/Zend/zend_dtrace.c:73
#5  0x0000000000646de0 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa2098) at /usr/src/debug/php-5.5.18/Zend/zend_vm_execute.h:584
#6  0x00000000005c04a8 in execute_ex (execute_data=0x7ffff7fa2098) at /usr/src/debug/php-5.5.18/Zend/zend_vm_execute.h:363
#7  0x0000000000586059 in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/debug/php-5.5.18/Zend/zend_dtrace.c:73
#8  0x0000000000588391 in zend_call_function (fci=fci@entry=0x7fffffffca60, fci_cache=<optimized out>, fci_cache@entry=0x0)
    at /usr/src/debug/php-5.5.18/Zend/zend_execute_API.c:937
#9  0x000000000058858e in call_user_function_ex (function_table=function_table@entry=0x999a00, object_pp=<optimized out>, function_name=<optimized out>, 
    retval_ptr_ptr=retval_ptr_ptr@entry=0x7fffffffcaf8, param_count=<optimized out>, params=params@entry=0x7ffff7fd5a38, no_separation=no_separation@entry=1, 
    symbol_table=symbol_table@entry=0x0) at /usr/src/debug/php-5.5.18/Zend/zend_execute_API.c:725
#10 0x00000000005885e2 in call_user_function (function_table=0x999a00, object_pp=object_pp@entry=0x0, function_name=function_name@entry=0x7ffff7fdaef8, 
    retval_ptr=0x7ffff7fd5fd0, param_count=param_count@entry=2, params=params@entry=0x7fffffffcb60) at /usr/src/debug/php-5.5.18/Zend/zend_execute_API.c:698
#11 0x000000000049ffec in ps_call_handler (func=0x7ffff7fdaef8, argc=argc@entry=2, argv=argv@entry=0x7fffffffcb60)
    at /usr/src/debug/php-5.5.18/ext/session/mod_user.c:53
#12 0x00000000004a02f5 in ps_write_user (mod_data=<optimized out>, key=0x7ffff7fd6878 "lq1a5due6hkmutv0tnqg0m95s3", val=0x65844d "", vallen=0)
    at /usr/src/debug/php-5.5.18/ext/session/mod_user.c:157
#13 0x0000000000498228 in php_session_save_current_state () at /usr/src/debug/php-5.5.18/ext/session/session.c:544
#14 0x0000000000498846 in php_session_flush () at /usr/src/debug/php-5.5.18/ext/session/session.c:1619
#15 zm_deactivate_session (type=<optimized out>, module_number=<optimized out>) at /usr/src/debug/php-5.5.18/ext/session/session.c:2348
#16 0x000000000059d934 in zend_deactivate_modules () at /usr/src/debug/php-5.5.18/Zend/zend_API.c:2433
#17 0x0000000000536645 in php_request_shutdown (dummy=dummy@entry=0x0) at /usr/src/debug/php-5.5.18/main/main.c:1777
#18 0x000000000064792a in do_cli (argc=1, argv=0x998e30) at /usr/src/debug/php-5.5.18/sapi/cli/php_cli.c:1177
#19 0x0000000000421a60 in main (argc=1, argv=0x998e30) at /usr/src/debug/php-5.5.18/sapi/cli/php_cli.c:1378
 [2017-09-21 15:45 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2017-09-21 15:45 UTC] cmb@php.net
Support for PHP 5.5 has ended quite a while ago. Can you still reproduce this
issue with a currently supported PHP version?
 [2017-09-21 15:52 UTC] php dot net at danslereseau dot com
-Status: Feedback +Status: Assigned
 [2017-09-21 15:52 UTC] php dot net at danslereseau dot com
Yes, the code snippet posted on 2014-11-06 05:34 UTC still crashes PHP 5.6.31 from CLI.

$ php crash.php 
Segmentation fault

$ php -v
PHP 5.6.31 (cli) (built: Aug 14 2017 17:37:23) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
 [2017-09-21 16:11 UTC] cmb@php.net
-Status: Assigned +Status: Open -Assigned To: cmb +Assigned To:
 [2017-09-21 16:11 UTC] cmb@php.net
Thanks for the quick reply! I'm not accustomed to the MySQL extension, which
apparently causes the segfault, so I'm unassigning myself. Sorry.
 [2021-10-11 13:06 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-10-11 13:06 UTC] cmb@php.net
On a closer look, this might not be related to the mysql extension
at all, but rather to the session extension and/or the shutdown
sequence.  Since mysql is unbundled as of PHP 7.0.0 (and unlikely
to receive bug fixes), I've tried with mysqli_real_connect() and
curl_init(), but there was no segfault for me.  Can you still
reproduce the segfault with any of the actively supported PHP
versions[1]?  Also if you call another extension in crash(), or is
this actually mysql related?

[1] <https://www.php.net/supported-versions.php>
 [2021-10-11 13:20 UTC] php dot net at danslereseau dot com
-Status: Feedback +Status: Assigned
 [2021-10-11 13:20 UTC] php dot net at danslereseau dot com
No, I can't reproduce now.
I tried on PHP 7.2, 7.3, 7.4 and 8.0, using CLI.
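The reproducer posted on 2014-11-06 was re-checked by hand one interpreter at a time (the 2017 run of `php crash.php` on 5.6.31 and the 2021 runs on 7.2 through 8.0), each time reading the "Segmentation fault" message by eye. The following is an added example, not part of the bug report and not PHP project code: a small POSIX shell harness that runs a reproducer against a list of PHP binaries and classifies each run by exit status, which is how a crash regression check can be scripted into a CI job. The script name `crash.php` and interpreter names such as `php7.4` are assumptions; adjust them to the local installation.

```shell
#!/bin/sh
# Added example, not from the bug report: run a crash reproducer against
# several PHP interpreters and classify each run by its exit status.
# Assumed inputs: the reproducer saved as crash.php, and interpreter names
# such as php5.6 / php7.4 / php8.0 on PATH (adjust to your installation).

# Map an exit status to a verdict. A POSIX shell reports a child killed by
# a signal as 128 + signal number, so SIGSEGV (11) appears as 139 and
# SIGABRT (6, e.g. an assertion in a debug build) as 134.
classify_status() {
    case "$1" in
        0)   echo "ok" ;;
        139) echo "segfault" ;;
        134) echo "abort" ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "signal-$(( $1 - 128 ))"
             else
                 echo "exit-$1"
             fi ;;
    esac
}

# Run one script with one interpreter and print the verdict on stdout.
# The interpreter's own output is discarded so only the exit status counts.
# The failing command is guarded with || so the function also works under
# "set -e" (a segfault must be recorded, not abort the harness).
run_reproducer() {
    interp="$1"
    script="$2"
    if ! command -v "$interp" >/dev/null 2>&1; then
        echo "missing"
        return 0
    fi
    status=0
    "$interp" "$script" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Try every interpreter given on the command line against the reproducer
# and print one line per interpreter: "<interpreter> <PHP version> <verdict>".
# Usage: sh crashcheck.sh php5.6 php7.4 php8.0
#        CRASH_SCRIPT=other.php sh crashcheck.sh php8.0
main() {
    script="${CRASH_SCRIPT:-crash.php}"
    for interp in "$@"; do
        verdict=$(run_reproducer "$interp" "$script")
        if [ "$verdict" = "missing" ]; then
            version="-"
        else
            version=$("$interp" -r 'echo PHP_VERSION;' 2>/dev/null || echo "?")
        fi
        printf '%s %s %s\n' "$interp" "$version" "$verdict"
    done
}

# Run main only when interpreters are given; sourcing the file with no
# arguments just defines the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The verdict column is what a CI job should gate on: a reproducer that was expected to crash and now reports `ok` is the "fixed in the meantime" outcome this thread ends on, while any `segfault` or `signal-*` verdict on a supported interpreter is worth a fresh report with a fresh backtrace.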
 [2021-10-11 13:31 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2021-10-11 13:31 UTC] cmb@php.net
Thanks for the swift reply!  I assume the issue has been fixed in
the meantime.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Fri May 09 13:01:28 2025 UTC