php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75294 Piwik login SIGSEV [zend_mm_alloc_small via Zend_Db_Statement_Mysqli->_execute]
Submitted: 2017-09-30 05:07 UTC Modified: 2017-11-05 04:22 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: greenreaper at hotmail dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 7.2.0RC3 OS: Debian Stretch (w/Linux 4.12.6)
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: greenreaper at hotmail dot com
New email:
PHP Version: OS:

 

 [2017-09-30 05:07 UTC] greenreaper at hotmail dot com 
Description:
------------
Attempting to access the UI/login page (index.php) of the Piwik web analytics system leads to a PHP-FPM worker SIGSEV in PHP 7.2.0RC3 - not occuring with PHP 7.2.0RC1 - during small memory allocation while executing a just-prepared MySQL query.

Installed PHP packages:
php-apcu php-apcu-bc php-common php-geoip php-igbinary php7.2-cli php7.2-common php7.2-curl php7.2-fpm php7.2-gd php7.2-intl php7.2-json php7.2-mbstring php7.2-mysql php7.2-opcache php7.2-pgsql php7.2-readline php7.2-xml 

The crash occurs 100% repeatably for me, at what I think is (from bt address):
  heap->free_slot[bin_num] = p->next_free_slot;
in zend_mm_alloc_small(), when called from ZEND_FE_FETCH_RW_SPEC_VAR_HANDLER():

if (EXPECTED((value_type & Z_TYPE_MASK) != IS_REFERENCE)) {
	zend_refcounted *gc = Z_COUNTED_P(value);
	zval *ref;
>	ZVAL_NEW_EMPTY_REF(value);
	ref = Z_REFVAL_P(value);
	ZVAL_COPY_VALUE_EX(ref, value, gc, value_type);
}

At this point Mysqli is being used to execute a default login command (for the user "anonymous", password "anonymous"). I imagine the crash might be due to earlier corruption, though.

Piwik's *tracking* code appears to still be working, judging by MySQL traffic.

The crash occurred consistently when I ran the UI alone with a separate master process of php-fpm via a separate Unix socket and a copy of your production ini:
php-fpm7.2 --nodaemonize --fpm-config /etc/php/7.2/fpmtest/php-fpm.conf -c /etc/php/7.2/fpmtest/php.ini.production

...as well as when it was sharing a pool and socket with the tracking code and the website it was tracking.

With USE_ZEND_ALLOC=0 it also crashes, around mysqlnd_mysqlnd_object_factory_get_prepared_statement_pub (see backtrace).

Test script:
---------------
I am using Piwik 3.1.2-b2, which was working with PHP 7.2.0RC1:
https://poser.pugx.org/piwik/piwik/v/unstable
https://packagist.org/packages/piwik/piwik

To run PHP I am currently using Sury's packages for Debian Stretch (x86_64, dual-CPU, 8 cores each):

https://packages.sury.org/php/pool/main/p/php7.2/
https://packages.sury.org/php/README.txt


Actual result:
--------------
(gdb) bt
#0  zend_mm_alloc_small (bin_num=2, size=<optimized out>, heap=0x7f3a6b400040) at ./Zend/zend_alloc.c:1261
#1  _emalloc_24 () at ./Zend/zend_alloc.c:2336
#2  0x00005569188438e0 in ZEND_FE_FETCH_RW_SPEC_VAR_HANDLER () at ./Zend/zend_vm_execute.h:17139
#3  0x00005569188630bb in execute_ex (ex=0x7f3a6b400040) at ./Zend/zend_vm_execute.h:60823
#4  0x000055691886a87e in zend_execute (op_array=op_array@entry=0x7f3a6b4740e0, return_value=return_value@entry=0x7f3a59393c98) at ./Zend/zend_vm_execute.h:63763
#5  0x00005569187b8f73 in zend_execute_scripts (type=1799489152, type@entry=8, retval=0x7f3a59393c98, retval@entry=0x0, file_count=file_count@entry=3)
    at ./Zend/zend.c:1496
#6  0x0000556918754048 in php_execute_script (primary_file=0x7ffddc6bd320) at ./main/main.c:2590
#7  0x000055691860c50a in main (argc=<optimized out>, argv=<optimized out>) at ./sapi/fpm/fpm/fpm_main.c:1966

(gdb) zbacktrace
[0x7f3a6b420680] Zend_Db_Statement_Mysqli->_execute(reference) /[censored]/piwik/libs/Zend/Db/Statement/Mysqli.php:246
[0x7f3a6b4205d0] Zend_Db_Statement->execute(array(1)[0x7f3a6b420620]) /[censored]/piwik/libs/Zend/Db/Statement.php:300
[0x7f3a6b420540] Zend_Db_Adapter_Abstract->query("SELECT * FROM piwik_user WHERE login = ?", array(1)[0x7f3a6b4205a0]) /[censored]/piwik/libs/Zend/Db/Adapter/Abstract.php:479
[0x7f3a6b420490] Zend_Db_Adapter_Abstract->fetchAll("SELECT * FROM piwik_user WHERE login = ?", "anonymous") /[censored]/piwik/libs/Zend/Db/Adapter/Abstract.php:736
[0x7f3a6b4203d0] Piwik\Plugins\UsersManager\Model->getUser("anonymous") /[censored]/piwik/plugins/UsersManager/Model.php:167
[0x7f3a6b420330] Piwik\Plugins\Login\Auth->authenticateWithTokenOrHashToken("anonymous", "anonymous") /[censored]/piwik/plugins/Login/Auth.php:101
[0x7f3a6b4202c0] Piwik\Plugins\Login\Auth->authenticate() /[censored]/piwik/plugins/Login/Auth.php:61
[0x7f3a6b420240] Piwik\Access->reloadAccess(object[0x7f3a6b420290]) /[censored]/piwik/core/Access.php:154
[0x7f3a6b420140] Piwik\FrontController->init() /[censored]/piwik/core/FrontController.php:374
[0x7f3a6b4200a0] (main) /[censored]/piwik/core/dispatch.php:33
[0x7f3a6b420030] (main) /[censored]/piwik/index.php:27

---

With USE_ZEND_ALLOC=0

Program received signal SIGSEGV, Segmentation fault.
malloc_consolidate (av=av@entry=0x7f9a1a507b00 <main_arena>) at malloc.c:4213
4213    malloc.c: No such file or directory.
(gdb) bt
#0  malloc_consolidate (av=av@entry=0x7f9a1a507b00 <main_arena>) at malloc.c:4213
#1  0x00007f9a1a1e6dca in _int_malloc (av=av@entry=0x7f9a1a507b00 <main_arena>, bytes=bytes@entry=4104) at malloc.c:3488
#2  0x00007f9a1a1e8f34 in __GI___libc_malloc (bytes=4104) at malloc.c:2928
#3  0x000055dd52d39499 in __zend_malloc (len=len@entry=4104) at ./Zend/zend_alloc.c:2811
#4  0x00007f9a1655a631 in _mysqlnd_pemalloc (size=4096, persistent=<optimized out>) at ./ext/mysqlnd/mysqlnd_alloc.c:139
#5  0x00007f9a165640a8 in mysqlnd_mysqlnd_object_factory_get_prepared_statement_pub (conn=0x55dd53bad6e8, persistent=<optimized out>)
    at ./ext/mysqlnd/mysqlnd_driver.c:219
#6  0x00007f9a0d076514 in zif_mysqli_prepare (execute_data=<optimized out>, return_value=0x7f9a1c48c770) at ./ext/mysqli/mysqli_api.c:1862
#7  0x000055dd52e16406 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at ./Zend/zend_vm_execute.h:1032
#8  execute_ex (ex=0x7f9a1a507b00 <main_arena>) at ./Zend/zend_vm_execute.h:59755
#9  0x000055dd52e1687e in zend_execute (op_array=0x55dd53a1eb30, return_value=<optimized out>) at ./Zend/zend_vm_execute.h:63763
#10 0x000055dd52d64f73 in zend_execute_scripts (type=474531584, retval=0x7f9a01487020, file_count=3) at ./Zend/zend.c:1496
#11 0x000055dd52d00048 in php_execute_script (primary_file=0x7fff8d6dd930) at ./main/main.c:2590
#12 0x000055dd52bb850a in main (argc=<optimized out>, argv=<optimized out>) at ./sapi/fpm/fpm/fpm_main.c:1966

(gdb) info locals
fb = 0x7f9a1a507b08 <main_arena+8>
maxfb = 0x7f9a1a507b50 <main_arena+80>
p = 0xd1b00cadee4bc14c
nextp = 0x55dd53be785000
unsorted_bin = 0x7f9a1a507b58 <main_arena+88>
first_unsorted = <optimized out>
nextchunk = 0x55dd53be521f
size = 3337247791795835091
nextsize = 7074365763643912960
prevsize = 3337247791795826531
nextinuse = <optimized out>
bck = <optimized out>
fwd = <optimized out>

(gdb) frame 1
#1  0x00007f9a1a1e6dca in _int_malloc (av=av@entry=0x7f9a1a507b00 <main_arena>, bytes=bytes@entry=4104) at malloc.c:3488
3488    in malloc.c
(gdb) info locals
nb = 4112
idx = 99
[others optimized out]

(gdb) frame 5
(gdb) frame 5
#5  0x00007f9a165640a8 in mysqlnd_mysqlnd_object_factory_get_prepared_statement_pub (conn=0x55dd53bad6e8, persistent=<optimized out>)
    at ./ext/mysqlnd/mysqlnd_driver.c:219
219     ./ext/mysqlnd/mysqlnd_driver.c: No such file or directory.
(gdb) info locals
alloc_size = <optimized out>
ret = 0x55dd53ba2eb8
stmt = 0x55dd53ba2b98

(gdb) frame 6
#6  0x00007f9a0d076514 in zif_mysqli_prepare (execute_data=<optimized out>, return_value=0x7f9a1c48c770) at ./ext/mysqli/mysqli_api.c:1862
1862    ./ext/mysqli/mysqli_api.c: No such file or directory.
(gdb) info locals
mysql = 0x55dd53b8f9e0
stmt = 0x55dd53ba41f0
query = 0x55dd53be2638 "SELECT * FROM piwik_user WHERE login = ?"
query_len = 40
mysql_link = 0x7f9a1c48c7c0
mysqli_resource = <optimized out>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-10-03 06:30 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2017-10-03 06:30 UTC] laruence@php.net 
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.
 [2017-10-29 17:15 UTC] greenreaper at hotmail dot com 
To be honest, it'd be tricky to do that, not being the developer of Piwik or skilled with PHP debugging. It's why I linked the script. :-)

That said, I've tried again with 7.2.0RC5 from the same repository (built Oct 27) and the problem no longer reproduces. Possibly was solved along with bug #75357 (segfault loading WordPress wp-admin)?
 [2017-11-05 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 13:01:29 2024 UTC