Bug #81607 Segmentation fault for opcache.enable_cli=1
Submitted: 2021-11-10 22:36 UTC Modified: 2021-11-11 15:57 UTC
From: mails at thomasbley dot de Assigned:
Status: Closed Package: opcache
PHP Version: 8.1.0RC5 OS: linux
Private report: No CVE-ID: None
 [2021-11-10 22:36 UTC] mails at thomasbley dot de
Description:
------------
php -dopcache.enable_cli=1 psalm --config=psalm.xml.dist --no-cache --threads=8
Scanning files...
Segmentation fault

php -v
PHP 8.1.0RC5 (cli) (built: Nov  4 2021 14:57:53) (NTS)

php -r "echo implode(',', get_loaded_extensions());"
Core,date,libxml,openssl,pcre,zlib,filter,hash,json,pcntl,Reflection,SPL,session,standard,sodium,mysqlnd,PDO,xml,apcu,calendar,ctype,curl,dom,mbstring,FFI,fileinfo,ftp,gettext,iconv,intl,exif,mysqli,pcov,pdo_mysql,Phar,posix,readline,shmop,SimpleXML,soap,sockets,sysvmsg,sysvsem,sysvshm,tokenizer,xmlreader,xmlwriter,xsl,zip,Zend OPcache

Test script:
---------------
error case:

git clone --depth=1 git@github.com:vimeo/psalm.git
cd psalm/
composer install
php -dopcache.enable_cli=1 psalm --config=psalm.xml.dist --no-cache --threads=8
Scanning files...
Segmentation fault

ok case:
php -dopcache.enable_cli=0 psalm --config=psalm.xml.dist --no-cache --threads=8
php -dopcache.enable_cli=1 psalm --config=psalm.xml.dist --no-cache --threads=1

Expected result:
----------------
no segfault

Actual result:
--------------
Segmentation fault

History
 [2021-11-10 22:43 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2021-11-10 22:43 UTC] requinix@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2021-11-11 11:46 UTC] mails at thomasbley dot de
-Status: Feedback +Status: Open
 [2021-11-11 11:46 UTC] mails at thomasbley dot de
php -dopcache.enable_cli=1 psalm --config=psalm.xml.dist --no-cache --threads=8
Scanning files...
Segmentation fault (core dumped)

I've uploaded the dumps to https://github.com/thomasbley/core-dumps
 [2021-11-11 11:50 UTC] mails at thomasbley dot de
core-php.19213

#0  0x00005601a8052b67 in ?? ()
#1  0x00005601a80544fe in php_var_unserialize ()
#2  0x00005601a804320a in php_unserialize_with_options ()
#3  0x00005601a8043457 in ?? ()
#4  0x00005601a7ef1d1c in ?? ()
#5  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#6  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#7  0x00005601a7ef27a2 in ?? ()
#8  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#9  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#10 0x00005601a7ef27a2 in ?? ()
#11 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#12 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#13 0x00005601a7ef27a2 in ?? ()
#14 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#15 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#16 0x00005601a7ef27a2 in ?? ()
#17 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#18 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#19 0x00005601a7ef24f0 in ?? ()
#20 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#21 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#22 0x00005601a7ef24f0 in ?? ()
#23 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#24 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#25 0x00005601a7ef24f0 in ?? ()
#26 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#27 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#28 0x00005601a813824d in zend_execute ()
#29 0x00005601a80c9615 in zend_execute_scripts ()
#30 0x00005601a80668ca in php_execute_script ()
#31 0x00005601a81b0e1e in ?? ()
#32 0x00005601a7f0bea8 in ?? ()
#33 0x00007ff8639610b3 in __libc_start_main (main=0x5601a7f0baa0, argc=7, argv=0x7ffd53709558, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd53709548) at ../csu/libc-start.c:308
#34 0x00005601a7f0c04e in _start ()
 [2021-11-11 11:55 UTC] mails at thomasbley dot de
core-php.19219

#0  0x00005601a80bfcc4 in instanceof_function_slow ()
#1  0x00005601a80ebcfa in ?? ()
#2  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#3  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#4  0x00005601a7ef24f0 in ?? ()
#5  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#6  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#7  0x00005601a7ef27a2 in ?? ()
#8  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#9  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#10 0x00005601a7ef27a2 in ?? ()
#11 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#12 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#13 0x00005601a7ef27a2 in ?? ()
#14 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#15 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#16 0x00005601a7ef27a2 in ?? ()
#17 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#18 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#19 0x00005601a7ef27a2 in ?? ()
#20 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#21 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#22 0x00005601a7ef27a2 in ?? ()
#23 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#24 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#25 0x00005601a7ef27a2 in ?? ()
#26 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#27 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#28 0x00005601a7ef27a2 in ?? ()
#29 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#30 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#31 0x00005601a7ef27a2 in ?? ()
#32 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#33 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#34 0x00005601a7ef24f0 in ?? ()
#35 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#36 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#37 0x00005601a7ef24f0 in ?? ()
#38 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#39 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#40 0x00005601a7ef24f0 in ?? ()
#41 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#42 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#43 0x00005601a7ef27a2 in ?? ()
#44 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#45 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#46 0x00005601a7ef24f0 in ?? ()
#47 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#48 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#49 0x00005601a7ef27a2 in ?? ()
#50 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#51 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#52 0x00005601a7ef27a2 in ?? ()
#53 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#54 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#55 0x00005601a7ef24f0 in ?? ()
#56 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#57 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#58 0x00005601a7ef24f0 in ?? ()
#59 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#60 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#61 0x00005601a7ef24f0 in ?? ()
#62 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#63 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#64 0x00005601a813824d in zend_execute ()
#65 0x00005601a80c9615 in zend_execute_scripts ()
#66 0x00005601a80668ca in php_execute_script ()
#67 0x00005601a81b0e1e in ?? ()
#68 0x00005601a7f0bea8 in ?? ()
#69 0x00007ff8639610b3 in __libc_start_main (main=0x5601a7f0baa0, argc=7, argv=0x7ffd53709558, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd53709548) at ../csu/libc-start.c:308
#70 0x00005601a7f0c04e in _start ()

core-php.19220

#0  0x00005601a80cbc74 in object_init_ex ()
#1  0x00005601a8106495 in ?? ()
#2  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#3  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#4  0x00005601a7ef24f0 in ?? ()
#5  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#6  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#7  0x00005601a7ef27a2 in ?? ()
#8  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#9  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#10 0x00005601a7ef27a2 in ?? ()
#11 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#12 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#13 0x00005601a7ef24f0 in ?? ()
#14 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#15 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#16 0x00005601a7ef24f0 in ?? ()
#17 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#18 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#19 0x00005601a7ef24f0 in ?? ()
#20 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#21 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#22 0x00005601a813824d in zend_execute ()
#23 0x00005601a80c9615 in zend_execute_scripts ()
#24 0x00005601a80668ca in php_execute_script ()
#25 0x00005601a81b0e1e in ?? ()
#26 0x00005601a7f0bea8 in ?? ()
#27 0x00007ff8639610b3 in __libc_start_main (main=0x5601a7f0baa0, argc=7, argv=0x7ffd53709558, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd53709548) at ../csu/libc-start.c:308
#28 0x00005601a7f0c04e in _start ()

core-php.19221

#0  0x00005601a80cbc74 in object_init_ex ()
#1  0x00005601a8106495 in ?? ()
#2  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#3  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#4  0x00005601a7ef24f0 in ?? ()
#5  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#6  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#7  0x00005601a7ef27a2 in ?? ()
#8  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#9  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#10 0x00005601a7ef27a2 in ?? ()
#11 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#12 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#13 0x00005601a7ef24f0 in ?? ()
#14 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#15 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#16 0x00005601a7ef24f0 in ?? ()
#17 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#18 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#19 0x00005601a7ef24f0 in ?? ()
#20 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#21 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#22 0x00005601a813824d in zend_execute ()
#23 0x00005601a80c9615 in zend_execute_scripts ()
#24 0x00005601a80668ca in php_execute_script ()
#25 0x00005601a81b0e1e in ?? ()
#26 0x00005601a7f0bea8 in ?? ()
#27 0x00007ff8639610b3 in __libc_start_main (main=0x5601a7f0baa0, argc=7, argv=0x7ffd53709558, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd53709548) at ../csu/libc-start.c:308
#28 0x00005601a7f0c04e in _start ()

core-php.19222

#0  0x00005601a80cbc74 in object_init_ex ()
#1  0x00005601a8106495 in ?? ()
#2  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#3  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#4  0x00005601a7ef24f0 in ?? ()
#5  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#6  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#7  0x00005601a7ef27a2 in ?? ()
#8  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#9  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#10 0x00005601a7ef27a2 in ?? ()
#11 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#12 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#13 0x00005601a7ef24f0 in ?? ()
#14 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#15 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#16 0x00005601a7ef24f0 in ?? ()
#17 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#18 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#19 0x00005601a7ef24f0 in ?? ()
#20 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#21 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#22 0x00005601a813824d in zend_execute ()
#23 0x00005601a80c9615 in zend_execute_scripts ()
#24 0x00005601a80668ca in php_execute_script ()
#25 0x00005601a81b0e1e in ?? ()
#26 0x00005601a7f0bea8 in ?? ()
#27 0x00007ff8639610b3 in __libc_start_main (main=0x5601a7f0baa0, argc=7, argv=0x7ffd53709558, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd53709548) at ../csu/libc-start.c:308
#28 0x00005601a7f0c04e in _start ()
 [2021-11-11 12:05 UTC] cmb@php.net
-Status: Open +Status: Feedback
 [2021-11-11 12:05 UTC] cmb@php.net
Thank you for the backtraces (although backtraces with debug
symbols might be more helpful).  Anyhow, does it also segfault
when pcov is disabled?
 [2021-11-11 12:54 UTC] mails at thomasbley dot de
-Status: Feedback +Status: Open
 [2021-11-11 12:54 UTC] mails at thomasbley dot de
yes

core-php.27635

#0  0x0000557656c14b67 in ?? ()
#1  0x0000557656c164fe in php_var_unserialize ()
#2  0x0000557656c0520a in php_unserialize_with_options ()
#3  0x0000557656c05457 in ?? ()
#4  0x0000557656cf4081 in execute_ex ()
#5  0x0000557656cfa24d in zend_execute ()
#6  0x0000557656c8b615 in zend_execute_scripts ()
#7  0x0000557656c288ca in php_execute_script ()
#8  0x0000557656d72e1e in ?? ()
#9  0x0000557656acdea8 in ?? ()
#10 0x00007f61a2a310b3 in __libc_start_main (main=0x557656acdaa0, argc=6, argv=0x7ffd37a1c568, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd37a1c558) at ../csu/libc-start.c:308
#11 0x0000557656ace04e in _start ()

core-php.27636

#0  0x0000557656c81cc4 in instanceof_function_slow ()
#1  0x0000557656cadcfa in ?? ()
#2  0x0000557656cf29f6 in execute_ex ()
#3  0x0000557656cfa24d in zend_execute ()
#4  0x0000557656c8b615 in zend_execute_scripts ()
#5  0x0000557656c288ca in php_execute_script ()
#6  0x0000557656d72e1e in ?? ()
#7  0x0000557656acdea8 in ?? ()
#8  0x00007f61a2a310b3 in __libc_start_main (main=0x557656acdaa0, argc=6, argv=0x7ffd37a1c568, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd37a1c558) at ../csu/libc-start.c:308
#9  0x0000557656ace04e in _start ()

core-php.27637

#0  0x0000557656c8dc74 in object_init_ex ()
#1  0x0000557656cc8495 in ?? ()
#2  0x0000557656cf147d in execute_ex ()
#3  0x0000557656cfa24d in zend_execute ()
#4  0x0000557656c8b615 in zend_execute_scripts ()
#5  0x0000557656c288ca in php_execute_script ()
#6  0x0000557656d72e1e in ?? ()
#7  0x0000557656acdea8 in ?? ()
#8  0x00007f61a2a310b3 in __libc_start_main (main=0x557656acdaa0, argc=6, argv=0x7ffd37a1c568, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd37a1c558) at ../csu/libc-start.c:308
#9  0x0000557656ace04e in _start ()

core-php.27638

#0  0x0000557656c8dc74 in object_init_ex ()
#1  0x0000557656cc8495 in ?? ()
#2  0x0000557656cf147d in execute_ex ()
#3  0x0000557656cfa24d in zend_execute ()
#4  0x0000557656c8b615 in zend_execute_scripts ()
#5  0x0000557656c288ca in php_execute_script ()
#6  0x0000557656d72e1e in ?? ()
#7  0x0000557656acdea8 in ?? ()
#8  0x00007f61a2a310b3 in __libc_start_main (main=0x557656acdaa0, argc=6, argv=0x7ffd37a1c568, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd37a1c558) at ../csu/libc-start.c:308
#9  0x0000557656ace04e in _start ()

core-php.27639

#0  0x0000557656c8dc74 in object_init_ex ()
#1  0x0000557656cc8495 in ?? ()
#2  0x0000557656cf147d in execute_ex ()
#3  0x0000557656cfa24d in zend_execute ()
#4  0x0000557656c8b615 in zend_execute_scripts ()
#5  0x0000557656c288ca in php_execute_script ()
#6  0x0000557656d72e1e in ?? ()
#7  0x0000557656acdea8 in ?? ()
#8  0x00007f61a2a310b3 in __libc_start_main (main=0x557656acdaa0, argc=6, argv=0x7ffd37a1c568, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd37a1c558) at ../csu/libc-start.c:308
#9  0x0000557656ace04e in _start ()
 [2021-11-11 13:17 UTC] mails at thomasbley dot de
Seems this code causes the segfault:

./src/Psalm/Internal/Fork/Pool.php:352
$message = unserialize(base64_decode($serialized_message, true));

data is:

O:39:"Psalm\Internal\Fork\ForkTaskDoneMessage":1:{s:4:"data";N;}

interface ForkMessage
{
}

class ForkTaskDoneMessage implements ForkMessage
{
    /** @var mixed */
    public $data;

    /**
     * @param mixed $data
     */
    public function __construct($data)
    {
        $this->data = $data;
    }
}
 [2021-11-11 15:44 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2021-11-11 15:44 UTC] nikic@php.net
Can at least confirm the segfault. The class entry read from CE cache is corrupted.
 [2021-11-11 15:51 UTC] nikic@php.net
I believe this is a suspected issue where one process allocates a new map ptr slot on an existing shm interned string and another tries to use it with a too small map ptr segment.

At least the ce cache slot seems to be one past the end of the map ptr segment.
 [2021-11-11 15:57 UTC] nikic@php.net
Here's a small reproducer:

<?php

// Create a SHM interned string for FooBar.
var_dump("FooBar");

$pid = pcntl_fork();
if ($pid == 0) {
    // Child: Declare class FooBar {} to allocate CE cache slot.
    require __DIR__ . '/t480_2.php';
} else if ($pid > 0) {
    pcntl_wait($status);
    var_dump(new FooBar); // Crash.
} else {
    echo "pcntl_fork() failed\n";
}

t480_2.php:
<?php
class FooBar {}
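The Pool.php round trip shown above (serialize, base64, unserialize of a ForkTaskDoneMessage in the parent) and the ordering that nikic's reproducer depends on (the child declares the class, the parent uses it afterwards), as one added example; this is not Psalm's or php-src's code. ForkMessage and ForkTaskDoneMessage follow the snippet from the report; encodeForkMessage, decodeForkMessage, the socket pair, the sample result and the stdClass payload are mine. The comment on declaring the message classes before pcntl_fork() is a workaround derived from the reproducer, not something the report states; the fix is the referenced commit. Assumes a Unix CLI with the pcntl extension loaded.

```php
<?php
// Added example (not Psalm's or php-src's code). Assumes the CLI has the
// pcntl extension loaded, as in the submitter's extension list, and runs on
// a Unix-like system where stream_socket_pair() is available.
declare(strict_types=1);

interface ForkMessage
{
}

final class ForkTaskDoneMessage implements ForkMessage
{
    /** @var mixed */
    public $data;

    /** @param mixed $data */
    public function __construct($data)
    {
        $this->data = $data;
    }
}

// Child side: encode a message the way Pool.php does (serialize + base64).
function encodeForkMessage(ForkMessage $message): string
{
    return base64_encode(serialize($message));
}

// Parent side: the counterpart of Pool.php:352, with two checks added:
// strict base64 decoding must succeed, and unserialize() may only
// instantiate the classes listed in $allowedClasses; anything else comes
// back as __PHP_Incomplete_Class (or false) and fails the instanceof test.
function decodeForkMessage(string $encoded, array $allowedClasses): ForkMessage
{
    $serialized = base64_decode($encoded, true);
    if ($serialized === false) {
        throw new UnexpectedValueException('message is not valid base64');
    }
    $message = @unserialize($serialized, ['allowed_classes' => $allowedClasses]);
    if (!$message instanceof ForkMessage) {
        throw new UnexpectedValueException('unexpected message type: ' . get_debug_type($message));
    }
    return $message;
}

// Assumed workaround for the CE cache race in this report (derived from
// nikic's reproducer, where the crash needs the *child* to declare the class
// first): every class the parent will receive after the fork is declared
// above, before pcntl_fork(), so the children inherit the parent's class
// entry cache slot instead of allocating one the parent never sees.
$pair = stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP);
if ($pair === false) {
    fwrite(STDERR, "stream_socket_pair() failed\n");
    exit(1);
}
[$parentSocket, $childSocket] = $pair;

$pid = pcntl_fork();
if ($pid === -1) {
    fwrite(STDERR, "pcntl_fork() failed\n");
    exit(1);
}

if ($pid === 0) {
    // Child: do some work and report it as one newline-terminated line
    // (base64 never contains a newline, so fgets() on the other side is safe).
    fclose($parentSocket);
    $result = ['files_scanned' => 3]; // constructed sample result
    fwrite($childSocket, encodeForkMessage(new ForkTaskDoneMessage($result)) . "\n");
    fclose($childSocket);
    exit(0);
}

// Parent: read the child's line, reap the child, decode the message.
fclose($childSocket);
$line = fgets($parentSocket);
fclose($parentSocket);
pcntl_waitpid($pid, $status);

if ($line === false) {
    fwrite(STDERR, "child sent no message\n");
    exit(1);
}
$message = decodeForkMessage(rtrim($line, "\n"), [ForkTaskDoneMessage::class]);
var_dump($message->data);

// A constructed payload for a class outside the allow list is rejected
// instead of being instantiated.
$foreign = base64_encode('O:8:"stdClass":0:{}');
try {
    decodeForkMessage($foreign, [ForkTaskDoneMessage::class]);
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The allow list does not prevent the crash in this report, which happens inside object_init_ex for a class that *is* expected; it limits what an unserialize() call on inter-process data can instantiate, which is the check a reviewer would ask for at Pool.php:352 regardless of this bug.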
 [2021-11-12 18:23 UTC] mails at thomasbley dot de
Here is an update with 8.1.0RC6 and more debugging information:

git clone --branch=php-8.1.0RC6 --depth=1 git@github.com:php/php-src.git
cd php-src
./buildconf --force
./configure --enable-debug --without-sqlite3 --without-pdo-sqlite --enable-pcntl --enable-opcache --enable-mbstring
make


/home/***/code/php-src/sapi/cli/php -dextension_dir=/home/***/code/php-src/modules -dzend_extension=opcache.so -dopcache.enable_cli=1 psalm --config=psalm.xml.dist --no-cache --threads=8

#0  0x00005640d022ee2d in php_var_unserialize_internal (rval=0x7fa1d8214940, p=0x7ffcb9318390, max=0x7fa1d5aab2d8 "", var_hash=0x7ffcb9318398)
    at ext/standard/var_unserializer.re:1271
#1  0x00005640d022d01a in php_var_unserialize (rval=0x7fa1d8214940, p=0x7ffcb9318390, max=0x7fa1d5aab2d8 "", var_hash=0x7ffcb9318398)
    at ext/standard/var_unserializer.re:831
#2  0x00005640d0218637 in php_unserialize_with_options (return_value=0x7fa1d8214940, 
    buf=0x7fa1d5aab298 "O:39:\"Psalm\\Internal\\Fork\\ForkTaskDoneMessage\":1:{s:4:\"data\";N;}", buf_len=64, options=0x0, 
    function_name=0x5640d0cd8091 "unserialize") at /home/***/code/php-src/ext/standard/var.c:1397
#3  0x00005640d0218af5 in zif_unserialize (execute_data=0x7fa1d8214960, return_value=0x7fa1d8214940)
    at /home/***/code/php-src/ext/standard/var.c:1447
#4  0x00005640d0349faa in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:1297
#5  0x00005640d03bcea8 in execute_ex (ex=0x7fa1d8214020) at /home/***/code/php-src/Zend/zend_vm_execute.h:54509
#6  0x00005640d03c26d4 in zend_execute (op_array=0x7fa1d825d500, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#7  0x00005640d030e17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#8  0x00005640d026b56a in php_execute_script (primary_file=0x7ffcb931ace0) at /home/***/code/php-src/main/main.c:2534
#9  0x00005640d047e790 in do_cli (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#10 0x00005640d047f898 in main (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367

#0  0x00005640d031556c in _object_and_properties_init (arg=0x7fa1d8214890, class_type=0x657270707573006f, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1618
#1  0x00005640d03157c1 in object_init_ex (arg=0x7fa1d8214890, class_type=0x657270707573006f) at /home/***/code/php-src/Zend/zend_API.c:1665
#2  0x00005640d035eccc in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:10143
#3  0x00005640d03be2ef in execute_ex (ex=0x7fa1d8214020) at /home/***/code/php-src/Zend/zend_vm_execute.h:55412
#4  0x00005640d03c26d4 in zend_execute (op_array=0x7fa1d825d500, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#5  0x00005640d030e17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#6  0x00005640d026b56a in php_execute_script (primary_file=0x7ffcb931ace0) at /home/***/code/php-src/main/main.c:2534
#7  0x00005640d047e790 in do_cli (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#8  0x00005640d047f898 in main (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367

#0  0x00005640d031556c in _object_and_properties_init (arg=0x7fa1d8214890, class_type=0x657270707573006f, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1618
#1  0x00005640d03157c1 in object_init_ex (arg=0x7fa1d8214890, class_type=0x657270707573006f) at /home/***/code/php-src/Zend/zend_API.c:1665
#2  0x00005640d035eccc in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:10143
#3  0x00005640d03be2ef in execute_ex (ex=0x7fa1d8214020) at /home/***/code/php-src/Zend/zend_vm_execute.h:55412
#4  0x00005640d03c26d4 in zend_execute (op_array=0x7fa1d825d500, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#5  0x00005640d030e17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#6  0x00005640d026b56a in php_execute_script (primary_file=0x7ffcb931ace0) at /home/***/code/php-src/main/main.c:2534
#7  0x00005640d047e790 in do_cli (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#8  0x00005640d047f898 in main (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367

#0  0x00005640d031556c in _object_and_properties_init (arg=0x7fa1d8214890, class_type=0x657270707573006f, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1618
#1  0x00005640d03157c1 in object_init_ex (arg=0x7fa1d8214890, class_type=0x657270707573006f) at /home/***/code/php-src/Zend/zend_API.c:1665
#2  0x00005640d035eccc in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:10143
#3  0x00005640d03be2ef in execute_ex (ex=0x7fa1d8214020) at /home/***/code/php-src/Zend/zend_vm_execute.h:55412
#4  0x00005640d03c26d4 in zend_execute (op_array=0x7fa1d825d500, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#5  0x00005640d030e17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#6  0x00005640d026b56a in php_execute_script (primary_file=0x7ffcb931ace0) at /home/***/code/php-src/main/main.c:2534
#7  0x00005640d047e790 in do_cli (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#8  0x00005640d047f898 in main (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367



/home/***/code/php-src/sapi/cli/php -e -dextension_dir=/home/***/code/php-src/modules -dzend_extension=opcache.so -dopcache.enable_cli=1 psalm --config=psalm.xml.dist --no-cache --threads=8

#0  zend_update_class_constants (class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1384
#1  0x000055597a574693 in _object_and_properties_init (arg=0x7f82a8a14940, class_type=0x55597c8bbec0, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1634
#2  0x000055597a5747c1 in object_init_ex (arg=0x7f82a8a14940, class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1665
#3  0x000055597a48e09b in php_var_unserialize_internal (rval=0x7f82a8a14940, p=0x7ffd7e5b1a60, max=0x7f82a62d52d8 "", var_hash=0x7ffd7e5b1a68)
    at ext/standard/var_unserializer.re:1316
#4  0x000055597a48c01a in php_var_unserialize (rval=0x7f82a8a14940, p=0x7ffd7e5b1a60, max=0x7f82a62d52d8 "", var_hash=0x7ffd7e5b1a68)
    at ext/standard/var_unserializer.re:831
#5  0x000055597a477637 in php_unserialize_with_options (return_value=0x7f82a8a14940, 
    buf=0x7f82a62d5298 "O:39:\"Psalm\\Internal\\Fork\\ForkTaskDoneMessage\":1:{s:4:\"data\";N;}", buf_len=64, options=0x0, 
    function_name=0x55597af37091 "unserialize") at /home/***/code/php-src/ext/standard/var.c:1397
#6  0x000055597a477af5 in zif_unserialize (execute_data=0x7f82a8a14960, return_value=0x7f82a8a14940)
    at /home/***/code/php-src/ext/standard/var.c:1447
#7  0x000055597a5a8faa in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:1297
#8  0x000055597a61bea8 in execute_ex (ex=0x7f82a8a14020) at /home/***/code/php-src/Zend/zend_vm_execute.h:54509
#9  0x000055597a6216d4 in zend_execute (op_array=0x7f82a8a5d280, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#10 0x000055597a56d17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#11 0x000055597a4ca56a in php_execute_script (primary_file=0x7ffd7e5b43b0) at /home/***/code/php-src/main/main.c:2534
#12 0x000055597a6dd790 in do_cli (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#13 0x000055597a6de898 in main (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367

#0  zend_update_class_constants (class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1384
#1  0x000055597a574693 in _object_and_properties_init (arg=0x7f82a8a14890, class_type=0x55597c8bbec0, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1634
#2  0x000055597a5747c1 in object_init_ex (arg=0x7f82a8a14890, class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1665
#3  0x000055597a5bdccc in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:10143
#4  0x000055597a61d2ef in execute_ex (ex=0x7f82a8a14020) at /home/***/code/php-src/Zend/zend_vm_execute.h:55412
#5  0x000055597a6216d4 in zend_execute (op_array=0x7f82a8a5d280, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#6  0x000055597a56d17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#7  0x000055597a4ca56a in php_execute_script (primary_file=0x7ffd7e5b43b0) at /home/***/code/php-src/main/main.c:2534
#8  0x000055597a6dd790 in do_cli (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#9  0x000055597a6de898 in main (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367

#0  zend_update_class_constants (class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1384
#1  0x000055597a574693 in _object_and_properties_init (arg=0x7f82a8a14890, class_type=0x55597c8bbec0, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1634
#2  0x000055597a5747c1 in object_init_ex (arg=0x7f82a8a14890, class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1665
#3  0x000055597a5bdccc in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:10143
#4  0x000055597a61d2ef in execute_ex (ex=0x7f82a8a14020) at /home/***/code/php-src/Zend/zend_vm_execute.h:55412
#5  0x000055597a6216d4 in zend_execute (op_array=0x7f82a8a5d280, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#6  0x000055597a56d17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#7  0x000055597a4ca56a in php_execute_script (primary_file=0x7ffd7e5b43b0) at /home/***/code/php-src/main/main.c:2534
#8  0x000055597a6dd790 in do_cli (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#9  0x000055597a6de898 in main (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367

#0  zend_update_class_constants (class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1384
#1  0x000055597a574693 in _object_and_properties_init (arg=0x7f82a8a14890, class_type=0x55597c8bbec0, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1634
#2  0x000055597a5747c1 in object_init_ex (arg=0x7f82a8a14890, class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1665
#3  0x000055597a5bdccc in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:10143
#4  0x000055597a61d2ef in execute_ex (ex=0x7f82a8a14020) at /home/***/code/php-src/Zend/zend_vm_execute.h:55412
#5  0x000055597a6216d4 in zend_execute (op_array=0x7f82a8a5d280, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#6  0x000055597a56d17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#7  0x000055597a4ca56a in php_execute_script (primary_file=0x7ffd7e5b43b0) at /home/***/code/php-src/main/main.c:2534
#8  0x000055597a6dd790 in do_cli (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#9  0x000055597a6de898 in main (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367

#0  zend_update_class_constants (class_type=0x55597c89a730) at /home/***/code/php-src/Zend/zend_API.c:1384
#1  0x000055597a574693 in _object_and_properties_init (arg=0x7f82a8a151f0, class_type=0x55597c89a730, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1634
#2  0x000055597a5747c1 in object_init_ex (arg=0x7f82a8a151f0, class_type=0x55597c89a730) at /home/***/code/php-src/Zend/zend_API.c:1665
#3  0x000055597a5bdccc in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:10143
#4  0x000055597a61d2ef in execute_ex (ex=0x7f82a8a14020) at /home/***/code/php-src/Zend/zend_vm_execute.h:55412
#5  0x000055597a6216d4 in zend_execute (op_array=0x7f82a8a5d280, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#6  0x000055597a56d17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#7  0x000055597a4ca56a in php_execute_script (primary_file=0x7ffd7e5b43b0) at /home/***/code/php-src/main/main.c:2534
#8  0x000055597a6dd790 in do_cli (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#9  0x000055597a6de898 in main (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367
 [2021-11-17 15:25 UTC] git@php.net
Automatic comment on behalf of dstogov
Revision: https://github.com/php/php-src/commit/76548e509346383468439c3bdce0c290eb1aa3af
Log: Fixed bug #81607 (CE_CACHE allocation with concurrent access)
 [2021-11-17 15:25 UTC] git@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 11:01:29 2024 UTC