Bug #66799 Subsequent requests after opcache_reset() causes php5-fpm segfault
Submitted: 2014-02-28 16:08 UTC
Modified: -
Votes: 7
Avg. Score: 3.6 ± 0.9
Reproduced: 6 of 6 (100.0%)
Same Version: 4 (66.7%)
Same OS: 3 (50.0%)
From: ptr dot wang at gmail dot com
Assigned:
Status: Open
Package: opcache
PHP Version: 5.5.9
OS: Linux - Ubuntu Precise
Private report: No
CVE-ID: None

 

 [2014-02-28 16:08 UTC] ptr dot wang at gmail dot com
Description:
------------
PHP Packages used.

ii  php-apc                                     4.0.2-2+debphp.org~precise+1        APC User Cache for PHP 5 (transitional package)
ii  php-pear                                    5.5.9+dfsg-1+sury.org~precise+1     PEAR - PHP Extension and Application Repository
ii  php5                                        5.5.9+dfsg-1+sury.org~precise+1     server-side, HTML-embedded scripting language (metapackage)
ii  php5-apcu                                   4.0.2-2+debphp.org~precise+1        APC User Cache for PHP 5
ii  php5-cli                                    5.5.9+dfsg-1+sury.org~precise+1     command-line interpreter for the php5 scripting language
ii  php5-common                                 5.5.9+dfsg-1+sury.org~precise+1     Common files for packages built from the php5 source
ii  php5-curl                                   5.5.9+dfsg-1+sury.org~precise+1     CURL module for php5
ii  php5-dbg                                    5.5.9+dfsg-1+sury.org~precise+1     Debug symbols for PHP5
ii  php5-dev                                    5.5.9+dfsg-1+sury.org~precise+1     Files for PHP5 module development
ii  php5-fpm                                    5.5.9+dfsg-1+sury.org~precise+1     server-side, HTML-embedded scripting language (FPM-CGI binary)
ii  php5-gd                                     5.5.9+dfsg-1+sury.org~precise+1     GD module for php5
ii  php5-intl                                   5.5.9+dfsg-1+sury.org~precise+1     internationalisation module for php5
ii  php5-json                                   1.3.2-3+debphp.org~precise+1        JSON module for php5
ii  php5-pgsql                                  5.5.9+dfsg-1+sury.org~precise+1     PostgreSQL module for php5
ii  php5-readline                               5.5.9+dfsg-1+sury.org~precise+1     Readline module for php5


Opcache configs:

[opcache]
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
opcache.fast_shutdown=1


PHP Modules installed:
[PHP Modules]
amqp
apc
apcu
bcmath
bz2
calendar
Core
ctype
curl
date
dba
dom
ereg
exif
fileinfo
filter
ftp
gd
gettext
hash
iconv
intl
json
libxml
mbstring
mhash
OAuth
openssl
pcntl
pcre
PDO
pdo_pgsql
pgsql
Phar
posix
readline
Reflection
session
shmop
SimpleXML
soap
sockets
sphinx
SPL
standard
sysvmsg
sysvsem
sysvshm
tokenizer
wddx
xhprof
xml
xmlreader
xmlwriter
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache





GDB backtrace:

# gdb -q /usr/sbin/php5-fpm /tmp/core-php5-fpm.33858
Reading symbols from /usr/sbin/php5-fpm...Reading symbols from /usr/lib/debug/usr/sbin/php5-fpm...done.
done.
[New LWP 33858]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool www                                         '.
Program terminated with signal 11, Segmentation fault.
#0  zend_mm_add_to_free_list (heap=<optimized out>, mm_block=0x7ffe95410288) at /build/buildd/php5-5.5.9+dfsg/Zend/zend_alloc.c:752
752	/build/buildd/php5-5.5.9+dfsg/Zend/zend_alloc.c: No such file or directory.
(gdb) bt full
#0  zend_mm_add_to_free_list (heap=<optimized out>, mm_block=0x7ffe95410288) at /build/buildd/php5-5.5.9+dfsg/Zend/zend_alloc.c:752
        prev = 0x350b8e800
        m = 9223372036854775808
        p = 0x2f6102f
        size = 616
        index = 9
#1  0x00000000006b84b0 in _zend_mm_free_int (heap=0x2aeb300, p=0x7ffe954102b8) at /build/buildd/php5-5.5.9+dfsg/Zend/zend_alloc.c:2118
        mm_block = 0x7ffe95410288
        next_block = 0x7ffe954103a8
        size = 616
#2  0x00000000006ee78e in zend_hash_destroy (ht=0xe62550) at /build/buildd/php5-5.5.9+dfsg/Zend/zend_hash.c:565
        p = 0x7ffe9533a048
        q = 0x7ffe954102b8
#3  0x00000000006d0a43 in shutdown_executor () at /build/buildd/php5-5.5.9+dfsg/Zend/zend_execute_API.c:322
        __orig_bailout = 0x7fffc7bcadd0
        __bailout = {{__jmpbuf = {15082400, -9155287571838426016, 140731913859384, 0, 140731913856248, 48345344, 9155375864448656480, -9155287578921425824}, __mask_was_saved = 0, __saved_mask = {__val = {9291456000123053152, 0, 7268954, 15059776, 0, 140731914091208,
                140728898420736, 140731914091256, 48389136, 140731408564984, 15082136, 1, 140731913859384, 0, 7204654, 15082048}}}}
#4  0x00000000006e0385 in zend_deactivate () at /build/buildd/php5-5.5.9+dfsg/Zend/zend.c:935
No locals.
#5  0x000000000067e5e7 in php_request_shutdown (dummy=<optimized out>) at /build/buildd/php5-5.5.9+dfsg/main/main.c:1808
        report_memleaks = 1 '\001'
#6  0x00000000004665c6 in main (argc=<optimized out>, argv=<optimized out>) at /build/buildd/php5-5.5.9+dfsg/sapi/fpm/fpm/fpm_main.c:1961
        primary_script = <optimized out>
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, 9155375865309537376, 3, 140736544434492, 0, 4294967295, 9155375864291370080, -9155287927588150176}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}}
        exit_status = 0
        c = <optimized out>
        use_extended_info = 0
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7ffeb3bbf618 "\370\370\276\263\376\177", opened_path = 0x0, handle = {fd = -1279319376, fp = 0x7ffeb3bf22b0, stream = {handle = 0x7ffeb3bf22b0, isatty = 0, mmap = {len = 1806, pos = 0, map = 0x0,
                buf = 0x7ffeb3a57000 <Address 0x7ffeb3a57000 out of bounds>, old_handle = 0x0, old_closer = 0}, reader = 0x695e30 <_php_stream_read>, fsizer = 0x67c640 <php_zend_stream_fsizer>, closer = 0x67c630 <php_zend_stream_mmap_closer>}},
          free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = <optimized out>
        max_requests = 100
        requests = 0
        fcgi_fd = 15081056
        request = {listen_socket = 0, fd = 6, id = 1, keep = 0, closed = 0, in_len = 0, in_pad = 3, out_hdr = 0x7fffc7bcb220, out_pos = 0x7fffc7bcb55e "",
          out_buf = "\000\006\000\000\000\000\000\000Cache-Control: max-age=0, private, no-cache, no-store, must-revalidate, no-transform\r\nX-XXXXXXXX-Localized: false\r\nVary: Accept-Encoding\r\nAccess-Control-Allow-Origin: *\r\nAccess-Control-Allow-H"...,
          reserved = '\000' <repeats 15 times>, env = 0x7ffeb3bbe2f0}
        fpm_config = 0x7fffc7bce93c ""
        fpm_prefix = 0x0
        fpm_pid = 0x0
        test_conf = 0
        force_daemon = <optimized out>
        php_information = 0
        php_allow_to_run_as_root = 0
        __func__ = "main"
(gdb) quit











Test script:
---------------
<?php

/*
PHP script used.
Put this under the docroot, then run: curl http://mydomain/test.php
To get the coredump file more quickly, try to ab some other scripts in the meantime:
ab -c9 -n99999 http://mydomain/other.php
Note: you need to make the OS generate coredump files, for example:

1. in the shell: ulimit -c unlimited
2. in the php-fpm configs, add a line: rlimit_core = unlimited

*/
var_dump(opcache_reset());



Expected result:
----------------
PHP-FPM process should not segfault

Actual result:
--------------
The PHP-FPM process segfaults on subsequent requests after opcache_reset() is called.

 [2015-01-28 19:02 UTC] gabe at tumblr dot com
We can reproduce this at will on 5.5.19 and 5.5.21. If you throw traffic at php-fpm while opcache.fast_shutdown=1 is in opcache.ini, each call to opcache_reset() segfaults. When disabling fast_shutdown, fpm stops segfaulting. 

(gdb) bt full
#0  zend_mm_add_to_free_list (heap=<value optimized out>, mm_block=0x1813530) at /usr/src/debug/php-5.5.21/Zend/zend_alloc.c:752
        m = <value optimized out>
        p = <value optimized out>
        size = 600
        index = <value optimized out>
#1  0x00000000005946f2 in _zend_mm_free_int (heap=0x11ad330, p=0x1813570) at /usr/src/debug/php-5.5.21/Zend/zend_alloc.c:2118
        mm_block = 0x1813530
        next_block = 0x18135f8
        size = 600
#2  0x00000000005c9521 in zend_hash_destroy (ht=0x9d1290) at /usr/src/debug/php-5.5.21/Zend/zend_hash.c:565
        p = 0x17f4f88
        q = 0x1813570
#3  0x00000000005ae113 in shutdown_executor () at /usr/src/debug/php-5.5.21/Zend/zend_execute_API.c:319
        __orig_bailout = 0x7fffadd01b10
        __bailout = {{__jmpbuf = {10293472, 4937089388971144863, 140393336324944, 0, 0, 0, -4937269333167851873, 4937089399494522527}, __mask_was_saved = 0, __saved_mask = {__val = {4937089253390923423, 13509474739399163904, 206845602437, 40, 5850866, 192, 5850866, 140393336564752, 44279120, 112, 10293208, 1, 140393336324944, 0, 6005774, 10293120}}}}
#4  0x00000000005bc2a2 in zend_deactivate () at /usr/src/debug/php-5.5.21/Zend/zend.c:946
No locals.
#5  0x000000000055c11c in php_request_shutdown (dummy=<value optimized out>) at /usr/src/debug/php-5.5.21/main/main.c:1808
        report_memleaks = 1 '\001'
#6  0x0000000000675159 in main (argc=<value optimized out>, argv=<value optimized out>) at /usr/src/debug/php-5.5.21/sapi/fpm/fpm/fpm_main.c:1977
        primary_script = <value optimized out>
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, -4937269333980498273, 3, 0, 10271136, 0, -4937269332796655969, 4937089637171181215}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 14 times>, 206840036063, 0}}}}
        exit_status = 0
        c = <value optimized out>
        use_extended_info = 0
        file_handle = {type = ZEND_HANDLE_FILENAME, filename = 0x7fafdef0c170 "Ƞ\342\002", opened_path = 0x0, handle = {fd = -554436664, fp = 0x7fafdef3f7c8, stream = {handle = 0x7fafdef3f7c8, isatty = 0, mmap = {len = 3966, pos = 0, map = 0x0, buf = 0x7fafbd41a000 <Address 0x7fafbd41a000 out of bounds>, old_handle = 0x0, old_closer = 0},
              reader = 0x5749b0 <_php_stream_read>, fsizer = 0x55c9a0 <php_zend_stream_fsizer>, closer = 0x55c990 <php_zend_stream_mmap_closer>}}, free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = <value optimized out>
        max_requests = 800
        requests = 188
        fcgi_fd = 10292128
        request = {listen_socket = 0, fd = -1, id = 1, keep = 0, closed = 0, in_len = 0, in_pad = 6, out_hdr = 0x0, out_pos = 0x7fffadd01ca0 "\001\006",
          out_buf = "<tumblr request here>..., reserved = '\000' <repeats 15 times>, env = 0x7fafdef0c040}
        fpm_config = 0x0
        fpm_prefix = 0x0
        fpm_pid = 0x7fffadd056c9 "ol POOLNAME"
        test_conf = 0
        force_daemon = -1
        php_information = 0
        php_allow_to_run_as_root = 0
        __func__ = "main"
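
Added example (not part of the report or of PHP itself): a small triage helper that checks whether a gdb backtrace from a php-fpm core has the same innermost frames as the two backtraces above, and whether `opcache.fast_shutdown` is enabled in the given ini text. The function names, return labels and the abridged sample backtrace are constructed for illustration.

```python
import re

# Innermost-first frames common to both backtraces in this report.
SIGNATURE = ["zend_mm_add_to_free_list", "_zend_mm_free_int", "zend_hash_destroy",
             "shutdown_executor", "zend_deactivate", "php_request_shutdown"]

# gdb frame line: "#N  [0xADDR in ]function (args) at file:line"
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?([A-Za-z_]\w*) \(", re.M)
INI_RE = re.compile(r'^\s*opcache\.fast_shutdown\s*=\s*"?([^\s;"]+)', re.M)

def frames(backtrace):
    """Function names ordered by frame number (gdb prints frame #0 twice)."""
    seen = {}
    for num, func in FRAME_RE.findall(backtrace):
        seen.setdefault(int(num), func)
    return [seen[i] for i in sorted(seen)]

def matches_signature(backtrace):
    return frames(backtrace)[:len(SIGNATURE)] == SIGNATURE

def fast_shutdown_enabled(ini_text):
    """True if the last uncommented opcache.fast_shutdown assignment is truthy."""
    values = INI_RE.findall(ini_text)
    return bool(values) and values[-1].lower() in ("1", "on", "yes", "true")

def triage(backtrace, ini_text):
    if not matches_signature(backtrace):
        return "no-match"
    return "match-fast-shutdown-on" if fast_shutdown_enabled(ini_text) else "match-fast-shutdown-off"

# Frame lines abridged from the first backtrace above (paths shortened, locals dropped).
SAMPLE_BT = """\
#0  zend_mm_add_to_free_list (heap=<optimized out>, mm_block=0x7ffe95410288) at Zend/zend_alloc.c:752
(gdb) bt full
#0  zend_mm_add_to_free_list (heap=<optimized out>, mm_block=0x7ffe95410288) at Zend/zend_alloc.c:752
        size = 616
#1  0x00000000006b84b0 in _zend_mm_free_int (heap=0x2aeb300, p=0x7ffe954102b8) at Zend/zend_alloc.c:2118
#2  0x00000000006ee78e in zend_hash_destroy (ht=0xe62550) at Zend/zend_hash.c:565
#3  0x00000000006d0a43 in shutdown_executor () at Zend/zend_execute_API.c:322
#4  0x00000000006e0385 in zend_deactivate () at Zend/zend.c:935
#5  0x000000000067e5e7 in php_request_shutdown (dummy=<optimized out>) at main/main.c:1808
#6  0x00000000004665c6 in main (argc=<optimized out>, argv=<optimized out>) at sapi/fpm/fpm/fpm_main.c:1961
"""
SAMPLE_INI = "[opcache]\nopcache.memory_consumption=128\nopcache.fast_shutdown=1\n"

if __name__ == "__main__":
    print(frames(SAMPLE_BT))
    print(triage(SAMPLE_BT, SAMPLE_INI))
```

A result of `match-fast-shutdown-on` corresponds to the configuration both posters describe; the comment above reports that the segfaults stop once fast_shutdown is disabled.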
 