Bug #68348 SIGSEGV in zend_hash_destroy at L558 p = p->pListNext;
Submitted: 2014-11-05 11:57 UTC Modified: 2021-10-11 13:31 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: php dot net at danslereseau dot com Assigned: cmb (profile)
Status: Closed Package: *General Issues
PHP Version: 5.5.18 OS: Amazon Linux 2014.09
Private report: No CVE-ID: None
 [2014-11-05 11:57 UTC] php dot net at danslereseau dot com
Description:
------------
nginx and PHP-FPM55 (5.5.18) installed using yum, on Amazon Linux x86_64, on an AWS EC2 server.
PHP-FPM crashes when I try to load one of the many websites I host; the other websites are OK. The website in question is a Gallery3 install.

/var/log/messages shows:
Nov  5 11:42:43 ip-172-30-0-123 kernel: [460777.618255] traps: php-fpm-5.5[28269] general protection ip:59fbf9 sp:7fffafda91b0 error:0 in php-fpm-5.5[400000+2fa000]

GDB Stack trace:
#0  zend_hash_destroy (ht=0x7f95e0225a70) at /usr/src/debug/php-5.5.18/Zend/zend_hash.c:558
#1  0x000000000059101b in _zval_dtor_func (zvalue=0x7f95e02340a8) at /usr/src/debug/php-5.5.18/Zend/zend_variables.c:45
#2  0x000000000063ec8d in _zval_dtor (zvalue=0x7f95e02340a8) at /usr/src/debug/php-5.5.18/Zend/zend_variables.h:35
#3  i_zval_ptr_dtor (zval_ptr=0x7f95e02340a8) at /usr/src/debug/php-5.5.18/Zend/zend_execute.h:81
#4  i_free_compiled_variables (execute_data=0x7f95f8689cf8) at /usr/src/debug/php-5.5.18/Zend/zend_execute.c:1510
#5  zend_leave_helper_SPEC (execute_data=execute_data@entry=0x7f95f8689cf8) at /usr/src/debug/php-5.5.18/Zend/zend_vm_execute.h:399
#6  0x000000000063f3bf in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (execute_data=0x7f95f8689cf8) at /usr/src/debug/php-5.5.18/Zend/zend_vm_execute.h:1081
#7  0x00000000005bc088 in execute_ex (execute_data=0x7f95f8689cf8) at /usr/src/debug/php-5.5.18/Zend/zend_vm_execute.h:363
#8  0x0000000000581c39 in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/debug/php-5.5.18/Zend/zend_dtrace.c:73
#9  0x0000000000583f71 in zend_call_function (fci=fci@entry=0x7fff0dd0c5c0, fci_cache=<optimized out>, fci_cache@entry=0x0) at /usr/src/debug/php-5.5.18/Zend/zend_execute_API.c:937
#10 0x000000000058416e in call_user_function_ex (function_table=function_table@entry=0xf9fc40, object_pp=<optimized out>, function_name=<optimized out>, retval_ptr_ptr=retval_ptr_ptr@entry=0x7fff0dd0c658, param_count=<optimized out>, params=params@entry=0x7f95f86bb850, no_separation=no_separation@entry=1, symbol_table=symbol_table@entry=0x0) at /usr/src/debug/php-5.5.18/Zend/zend_execute_API.c:725
#11 0x00000000005841c2 in call_user_function (function_table=0xf9fc40, object_pp=object_pp@entry=0x0, function_name=function_name@entry=0x130f5f8, retval_ptr=0x1303a98, param_count=param_count@entry=2, params=params@entry=0x7fff0dd0c6c0) at /usr/src/debug/php-5.5.18/Zend/zend_execute_API.c:698
#12 0x000000000049bc7c in ps_call_handler (func=0x130f5f8, argc=argc@entry=2, argv=argv@entry=0x7fff0dd0c6c0) at /usr/src/debug/php-5.5.18/ext/session/mod_user.c:53
#13 0x000000000049bf85 in ps_write_user (mod_data=<optimized out>, key=0x12e6cb8 "993g0n8iviv2rugd5rtdrucnt3", val=0x65b1ad "", vallen=0) at /usr/src/debug/php-5.5.18/ext/session/mod_user.c:157
#14 0x0000000000493eb8 in php_session_save_current_state () at /usr/src/debug/php-5.5.18/ext/session/session.c:544
#15 0x00000000004944d6 in php_session_flush () at /usr/src/debug/php-5.5.18/ext/session/session.c:1619
#16 zm_deactivate_session (type=<optimized out>, module_number=<optimized out>) at /usr/src/debug/php-5.5.18/ext/session/session.c:2348
#17 0x0000000000599514 in zend_deactivate_modules () at /usr/src/debug/php-5.5.18/Zend/zend_API.c:2433
#18 0x0000000000532225 in php_request_shutdown (dummy=dummy@entry=0x0) at /usr/src/debug/php-5.5.18/main/main.c:1777
#19 0x0000000000421934 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/php-5.5.18/sapi/fpm/fpm/fpm_main.c:1977

Test script:
---------------
I have yet to find what code or extension would be triggering this.
It happens 100% of the time when loading my Gallery3 install, and sometimes on a Wordpress install (not often), but from what I saw, not on any of the other (simpler) websites I host, which also use PHP.


 [2014-11-06 05:34 UTC] php dot net at danslereseau dot com
While trying to debug this, I found this code that crashes php (cli and php-fpm):

<?php

// Calling into ext/mysql (a connect that fails, warning suppressed) from
// inside the session read/write callbacks is what the reporter found to
// trigger the crash; the trace below shows the fault in php_mysql_do_connect.
function crash() {
    @mysql_connect('127.0.0.2');
}

// Minimal user-level session save handler (callback form, PHP 5.x).
class Session_Handler_T {
    public function open($path, $name)
    {
        return TRUE;
    }

    public function close()
    {
        return TRUE;
    }

    public function read($id)
    {
        crash();
        return TRUE;
    }

    public function write($id, $data)
    {
        crash();
        return TRUE;
    }

    public function destroy($id)
    {
        return TRUE;
    }

    public function gc($maxlifetime)
    {
        return TRUE;
    }
}

class ExceptHandler extends Exception {
    // Uncaught-exception handler: installs the save handler and starts the
    // session, so write() is invoked later, during request shutdown.
    public static function handle(Exception $e) {
        $handler = new Session_Handler_T();
        session_set_save_handler(
            array($handler, 'open'),
            array($handler, 'close'),
            array($handler, 'read'),
            array($handler, 'write'),
            array($handler, 'destroy'),
            array($handler, 'gc')
        );
        session_start();
    }
}

set_exception_handler(array('ExceptHandler', 'handle'));
throw new Exception('test');

?>

But it gives a different stack trace (this one was obtained using php-cli instead of php-fpm, but php-fpm crashes on this code too):

#0  0x00007fffe3fd6b6f in php_mysql_do_connect (ht=<optimized out>, return_value=0x7ffff7fdb490, persistent=<optimized out>, 
    return_value_used=<optimized out>, this_ptr=<optimized out>, return_value_ptr=<optimized out>) at /usr/src/debug/php-5.5.18/ext/mysql/php_mysql.c:1023
#1  0x000000000058615b in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, return_value_used=<optimized out>)
    at /usr/src/debug/php-5.5.18/Zend/zend_dtrace.c:97
#2  0x0000000000646795 in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /usr/src/debug/php-5.5.18/Zend/zend_vm_execute.h:552
#3  0x00000000005c04a8 in execute_ex (execute_data=0x7ffff7fa21a0) at /usr/src/debug/php-5.5.18/Zend/zend_vm_execute.h:363
#4  0x0000000000586059 in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/debug/php-5.5.18/Zend/zend_dtrace.c:73
#5  0x0000000000646de0 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa2098) at /usr/src/debug/php-5.5.18/Zend/zend_vm_execute.h:584
#6  0x00000000005c04a8 in execute_ex (execute_data=0x7ffff7fa2098) at /usr/src/debug/php-5.5.18/Zend/zend_vm_execute.h:363
#7  0x0000000000586059 in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/debug/php-5.5.18/Zend/zend_dtrace.c:73
#8  0x0000000000588391 in zend_call_function (fci=fci@entry=0x7fffffffca60, fci_cache=<optimized out>, fci_cache@entry=0x0)
    at /usr/src/debug/php-5.5.18/Zend/zend_execute_API.c:937
#9  0x000000000058858e in call_user_function_ex (function_table=function_table@entry=0x999a00, object_pp=<optimized out>, function_name=<optimized out>, 
    retval_ptr_ptr=retval_ptr_ptr@entry=0x7fffffffcaf8, param_count=<optimized out>, params=params@entry=0x7ffff7fd5a38, no_separation=no_separation@entry=1, 
    symbol_table=symbol_table@entry=0x0) at /usr/src/debug/php-5.5.18/Zend/zend_execute_API.c:725
#10 0x00000000005885e2 in call_user_function (function_table=0x999a00, object_pp=object_pp@entry=0x0, function_name=function_name@entry=0x7ffff7fdaef8, 
    retval_ptr=0x7ffff7fd5fd0, param_count=param_count@entry=2, params=params@entry=0x7fffffffcb60) at /usr/src/debug/php-5.5.18/Zend/zend_execute_API.c:698
#11 0x000000000049ffec in ps_call_handler (func=0x7ffff7fdaef8, argc=argc@entry=2, argv=argv@entry=0x7fffffffcb60)
    at /usr/src/debug/php-5.5.18/ext/session/mod_user.c:53
#12 0x00000000004a02f5 in ps_write_user (mod_data=<optimized out>, key=0x7ffff7fd6878 "lq1a5due6hkmutv0tnqg0m95s3", val=0x65844d "", vallen=0)
    at /usr/src/debug/php-5.5.18/ext/session/mod_user.c:157
#13 0x0000000000498228 in php_session_save_current_state () at /usr/src/debug/php-5.5.18/ext/session/session.c:544
#14 0x0000000000498846 in php_session_flush () at /usr/src/debug/php-5.5.18/ext/session/session.c:1619
#15 zm_deactivate_session (type=<optimized out>, module_number=<optimized out>) at /usr/src/debug/php-5.5.18/ext/session/session.c:2348
#16 0x000000000059d934 in zend_deactivate_modules () at /usr/src/debug/php-5.5.18/Zend/zend_API.c:2433
#17 0x0000000000536645 in php_request_shutdown (dummy=dummy@entry=0x0) at /usr/src/debug/php-5.5.18/main/main.c:1777
#18 0x000000000064792a in do_cli (argc=1, argv=0x998e30) at /usr/src/debug/php-5.5.18/sapi/cli/php_cli.c:1177
#19 0x0000000000421a60 in main (argc=1, argv=0x998e30) at /usr/src/debug/php-5.5.18/sapi/cli/php_cli.c:1378
 [2017-09-21 15:45 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2017-09-21 15:45 UTC] cmb@php.net
Support for PHP 5.5 has ended quite a while ago. Can you still reproduce this
issue with a currently supported PHP version?
 [2017-09-21 15:52 UTC] php dot net at danslereseau dot com
-Status: Feedback +Status: Assigned
 [2017-09-21 15:52 UTC] php dot net at danslereseau dot com
Yes, the code snippet posted on 2014-11-06 05:34 UTC still crashes PHP 5.6.31 from CLI.

$ php crash.php 
Segmentation fault

$ php -v
PHP 5.6.31 (cli) (built: Aug 14 2017 17:37:23) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
 [2017-09-21 16:11 UTC] cmb@php.net
-Status: Assigned +Status: Open -Assigned To: cmb +Assigned To:
 [2017-09-21 16:11 UTC] cmb@php.net
Thanks for the quick reply! I'm not accustomed to the MySQL extension, which
apparently causes the segfault, so I'm unassigning myself. Sorry.
 [2021-10-11 13:06 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-10-11 13:06 UTC] cmb@php.net
On a closer look, this might not be related to the mysql extension
at all, but rather to the session extension and/or the shutdown
sequence.  Since mysql is unbundled as of PHP 7.0.0 (and unlikely
to receive bug fixes), I've tried with mysqli_real_connect() and
curl_init(), but there was no segfault for me.  Can you still
reproduce the segfault with any of the actively supported PHP
versions[1]?  Also if you call another extension in crash(), or is
this actually mysql related?

[1] <https://www.php.net/supported-versions.php>
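The point both the reporter's script and the comment above turn on is when the session extension calls the user save handler: the stack traces show write() being invoked from php_session_flush during module deactivation in php_request_shutdown, long after the exception handler returned. The script below is an added example for observing that ordering on a current PHP; it is not part of the bug report and not code from PHP itself. It assumes PHP 8.0 or later with ext/session; the class name TracingSessionHandler, the log format and the "probe" session key are hypothetical choices made here. Like the reporter's script, it installs the handler from the exception handler, but every callback is traced instead of calling into another extension, and register_shutdown is set to false so the write is left to the session extension's own shutdown step rather than to a registered shutdown function.

```php
<?php
// Added example, not from the bug report: a tracing session save handler
// that records each callback the session extension invokes, so the order
// relative to register_shutdown_function() callbacks can be observed.
// Assumes PHP 8.0+; class name, log format and session key are hypothetical.
declare(strict_types=1);

final class TracingSessionHandler implements SessionHandlerInterface
{
    /** @var string[] callbacks in the order they were invoked */
    public static array $trace = [];

    private static function log(string $what): void
    {
        self::$trace[] = $what;
        fwrite(STDERR, sprintf("[%s] %s\n", date('H:i:s'), $what));
    }

    public function open(string $path, string $name): bool
    {
        self::log("open(path=$path, name=$name)");
        return true;
    }

    public function close(): bool
    {
        self::log('close()');
        return true;
    }

    public function read(string $id): string|false
    {
        self::log("read(id=$id)");
        return ''; // no stored data: a fresh session
    }

    public function write(string $id, string $data): bool
    {
        self::log('write(id=' . $id . ', bytes=' . strlen($data) . ')');
        return true;
    }

    public function destroy(string $id): bool
    {
        self::log("destroy(id=$id)");
        return true;
    }

    public function gc(int $max_lifetime): int|false
    {
        self::log("gc(max_lifetime=$max_lifetime)");
        return 0;
    }
}

// Same shape as the reporter's script: the handler is installed and the
// session started from the uncaught-exception handler.
set_exception_handler(static function (Throwable $e): void {
    fwrite(STDERR, 'exception handler: ' . $e->getMessage() . "\n");
    // register_shutdown = false: do not register session_write_close() as a
    // shutdown function, so the write happens in the session extension's
    // request-shutdown step (the path the traces above go through).
    session_set_save_handler(new TracingSessionHandler(), false);
    session_start();
    $_SESSION['probe'] = 1; // give write() a non-empty payload
});

// User shutdown functions run at the start of php_request_shutdown, before
// extension RSHUTDOWN, so at this point only open() and read() have been
// logged; write() and close() appear on stderr after this line.
register_shutdown_function(static function (): void {
    fwrite(STDERR, 'shutdown function; callbacks so far: '
        . implode(', ', TracingSessionHandler::$trace) . "\n");
});

throw new RuntimeException('test');
```

Run it with `php trace-session.php` (any file name) and read stderr: the shutdown function's line lists only open() and read(), and write() and close() are printed after it. That late write is why a fault inside a save-handler callback surfaces with a php_request_shutdown / zend_deactivate_modules / zm_deactivate_session stack like the ones in this report, and it is the first thing to check when a user save handler crashes only at the end of a request.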
 [2021-10-11 13:20 UTC] php dot net at danslereseau dot com
-Status: Feedback +Status: Assigned
 [2021-10-11 13:20 UTC] php dot net at danslereseau dot com
No, I can't reproduce now.
I tried on PHP 7.2, 7.3, 7.4 and 8.0, using CLI.
 [2021-10-11 13:31 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2021-10-11 13:31 UTC] cmb@php.net
Thanks for the swift reply!  I assume the issue has been fixed in
the meantime.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 19 00:01:29 2024 UTC