Bug #68921 segfault
Submitted: 2015-01-27 14:37 UTC Modified: 2017-11-05 04:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: public at grik dot net Assigned: cmb (profile)
Status: No Feedback Package: Reproducible crash
PHP Version: 5.6.6 OS: Cent OS 6
Private report: No CVE-ID: None
 [2015-01-27 14:37 UTC] public at grik dot net
Description:
------------
Segfault after upgrade from 5.5.5 to 5.6.5

Test script:
---------------
I don't have an exact reproducible script atm, can create it if required.

Actual result:
--------------
Core was generated by `php-fpm: pool www                                                             '.
Program terminated with signal 11, Segmentation fault.
#0  0x0844e25d in _zval_dtor_func (zvalue=0xb771b098,
    __zend_filename=0x89136cc "/usr/src/php-5.6.5/Zend/zend_execute.h", __zend_lineno=79)
    at /usr/src/php-5.6.5/Zend/zend_variables.c:36
36                              CHECK_ZVAL_STRING_REL(zvalue);
Missing separate debuginfos, use: debuginfo-install ImageMagick-6.5.4.7-7.el6_5.i686 bzip2-libs-1.0.5-7.el6_0.i686 cyrus-sasl-lib-2.1.23-15.el6_6.1.i686 expat-2.0.1-11.el6_2.i686 fontconfig-2.8.0-5.el6.i686 freetype-2.3.11-14.el6_3.1.i686 glibc-2.12-1.149.el6_6.4.i686 keyutils-libs-1.4-5.el6.i686 krb5-libs-1.10.3-33.el6.i686 lcms-libs-1.19-1.el6.i686 libICE-1.0.6-1.el6.i686 libSM-1.2.1-2.el6.i686 libX11-1.6.0-2.2.el6.i686 libXau-1.0.6-4.el6.i686 libXext-1.3.2-2.1.el6.i686 libXt-1.1.4-6.1.el6.i686 libcom_err-1.41.12-21.el6.i686 libcurl-7.19.7-40.el6_6.3.i686 libgcc-4.4.7-11.el6.i686 libgomp-4.4.7-11.el6.i686 libidn-1.18-2.el6.i686 libjpeg-turbo-1.2.1-3.el6_5.i686 libpng-1.2.49-1.el6_2.i686 libselinux-2.0.94-5.8.el6.i686 libssh2-1.4.2-1.el6.i686 libtiff-3.9.4-10.el6_5.i686 libtool-ltdl-2.2.6-15.5.el6.i686 libuuid-2.17.2-12.18.el6.i686 libxcb-1.9.1-2.el6.i686 libxml2-2.7.6-17.el6_6.1.i686 nspr-4.10.6-1.el6_5.i686 nss-3.16.2.3-3.el6_6.i686 nss-softokn-freebl-3.14.3-18.el6_6.i686 nss-util-3.16.2.3-2.el6_6.i686 openldap-2.4.39-8.el6.i686 openssl-1.0.1e-30.el6_6.4.i686 postgresql93-libs-9.3.5-1PGDG.rhel6.i686 zlib-1.2.3-29.el6.i686


(gdb) bt
#0  0x0844e25d in _zval_dtor_func (zvalue=0xb771b098,
    __zend_filename=0x89136cc "/usr/src/php-5.6.5/Zend/zend_execute.h", __zend_lineno=79)
    at /usr/src/php-5.6.5/Zend/zend_variables.c:36
#1  0x0843daeb in _zval_dtor (zvalue=0xb771b098, __zend_filename=0x89136cc "/usr/src/php-5.6.5/Zend/zend_execute.h",
    __zend_lineno=79) at /usr/src/php-5.6.5/Zend/zend_variables.h:35
#2  0x0843db98 in i_zval_ptr_dtor (zval_ptr=0xb771b098,
    __zend_filename=0x89157fc "/usr/src/php-5.6.5/Zend/zend_variables.c", __zend_lineno=188)
    at /usr/src/php-5.6.5/Zend/zend_execute.h:79
#3  0x0843e863 in _zval_ptr_dtor (zval_ptr=0xb771b210,
    __zend_filename=0x89157fc "/usr/src/php-5.6.5/Zend/zend_variables.c", __zend_lineno=188)
    at /usr/src/php-5.6.5/Zend/zend_execute_API.c:424
#4  0x0844e6e7 in _zval_ptr_dtor_wrapper (zval_ptr=0xb771b210) at /usr/src/php-5.6.5/Zend/zend_variables.c:188
#5  0x0845e96f in i_zend_hash_bucket_delete (ht=0x8b3673c, p=0xb771b204) at /usr/src/php-5.6.5/Zend/zend_hash.c:182
#6  0x0845ea35 in zend_hash_bucket_delete (ht=0x8b3673c, p=0xb771b204) at /usr/src/php-5.6.5/Zend/zend_hash.c:192
#7  0x08460447 in zend_hash_graceful_reverse_destroy (ht=0x8b3673c) at /usr/src/php-5.6.5/Zend/zend_hash.c:613
#8  0x0843e34b in shutdown_executor () at /usr/src/php-5.6.5/Zend/zend_execute_API.c:244
#9  0x08450451 in zend_deactivate () at /usr/src/php-5.6.5/Zend/zend.c:960
#10 0x083d3240 in php_request_shutdown (dummy=0x0) at /usr/src/php-5.6.5/main/main.c:1884
#11 0x084f9dc8 in main (argc=6, argv=0xbfdbf114) at /usr/src/php-5.6.5/sapi/fpm/fpm/fpm_main.c:1988


 [2015-01-27 15:04 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-01-27 15:04 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2015-02-08 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2015-03-03 16:59 UTC] public at grik dot net
-Status: No Feedback +Status: Closed
 [2015-03-03 16:59 UTC] public at grik dot net
The segfault is reproduced when an empty Content-Type header is sent and no data is provided with the POST request.
The content of the script does not matter; the PHP file can be empty.

$ curl -d '' -H 'Content-Type:' http://testsite.local/t.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>

$ sudo tail  /var/log/messages
Mar  3 16:53:30 hotelfm kernel: php-fpm[15374]: segfault at 0 ip 0844e25d sp bfb09f80 error 4 in php-fpm[8048000+ace000]
 [2015-03-03 17:02 UTC] public at grik dot net
-Status: Closed +Status: Assigned
 [2015-03-03 17:02 UTC] public at grik dot net
Trying to reopen the ticket
 [2015-03-03 17:39 UTC] public at grik dot net
-PHP Version: 5.6.5 +PHP Version: 5.6.6
 [2015-03-03 17:39 UTC] public at grik dot net
I updated PHP to 5.6.6 and reproduced the crash.
No 3rd party extensions.
 [2015-03-03 20:23 UTC] aharvey@php.net
-Status: Assigned +Status: Feedback
 [2015-03-03 20:23 UTC] aharvey@php.net
I can't reproduce this with 5.6.6 or the current PHP-5.6. Can you pastebin your phpinfo() somewhere, please?
 [2015-03-03 21:06 UTC] public at grik dot net
-Status: Feedback +Status: Open
 [2015-03-03 21:06 UTC] public at grik dot net
The problem is related to always_populate_raw_post_data option

When I edited php.ini and set always_populate_raw_post_data = -1 the segfault does not repeat.
Setting "always_populate_raw_post_data = off" as php.ini offers does not help, though.

Here is the `php-fpm -i` output when the segfault occurs:
http://pastebin.com/z4uvtErx


Here's the valgrind log:
http://pastebin.com/RdNJZRX5

While I was making the valgrind log I saw errors:

[root@hotelfm hotelfm.ru]# valgrind --tool=memcheck --num-callers=30 --log-file=php.log /usr/local/sbin/php-fpm -F -e
[03-Mar-2015 20:48:29] WARNING: [pool www] child 21793 said into stderr: "NOTICE: PHP message: PHP Deprecated:  Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php://input stream instead. in Unknown on line 0"
[03-Mar-2015 20:48:29] WARNING: [pool www] child 21793 said into stderr: "Unknown(0) : Deprecated - Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php://input stream instead."
[03-Mar-2015 20:48:29] WARNING: [pool www] child 21793 said into stderr: ""
[03-Mar-2015 20:48:29] WARNING: [pool www] child 21793 said into stderr: "NOTICE: PHP message: PHP Warning:  Cannot modify header information - headers already sent in Unknown on line 0"
[03-Mar-2015 20:48:29] WARNING: [pool www] child 21793 said into stderr: "Unknown(0) : Warning - Cannot modify header information - headers already sent"
[03-Mar-2015 20:48:29] WARNING: [pool www] child 21793 said into stderr: ""
[03-Mar-2015 20:48:30] WARNING: [pool www] child 21793 exited on signal 11 (SIGSEGV) after 18.506098 seconds from start
 [2015-03-06 14:41 UTC] laruence@php.net
Please show us what the contents of t.php are.
 [2015-03-06 15:27 UTC] public at grik dot net
The t.php file is empty. The issue is not relevant to the content of a script.

I compiled 5.6 over 5.5 and did not update php.ini. In 5.5 the value for always_populate_raw_post_data was "no"; in 5.6 it has to be "-1".
 [2015-06-03 21:59 UTC] andrey at kostin dot email
I experience the same problem with PHP 5.6.9 under Ubuntu 14.04 with no 3rd-party libraries installed. Test script contains the following code:
<?php
echo 'ok';
?>

Request: curl --data "param1=value1" http://example.com/script.php
Response: ok

Request: curl --data "" http://example.com/script.php
Response:
  <html>
  <head><title>502 Bad Gateway</title></head>
  <body bgcolor="white">
  <center><h1>502 Bad Gateway</h1></center>
  <hr><center>nginx/1.8.0</center>
  </body>
  </html>

PHP log contains the following:
[04-Jun-2015 00:54:07] WARNING: [pool www] child 16781 exited on signal 11 (SIGSEGV - core dumped) after 45.570352 seconds from start

Setting always_populate_raw_post_data to -1 solves the problem.
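
A defender-side check for the condition described in this thread, added here as an example and not code from the reporters or the PHP project: it counts php-fpm workers killed by SIGSEGV in a master log and tests whether php.ini carries the `always_populate_raw_post_data = -1` workaround. The function names and sample data are constructed, treating an unset directive as "not applied" is an assumption, and pool-level overrides such as `php_admin_value` are not examined.

```python
import re

# Worker-exit line from the php-fpm master log, in both shapes quoted in this
# report: "(SIGSEGV)" and "(SIGSEGV - core dumped)"; the timestamp is optional.
CRASH_RE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\]\s+)?WARNING: \[pool (?P<pool>[^\]]+)\] "
    r"child (?P<pid>\d+) exited on signal \d+ "
    r"\((?P<name>SIG[A-Z0-9]+)(?P<core> - core dumped)?\) "
    r"after (?P<uptime>[\d.]+) seconds from start")
# Uncommented php.ini directive; ';' starts a comment.
INI_RE = re.compile(r"^\s*always_populate_raw_post_data\s*=\s*([^;\s]*)", re.I)

# Constructed sample input, modelled on the log lines quoted in the comments.
SAMPLE_LOG = """\
[03-Mar-2015 20:48:30] WARNING: [pool www] child 21793 exited on signal 11 (SIGSEGV) after 18.506098 seconds from start
[04-Jun-2015 00:54:01] WARNING: [pool www] child 16780 exited on signal 15 (SIGTERM) after 3.100000 seconds from start
[04-Jun-2015 00:54:07] WARNING: [pool www] child 16781 exited on signal 11 (SIGSEGV - core dumped) after 45.570352 seconds from start
WARNING: [pool www] child 12008 exited on signal 11 (SIGSEGV - core dumped) after 1166.718710 seconds from start
"""
SAMPLE_INI = """\
; constructed php.ini fragment carried over from a 5.5 install
;always_populate_raw_post_data = -1
always_populate_raw_post_data = off
"""

def find_worker_crashes(log_text):
    """Return one dict per php-fpm child that exited on SIGSEGV."""
    hits = []
    for line in log_text.splitlines():
        m = CRASH_RE.search(line.strip())
        if m and m.group("name") == "SIGSEGV":
            hits.append({"ts": m.group("ts"), "pool": m.group("pool"),
                         "pid": int(m.group("pid")),
                         "core_dumped": m.group("core") is not None,
                         "uptime_s": float(m.group("uptime"))})
    return hits

def raw_post_data_setting(ini_text):
    """Return the last uncommented value of the directive, or None if unset."""
    value = None
    for line in ini_text.splitlines():
        m = INI_RE.match(line)
        if m:
            value = m.group(1).strip("\"'")
    return value

def has_workaround(ini_text):
    """True only for an explicit -1, the one value the reporters say stops the crash."""
    return raw_post_data_setting(ini_text) == "-1"
```
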
 [2015-06-12 09:47 UTC] andrey at kostin dot email
Not fixed in 5.6.10:

curl -X POST http://example.com/script.php

WARNING: [pool www] child 12008 exited on signal 11 (SIGSEGV - core dumped) after 1166.718710 seconds from start
 [2016-01-09 14:21 UTC] der at internethering dot de
Still not fixed in 5.6.16:

curl -d '' -H 'Content-Type:' https://le-h.de/t.php

-> Error 503

#0  0x0000000000adcc79 in _zval_dtor_func (zvalue=0x7f03c5b5d268, __zend_filename=0x10cb078 "/tmp/distccd_ghnfGr/var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_execute.h", __zend_lineno=79)
    at /var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_variables.c:36
36				CHECK_ZVAL_STRING_REL(zvalue);
(gdb) bt
#0  0x0000000000adcc79 in _zval_dtor_func (zvalue=0x7f03c5b5d268, __zend_filename=0x10cb078 "/tmp/distccd_ghnfGr/var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_execute.h", __zend_lineno=79)
    at /var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_variables.c:36
#1  0x0000000000ac4769 in _zval_dtor (zvalue=0x7f03c5b5d268, __zend_filename=0x10cb078 "/tmp/distccd_ghnfGr/var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_execute.h", __zend_lineno=79)
    at /tmp/distccd_ghnfGr/var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_variables.h:35
#2  0x0000000000ac4861 in i_zval_ptr_dtor (zval_ptr=0x7f03c5b5d268, __zend_filename=0x10cd470 "/var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_variables.c", __zend_lineno=188, tsrm_ls=0x2baf0c0)
    at /tmp/distccd_ghnfGr/var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_execute.h:79
#3  0x0000000000ac6aa5 in _zval_ptr_dtor (zval_ptr=0x7f03c5b5d560, __zend_filename=0x10cd470 "/var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_variables.c", __zend_lineno=188)
    at /var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_execute_API.c:424
#4  0x0000000000add256 in _zval_ptr_dtor_wrapper (zval_ptr=0x7f03c5b5d560) at /var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_variables.c:188
#5  0x0000000000af589c in i_zend_hash_bucket_delete (ht=0x2bb2928, p=0x7f03c5b5d548) at /var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_hash.c:182
#6  0x0000000000af5976 in zend_hash_bucket_delete (ht=0x2bb2928, p=0x7f03c5b5d548) at /var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_hash.c:192
#7  0x0000000000af783a in zend_hash_graceful_reverse_destroy (ht=0x2bb2928) at /var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_hash.c:613
#8  0x0000000000ac5b27 in shutdown_executor (tsrm_ls=0x2baf0c0) at /var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend_execute_API.c:244
#9  0x0000000000ae0893 in zend_deactivate (tsrm_ls=0x2baf0c0) at /var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/Zend/zend.c:960
#10 0x0000000000a19882 in php_request_shutdown (dummy=0x0) at /var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/main/main.c:1883
#11 0x0000000000bcdba6 in main (argc=4, argv=0x7ffddd839a68) at /var/phpbuild/portage/dev-lang/php-5.6.16/work/sapis-build/fpm/sapi/fpm/fpm/fpm_main.c:1992
 [2017-04-04 07:39 UTC] jboffel at gmail dot com
Confirmed still on 5.6.21

The Content-Type header criterion is not relevant.

You just need a post request with an empty body using php-fpm.
It does not happen with Apache php mod.
 [2017-09-10 15:01 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2017-09-10 15:01 UTC] cmb@php.net
PHP 5 does not have active support anymore (only security issues
would be addressed). So, can anybody reproduce this issue with PHP
7?
 [2017-09-10 16:39 UTC] public at grik dot net
-Status: Feedback +Status: Assigned
 [2017-09-10 16:39 UTC] public at grik dot net
Not reproduced in 7.1,9

Nice way to handle errors - just wait till version gets out of support cycle ;)
 [2017-09-10 20:52 UTC] cmb@php.net
-Status: Assigned +Status: Feedback
 [2017-09-10 20:52 UTC] cmb@php.net
> Not reproduced in 7.1,9

Thanks.  Anybody else?

> Nice way to handle errors - just wait till version gets out of
> support cycle ;)

Busted. ;)
 [2017-11-05 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 