Bug #60383 Segmentation Fault hard to reproduce
Submitted: 2011-11-25 10:58 UTC Modified: 2013-09-20 08:05 UTC
Votes:13
Avg. Score:4.9 ± 0.3
Reproduced:13 of 13 (100.0%)
Same Version:9 (69.2%)
Same OS:6 (46.2%)
From: julien at palard dot fr Assigned: pajoye (profile)
Status: Closed Package: APC (PECL)
PHP Version: 5.3.8 OS: Debian
Private report: No CVE-ID: None
 [2011-11-25 10:58 UTC] julien at palard dot fr
Description:
------------
When running php-fpm 5.3.8 with APC 3.1.9 for a random number of days, it starts to segfault systematically; we can't reproduce it for now without waiting for it to happen.

Here is some gdb information:
The segfault is in zend_compile.c line 2972:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000628c8d in do_bind_function (opline=0x7fe50eeb1398, function_table=0x215ac30, compile_time=0 '\000') at /usr/src/php-5.3.8/Zend/zend_compile.c:2972
2972                    (*function->op_array.refcount)++;

A stacktrace :

(gdb) bt
#0  0x0000000000628c8d in do_bind_function (opline=0x7fe50eeb1398, function_table=0x215ac30, compile_time=0 '\000')
    at /usr/src/php-5.3.8/Zend/zend_compile.c:2972
#1  0x00000000006665a5 in ZEND_DECLARE_FUNCTION_SPEC_HANDLER (execute_data=0x2590548) at /usr/src/php-5.3.8/Zend/zend_vm_execute.h:586
#2  0x0000000000666378 in execute (op_array=0x267bf98) at /usr/src/php-5.3.8/Zend/zend_vm_execute.h:107
#3  0x0000000000637d2a in zend_call_function (fci=0x7fff3aa53fa0, fci_cache=<value optimized out>) at /usr/src/php-5.3.8/Zend/zend_execute_API.c:968
#4  0x00000000005275f0 in zim_reflection_method_invokeArgs (ht=<value optimized out>, return_value=0x233f5c0, return_value_ptr=<value optimized out>,
    this_ptr=<value optimized out>, return_value_used=<value optimized out>) at /usr/src/php-5.3.8/ext/reflection/php_reflection.c:2750
#5  0x000000000068de5c in zend_do_fcall_common_helper_SPEC (execute_data=0x258a778) at /usr/src/php-5.3.8/Zend/zend_vm_execute.h:320
#6  0x0000000000666378 in execute (op_array=0x2522480) at /usr/src/php-5.3.8/Zend/zend_vm_execute.h:107
#7  0x00000000006411ea in zend_execute_scripts (type=8, retval=<value optimized out>, file_count=3) at /usr/src/php-5.3.8/Zend/zend.c:1236
#8  0x00000000005effee in php_execute_script (primary_file=<value optimized out>) at /usr/src/php-5.3.8/main/main.c:2284
#9  0x00000000006cf132 in main (argc=<value optimized out>, argv=<value optimized out>) at /usr/src/php-5.3.8/sapi/fpm/fpm/fpm_main.c:1902

Some information about what caused the segfault:

function seems to be a valid pointer:
(gdb) p function
$1 = (zend_function *) 0x6821d0

But refcount seems to point to an invalid address, garbage...
(gdb) p function->op_array.refcount
$2 = (zend_uint *) 0x6697eb0824748b48

That is out of memory:
(gdb) p *function->op_array.refcount
Cannot access memory at address 0x6697eb0824748b48

function also contains a lot of garbage:
(gdb) p *function
$3 = {type = 72 'H', common = {type = 72 'H', function_name = 0x1f0fc35d5bc031 <Address 0x1f0fc35d5bc031 out of bounds>, scope = 0x102444c748,
    fn_flags = 360611840, prototype = 0x1446b60f2c7401f8, num_args = 1006954627, required_num_args = 1219458817, arg_info = 0xe80824748948f789,
    pass_rest_by_reference = 52 '4', return_reference = 197 '\305'}, op_array = {type = 72 'H',
    function_name = 0x1f0fc35d5bc031 <Address 0x1f0fc35d5bc031 out of bounds>, scope = 0x102444c748, fn_flags = 360611840, prototype = 0x1446b60f2c7401f8,
    num_args = 1006954627, required_num_args = 1219458817, arg_info = 0xe80824748948f789, pass_rest_by_reference = 52 '4', return_reference = 197 '\305',
    done_pass_two = 253 '\375', refcount = 0x6697eb0824748b48, opcodes = 0x841f0f, last = 1394374, size = 2370359019, vars = 0x481024548d482845,
    last_var = -1991717239, size_var = 564586695, T = 2336817151, brk_cont_array = 0x2e66ffffff68e9c6, last_brk_cont = 8658703, current_brk_cont = 0,
    try_catch_array = 0x6c8948e8245c8948, last_try_catch = -1991708636, static_variables = 0x8b4838ec8348f824, start_op = 0x50458b38778b482f,
    backpatch_count = 106203976, this_var = 3531950088, filename = 0x428b000000b8840f <Address 0x428b000000b8840f out of bounds>, line_start = 32015120,
    line_end = 1116323973, doc_comment = 0xc7001542c6657510 <Address 0xc7001542c6657510 out of bounds>, doc_comment_len = 69698, early_binding = 2303197184,
    reserved = {0x8b30658b44102454, 0x8d4826248d4e107d, 0x84eee8e6894c3e3c, 0x314247c8041fffb}}, internal_function = {type = 72 'H',
    function_name = 0x1f0fc35d5bc031 <Address 0x1f0fc35d5bc031 out of bounds>, scope = 0x102444c748, fn_flags = 360611840, prototype = 0x1446b60f2c7401f8,
    num_args = 1006954627, required_num_args = 1219458817, arg_info = 0xe80824748948f789, pass_rest_by_reference = 52 '4', return_reference = 197 '\305',
    handler = 0x6697eb0824748b48, module = 0x841f0f}}

I found that function comes from a function_table, so I searched for the name of the function being looked up:
(gdb) p opline->op1.u.constant.value
$6 = {lval = 140621774571448, dval = 6.9476387872984637e-310, str = {val = 0x7fe50eebc7b8 "", len = 78}, ht = 0x7fe50eebc7b8, obj = {handle = 250333112,
    handlers = 0x4e}}

Seems space too...

You can ask for more information (values of pointers, etc.), but it may take me some days to provide it while waiting for PHP to enter this state again.

 [2011-11-25 11:33 UTC] felipe@php.net
-Package: Scripting Engine problem +Package: APC
 [2011-11-29 12:23 UTC] majkiel at heliox dot homeunix dot net
Same here...
 [2011-11-29 17:46 UTC] julien at palard dot fr
Try increasing shm_size; I'm not sure, but it could be the source of the bug... I just saw my server at 99% of the shm size :P
 [2011-11-30 21:46 UTC] cveilleux at neopeak dot com
Same here, php 5.3.6 and APC 3.1.9

Problem occurs on a Joomla! site. There are many sites on the same server, and so far it is only this one that produces the crash; it happened twice within 1 month.
 [2011-12-01 17:33 UTC] wojjie at gmail dot com
Similar problem here, when running apc.php I saw severe memory fragmentation. 
Increasing shm_size appears to have fixed my issue.
 [2011-12-04 23:26 UTC] michal dot palma at gmail dot com
Same problem; in my case it behaves much better with apc.stat="1"
 [2012-02-02 11:11 UTC] vytenis dot darulis at gmail dot com
Can reproduce the same bug in a different application, with vanilla PHP 5.3.9 and 
APC from trunk. Increasing shm size does not help.
 [2012-02-22 11:00 UTC] tietew at gmail dot com
Same problem here.
PHP 5.3.5 and APC 3.1.3p1 (Scientific Linux release 6.0)
 [2012-03-18 13:45 UTC] pajoye@php.net
Please try using this snapshot:

  http://snaps.php.net/php-trunk-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2012-03-18 13:45 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2012-03-23 15:10 UTC] vytenis dot darulis at gmail dot com
No more random massive segfaults or segfaults on restart with php 5.4 and 5.3 
trunk snapshots.
 [2012-03-25 15:00 UTC] pajoye@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-03-25 15:00 UTC] pajoye@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: pajoye
 [2012-08-30 09:08 UTC] to dot my dot trociny at gmail dot com
Hi,

Is this problem believed to be fixed? I see only information about it being fixed in SVN. There have been several releases since then, but I have failed to find any notes about this bug in the ChangeLog. Also, there is no info about the root cause.

With php 5.3.16 and older versions we are observing crashes in do_bind_function() too, but in a somewhat different place, so I am not sure how related they are to this issue.

(gdb) bt
#0  0x284a35de in memcpy () from /lib/libc.so.7
#1  0x288b73a6 in _zend_hash_add_or_update (ht=0x285b2070, arKey=0x2c4200d0 "handleerror", nKeyLength=12, pData=0x0, nDataSize=144, pDest=0x0, flag=2, 
    __zend_filename=0x28a0f8ac "/usr/ports/lang/php53/work/php-5.3.16/Zend/zend_compile.c", __zend_lineno=2962) at /usr/ports/lang/php53/work/php-5.3.16/Zend/zend_hash.c:452
#2  0x2888ef07 in do_bind_function (opline=0x2c41f714, function_table=0x285b2070, compile_time=0 '\0') at /usr/ports/lang/php53/work/php-5.3.16/Zend/zend_compile.c:2962
#3  0x288dd738 in ZEND_DECLARE_FUNCTION_SPEC_HANDLER (execute_data=0x2bc9c20c) at zend_vm_execute.h:586
#4  0x288db06b in execute (op_array=0x29e2f274) at zend_vm_execute.h:107
#5  0x288a9c07 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/ports/lang/php53/work/php-5.3.16/Zend/zend.c:1308
#6  0x2883968d in php_execute_script (primary_file=0xbfbfe764) at /usr/ports/lang/php53/work/php-5.3.16/main/main.c:2323
#7  0x2897a453 in php_handler (r=0x2bc86058) at /usr/ports/lang/php53/work/php-5.3.16/sapi/apache2handler/sapi_apache2.c:673
#8  0x0807c796 in ap_run_handler (r=0x2bc86058) at config.c:157
#9  0x0807cf7d in ap_invoke_handler (r=0x2bc86058) at config.c:376
#10 0x0808d0f3 in ap_process_request (r=0x2bc86058) at http_request.c:282
#11 0x08089c31 in ap_process_http_connection (c=0x2bc7e1f0) at http_core.c:190
#12 0x080851f6 in ap_run_process_connection (c=0x2bc7e1f0) at connection.c:43
#13 0x08085678 in ap_process_connection (c=0x2bc7e1f0, csd=0x2bc7e058) at connection.c:190
#14 0x0809404f in child_main (child_num_arg=0) at prefork.c:667
#15 0x0809424c in make_child (s=0x28510f10, slot=0) at prefork.c:768
#16 0x080944a4 in perform_idle_server_maintenance (p=0x2850f018) at prefork.c:903
#17 0x080949c8 in ap_mpm_run (_pconf=0x2850f018, plog=0x2853d018, s=0x28510f10) at prefork.c:1107
#18 0x080649ff in main (argc=Cannot access memory at address 0x24
) at main.c:753
 [2013-05-13 16:37 UTC] igor-php at grinchenko dot org
the problem is still there for 5.3.25. (could it be a php on freebsd thing?)

#0  0x00000008018d5816 in memcpy () from /lib/libc.so.7
#1  0x0000000802402681 in _zend_hash_add_or_update (ht=0x801dc83d0, arKey=0x80d577740 "__diagram_parse_callback", nKeyLength=25, pData=0x1, nDataSize=232, pDest=0x0, flag=2)
    at /root/src/php-5.3.25/Zend/zend_hash.c:256
#2  0x00000008023d993c in do_bind_function (opline=0x80d573f48, function_table=0x801dc83d0, compile_time=0 '\0') at /root/src/php-5.3.25/Zend/zend_compile.c:2957
#3  0x000000080241746c in ZEND_DECLARE_FUNCTION_SPEC_HANDLER (execute_data=0x80a16e1a0) at zend_vm_execute.h:589
#4  0x000000080241ad01 in execute (op_array=0x820753700) at zend_vm_execute.h:107
#5  0x00000008023e9283 in zend_call_function (fci=0x7fffffffb7d0, fci_cache=0x7fffffffb820) at /root/src/php-5.3.25/Zend/zend_execute_API.c:969
#6  0x000000080233087f in zif_call_user_func (ht=Variable "ht" is not available.
) at /root/src/php-5.3.25/ext/standard/basic_functions.c:4789
#7  0x00000008024444d1 in zend_do_fcall_common_helper_SPEC (execute_data=0x80a16d840) at zend_vm_execute.h:322
#8  0x000000080241ad01 in execute (op_array=0x8206fb5d0) at zend_vm_execute.h:107
#9  0x00000008023e9283 in zend_call_function (fci=0x7fffffffbae0, fci_cache=0x7fffffffbb30) at /root/src/php-5.3.25/Zend/zend_execute_API.c:969
#10 0x000000080233087f in zif_call_user_func (ht=Variable "ht" is not available.
) at /root/src/php-5.3.25/ext/standard/basic_functions.c:4789
#11 0x00000008024444d1 in zend_do_fcall_common_helper_SPEC (execute_data=0x80a16d650) at zend_vm_execute.h:322
#12 0x000000080241ad01 in execute (op_array=0x80a3d0200) at zend_vm_execute.h:107
#13 0x00000008023f3c61 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/src/php-5.3.25/Zend/zend.c:1259
#14 0x000000080239f357 in php_execute_script (primary_file=0x7fffffffd3e0) at /root/src/php-5.3.25/main/main.c:2316
#15 0x000000080247ceae in php_handler (r=0x801dbe028) at /root/src/php-5.3.25/sapi/apache2handler/sapi_apache2.c:669
#16 0x000000000043639a in ap_run_handler (r=0x801dbe028) at config.c:157
#17 0x00000000004395b2 in ap_invoke_handler (r=0x801dbe028) at config.c:376
#18 0x000000000044699a in ap_internal_redirect (new_uri=Variable "new_uri" is not available.
) at http_request.c:554
#19 0x000000000045168a in handler_redirect (r=0x801db60a0) at mod_rewrite.c:4843
#20 0x000000000043639a in ap_run_handler (r=0x801db60a0) at config.c:157
#21 0x00000000004395b2 in ap_invoke_handler (r=0x801db60a0) at config.c:376
#22 0x0000000000446b0e in ap_process_request (r=0x801db60a0) at http_request.c:282
#23 0x0000000000443e18 in ap_process_http_connection (c=0x801db0290) at http_core.c:190
#24 0x000000000043d252 in ap_run_process_connection (c=0x801db0290) at connection.c:43
#25 0x00000000004552f8 in child_main (child_num_arg=Variable "child_num_arg" is not available.
) at prefork.c:667
#26 0x0000000000455594 in make_child (s=0x801c68278, slot=0) at prefork.c:768
#27 0x0000000000455e24 in ap_mpm_run (_pconf=Variable "_pconf" is not available.
) at prefork.c:903
#28 0x0000000000423bbf in main (argc=3, argv=0x7fffffffd9b8) at main.c:753
 [2013-05-13 18:10 UTC] gopalv@php.net
That doesn't seem to be the same bug 

 pData=0x1, nDataSize=232

in the bt, suggests something went wrong with the functions declared conditionally.

Could you check if __diagram_parse_callback is within an if() block & open a new bug?
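The check asked for above (is `__diagram_parse_callback` declared inside an `if()` block?) is worth automating, because every backtrace in this report crashes in do_bind_function() called from ZEND_DECLARE_FUNCTION_SPEC_HANDLER with compile_time=0, i.e. while binding a function at run time. In PHP, an unconditional top-level function is bound once when the file is compiled, whereas a named function declared inside an if/else, a loop or another function body is bound only when execution reaches its ZEND_DECLARE_FUNCTION opcode, which is the call that dereferences function->op_array.refcount in the crash shown in the original report. The scanner below is an added example written for this editorial pass; it is not code from the reporters or from the PHP or APC projects. It uses PHP's own tokenizer (token_get_all) to list named function declarations nested inside a block, skipping class methods and closures and treating a braced namespace block as top level. The sample source it scans is constructed here; the `__diagram_parse_callback` name is taken from the backtrace above, everything else in the sample is made up. It assumes PHP 7.0 or later.

```php
<?php
// Added example (not from the bug report or the PHP/APC projects): list named function
// declarations that PHP binds at run time via ZEND_DECLARE_FUNCTION, i.e. functions nested
// inside any block (if/else, loops, another function body), as opposed to unconditional
// top-level functions, which are bound at compile time. Class methods and closures are
// skipped. Assumes PHP 7.0 or later.

function find_runtime_bound_functions($code)
{
    $tokens       = token_get_all($code);
    $n            = count($tokens);
    $depth        = 0;      // current brace nesting depth
    $nsDepth      = 0;      // depth of an enclosing braced "namespace Foo { ... }" block, if any
    $classDepths  = [];     // depths at which currently open class-like bodies sit
    $pendingClass = false;  // saw a class-like keyword, waiting for its opening brace
    $pendingNs    = false;  // saw "namespace", waiting for "{" or ";"
    $found        = [];
    $text = function ($tok) { return is_array($tok) ? $tok[1] : $tok; };

    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];

        if (is_string($t)) {                       // single-character tokens
            if ($t === '{') {
                $depth++;
                if ($pendingClass) { $classDepths[] = $depth; $pendingClass = false; }
                if ($pendingNs)    { $nsDepth = $depth;       $pendingNs = false; }
            } elseif ($t === '}') {
                if ($classDepths && end($classDepths) === $depth) { array_pop($classDepths); }
                if ($nsDepth === $depth) { $nsDepth = 0; }
                $depth--;
            } elseif ($t === ';') {
                $pendingNs = false;                // "namespace Foo;" has no block
            }
            continue;
        }

        list($id, , $line) = $t;

        // "{$var}" and "${expr}" inside double-quoted strings open a brace closed by a plain '}'
        if ($id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) { $depth++; continue; }

        if ($id === T_NAMESPACE) {
            // "namespace\foo()" is a relative name, not a declaration
            $next = ($i + 1 < $n) ? $tokens[$i + 1] : null;
            if (!(is_array($next) && $next[0] === T_NS_SEPARATOR)) { $pendingNs = true; }
            continue;
        }

        $classLike = [T_CLASS, T_INTERFACE];
        if (defined('T_TRAIT')) { $classLike[] = T_TRAIT; }
        if (defined('T_ENUM'))  { $classLike[] = T_ENUM; }
        if (in_array($id, $classLike, true)) {
            $prev = $i > 0 ? $tokens[$i - 1] : null;
            if (!(is_array($prev) && $prev[0] === T_DOUBLE_COLON)) {   // ignore Foo::class
                $pendingClass = true;
            }
            continue;
        }

        if ($id !== T_FUNCTION) { continue; }

        // skip "use function ns\name;" imports
        $k = $i - 1;
        while ($k >= 0 && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) { $k--; }
        if ($k >= 0 && is_array($tokens[$k]) && $tokens[$k][0] === T_USE) { continue; }

        // the declared name follows the keyword, optionally after '&' for by-reference return
        $j = $i + 1;
        while ($j < $n && (trim($text($tokens[$j])) === '' || $text($tokens[$j]) === '&')) { $j++; }
        if ($j >= $n || !is_array($tokens[$j]) || $tokens[$j][0] !== T_STRING) { continue; } // closure: no name

        $inClassBody = $classDepths && end($classDepths) === $depth;   // a method
        $effective   = $depth - $nsDepth;                                // braced namespace is still top level
        if (!$inClassBody && $effective > 0) {
            $found[] = ['name' => $tokens[$j][1], 'line' => $line, 'depth' => $effective];
        }
    }
    return $found;
}

// Constructed sample source for this example (only the callback name comes from the bug's backtrace)
$sample = <<<'PHP'
<?php
function top_level() { return "{$GLOBALS['x']} ok"; }   // early-bound at compile time

class Diagram {
    public function render() { return 1; }             // method, not a function declaration
}

if (!function_exists('__diagram_parse_callback')) {
    function __diagram_parse_callback($m) { return $m[0]; }   // runtime-bound (ZEND_DECLARE_FUNCTION)
    $cb = function ($m) { return $m; };                // closure, no name
}

function outer() {
    function inner() { return 2; }                      // also runtime-bound, each time outer() runs
}
PHP;

$code = isset($argv[1]) ? file_get_contents($argv[1]) : $sample;
foreach (find_runtime_bound_functions($code) as $f) {
    printf("%-28s line %-4d block depth %d\n", $f['name'], $f['line'], $f['depth']);
}
```

Run it with a file path as its first argument to scan a real source file; with no argument it scans the embedded sample and reports `__diagram_parse_callback` (line 9) and `inner` (line 14), while ignoring `top_level`, the method `render()` and the closure. A hit does not by itself prove anything about the crash, but it tells you which declarations go through the code path that every backtrace on this page shows.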
 [2013-09-19 13:18 UTC] m dot vanduren at rootnet dot nl
I just encountered this bug on one of our production servers with PHP (mod_php) 5.3.26, APC 3.1.13 and Apache 2.2.24.
It is a CentOS release 6.4 (Final) system with cPanel 11.38.2.7.
Backtrace below. I don't have the extra traces as presented below, because I got this backtrace through someone else.

I hope someone can help me with this problem.

Program received signal SIGSEGV, Segmentation fault.
0x00007f852f8cea8d in do_bind_function (opline=0x7f84efb81fa0, function_table=0x2e05ff0, compile_time=0 '\000')
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_compile.c:2973
2973                    (*function->op_array.refcount)++;
(gdb) bt
#0  0x00007f852f8cea8d in do_bind_function (opline=0x7f84efb81fa0, function_table=0x2e05ff0, compile_time=0 '\000')
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_compile.c:2973
#1  0x00007f852f90e8bc in ZEND_DECLARE_FUNCTION_SPEC_HANDLER (execute_data=0x3670500)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:589
#2  0x00007f852f90e660 in execute (op_array=0x449cd98)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:107
#3  0x00007f852f914d63 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (execute_data=0x366f020)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:22571
#4  0x00007f852f90e660 in execute (op_array=0x44a49c0)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:107
#5  0x00007f852f936956 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:347
#6  0x00007f852f90e660 in execute (op_array=0x44ca710)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:107
#7  0x00007f852f936956 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:347
#8  0x00007f852f90e660 in execute (op_array=0x44ca808)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:107
#9  0x00007f852f936956 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:347
#10 0x00007f852f90e660 in execute (op_array=0x32d7a80)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:107
#11 0x00007f852f936956 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:347
#12 0x00007f852f90e660 in execute (op_array=0x32e1458)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:107
#13 0x00007f852f936956 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:347
#14 0x00007f852f90e660 in execute (op_array=0x32dca38)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:107
#15 0x00007f852f936956 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:347
#16 0x00007f852f90e660 in execute (op_array=0x375f620)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:107
#17 0x00007f852f936956 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:347
#18 0x00007f852f90e660 in execute (op_array=0x2d74908)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend_vm_execute.h:107
#19 0x00007f852f8e816f in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/cpeasyapache/src/php-5.3.26/Zend/zend.c:1259
#20 0x00007f852f8952f7 in php_execute_script (primary_file=0x7ffff5005110)
    at /home/cpeasyapache/src/php-5.3.26/main/main.c:2316
#21 0x00007f852f971c65 in php_handler (r=0x31961a0)
    at /home/cpeasyapache/src/php-5.3.26/sapi/apache2handler/sapi_apache2.c:669
#22 0x0000000000449176 in ap_run_handler ()
#23 0x0000000000449a83 in ap_invoke_handler ()
#24 0x00000000004b1d59 in ap_process_request ()
#25 0x00000000004ae9ae in ap_process_http_connection ()
#26 0x0000000000452c43 in ap_run_process_connection ()
#27 0x00000000004530f4 in ap_process_connection ()
#28 0x00000000004da8d9 in child_main ()
#29 0x00000000004daabe in make_child ()
#30 0x00000000004dad63 in perform_idle_server_maintenance ()
#31 0x00000000004db2c0 in ap_mpm_run ()
#32 0x000000000042eb39 in main ()
 [2013-09-20 08:05 UTC] gopalv@php.net
I think that's APC not playing nice with Suhosin
 [2015-07-01 05:35 UTC] ralf at futurelab dot co dot nz
Got exactly the same issue on:
PHP 5.4.42-1~dotdeb+6.4
APC Version	3.1.13

We're randomly getting this:

Program terminated with signal 11, Segmentation fault.
#0  0xb6f59471 in do_bind_function (op_array=0xb86b7994, opline=0xb4d7b9e8, function_table=0xb846fe48, compile_time=0 '\000') at /usr/src/builddir/Zend/zend_compile.c:4266
4266    /usr/src/builddir/Zend/zend_compile.c: No such file or directory.
        in /usr/src/builddir/Zend/zend_compile.c

Switching off APC helps, but that's not the solution.
It helps with reproducing when we narrow Apache2 start servers down to 1. Then, instead of randomly once every few days, it dies 2-3 times a day.

It seems like a long-standing bug between PHP and APC; it should really be fixed.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 06:01:31 2024 UTC