Bug #70007 Segmentation fault in gc_remove_zval_from_buffer
Submitted: 2015-07-07 09:29 UTC Modified: 2018-01-13 14:18 UTC
Votes:14
Avg. Score:4.8 ± 0.6
Reproduced:14 of 14 (100.0%)
Same Version:9 (64.3%)
Same OS:11 (78.6%)
From: pdecat at gmail dot com Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 5.6.10 OS: Debian GNU/Linux 7.8
Private report: No CVE-ID: None
 [2015-07-07 09:29 UTC] pdecat at gmail dot com
Description:
------------
Under heavy load, we eventually get a SIGSEGV on a single PHP script.
Other scripts continue to work.
The same script will always segfault until the php5-fpm service is restarted.

This is with php5 packages version 5.6.10-1~dotdeb+7.3 from http://packages.dotdeb.org/dists/wheezy-php56/php5/binary-amd64/

Looks similar to https://bugs.php.net/bug.php?id=67314


Test script:
---------------
<?php

// Here is a suspicious code snippet that results in segfaults under heavy load

final class Test {
    const IDS = [
        1,
        2,
        3,
        4,
        ];

        public static function is($id) {
            return in_array($id, self::IDS);
        }
}


for($i = 0; $i <= 1000000; $i++) {
    Test::is($i%10);
}

Expected result:
----------------
Never segfault.

Possible workaround:

@@ -1,7 +1,7 @@
 <?php
 
 final class Test {
-    const IDS = [
+    public static $IDS = [
         1,
         2,
         3,
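Review bot: `public static $IDS` makes the allowed-ID list writable from anywhere (`Test::$IDS[] = 99;` or a full reassignment), which the `const IDS` it replaces did not permit; the only reader in this patch is `self::$IDS` inside the class, so declare it `private static $IDS` to keep the workaround from widening who can change the list.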
@@ -9,7 +9,7 @@ final class Test {
         ];
 
         public static function is($id) {
-            return in_array($id, self::IDS);
+            return in_array($id, self::$IDS);
         }
 }
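Review bot: `in_array($id, self::$IDS)` keeps the loose comparison of the line it replaces; against the integer list above, a string argument such as `"1abc"` compares equal to `1` under PHP 5 numeric-string rules, so the membership check accepts values that are not in the list. Pass `true` as the third argument (`in_array($id, self::$IDS, true)`) so only exact integer matches succeed.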


Actual result:
--------------
[05-Jul-2015 19:05:16] NOTICE: fpm is running, pid 12824
[05-Jul-2015 19:05:16] NOTICE: ready to handle connections
[06-Jul-2015 09:23:35] WARNING: [pool mypool] child 18436 exited on signal 11 (SIGSEGV - core dumped) after 5408.796888 seconds from start
[06-Jul-2015 09:23:35] NOTICE: [pool mypool] child 19100 started
[06-Jul-2015 09:23:35] WARNING: [pool mypool] child 19031 exited on signal 11 (SIGSEGV - core dumped) after 523.790290 seconds from start
[06-Jul-2015 09:23:35] NOTICE: [pool mypool] child 19101 started
[06-Jul-2015 09:23:35] WARNING: [pool mypool] child 17563 exited on signal 11 (SIGSEGV - core dumped) after 11632.329569 seconds from start
[06-Jul-2015 09:23:35] NOTICE: [pool mypool] child 19103 started
[06-Jul-2015 09:23:35] NOTICE: Finishing ...
[06-Jul-2015 09:24:05] NOTICE: Terminating ...
[06-Jul-2015 09:24:07] NOTICE: exiting, bye-bye!
[06-Jul-2015 09:24:07] NOTICE: fpm is running, pid 19129

Here is the backtrace:

(gdb) bt
#0  gc_remove_from_buffer (root=0x4) at /usr/src/builddir/Zend/zend_gc.h:189
#1  gc_remove_zval_from_buffer (zv=zv@entry=0x7f405dedb490) at /usr/src/builddir/Zend/zend_gc.c:260
#2  0x00000000007306b8 in i_zval_ptr_dtor (zval_ptr=0x7f405dedb490) at /usr/src/builddir/Zend/zend_execute.h:78
#3  _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/builddir/Zend/zend_execute_API.c:424
#4  0x000000000074f578 in zend_hash_destroy (ht=0x3bdf738) at /usr/src/builddir/Zend/zend_hash.c:548
#5  0x0000000000740393 in _zval_dtor_func (zvalue=0x3ed5458) at /usr/src/builddir/Zend/zend_variables.c:45
#6  0x00000000007e56f0 in _zval_dtor (zvalue=0x3ed5458) at /usr/src/builddir/Zend/zend_variables.h:35
#7  i_zval_ptr_dtor (zval_ptr=0x3ed5458) at /usr/src/builddir/Zend/zend_execute.h:79
#8  zend_vm_stack_clear_multiple (nested=0) at /usr/src/builddir/Zend/zend_execute.h:308
#9  zend_do_fcall_common_helper_SPEC (execute_data=0x7f40978a44b0) at /usr/src/builddir/Zend/zend_vm_execute.h:650
#10 0x00000000007aa848 in execute_ex (execute_data=0x7f40978a44b0) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#11 0x00000000007303cd in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#12 0x00007f408c2653bd in nr_php_execute_enabled () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1051
#13 0x00007f408c265b52 in nr_php_execute () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1162
#14 0x00000000007e5d08 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f40978a4388) at /usr/src/builddir/Zend/zend_vm_execute.h:592
#15 0x00000000007aa848 in execute_ex (execute_data=0x7f40978a4388) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#16 0x00000000007303cd in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#17 0x00007f408c2653bd in nr_php_execute_enabled () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1051
#18 0x00007f408c265b52 in nr_php_execute () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1162
#19 0x0000000000732106 in zend_call_function (fci=fci@entry=0x7fff5732c490, fci_cache=0x33c6c60, fci_cache@entry=0x7fff5732c460) at /usr/src/builddir/Zend/zend_execute_API.c:829
#20 0x000000000066022f in zif_call_user_func_array (ht=<optimized out>, return_value=0x3ed4f78, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
    at /usr/src/builddir/ext/standard/basic_functions.c:4784
#21 0x00000000007304f9 in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, return_value_used=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:97
#22 0x00000000007e56d1 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f40978a4190) at /usr/src/builddir/Zend/zend_vm_execute.h:560
#23 0x00000000007aa848 in execute_ex (execute_data=0x7f40978a4190) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#24 0x00000000007303cd in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#25 0x00007f408c2653bd in nr_php_execute_enabled () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1051
#26 0x00007f408c265b52 in nr_php_execute () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1162
#27 0x00000000007e5d08 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f40978a4030) at /usr/src/builddir/Zend/zend_vm_execute.h:592
#28 0x00000000007aa848 in execute_ex (execute_data=0x7f40978a4030) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#29 0x00000000007303cd in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#30 0x00007f408c2653bd in nr_php_execute_enabled () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1051
#31 0x00007f408c265b52 in nr_php_execute () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1162
#32 0x00000000007e5d08 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f40978a3eb8) at /usr/src/builddir/Zend/zend_vm_execute.h:592
#33 0x00000000007aa848 in execute_ex (execute_data=0x7f40978a3eb8) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#34 0x00000000007303cd in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#35 0x00007f408c2653bd in nr_php_execute_enabled () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1051
#36 0x00007f408c265b52 in nr_php_execute () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1162
#37 0x00000000007e5d08 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f40978a3d80) at /usr/src/builddir/Zend/zend_vm_execute.h:592
#38 0x00000000007aa848 in execute_ex (execute_data=0x7f40978a3d80) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#39 0x00000000007303cd in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#40 0x00007f408c2653bd in nr_php_execute_enabled () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1051
#41 0x00007f408c265b52 in nr_php_execute () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1162
#42 0x00000000007e5d08 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f40978a3c48) at /usr/src/builddir/Zend/zend_vm_execute.h:592
#43 0x00000000007aa848 in execute_ex (execute_data=0x7f40978a3c48) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#44 0x00000000007303cd in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#45 0x00007f408c2655f2 in nr_php_execute_enabled () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:899
#46 0x00007f408c265b52 in nr_php_execute () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1162
#47 0x0000000000742d28 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/builddir/Zend/zend.c:1341
#48 0x00000000006de3c2 in php_execute_script (primary_file=primary_file@entry=0x7fff5732f510) at /usr/src/builddir/main/main.c:2597
#49 0x0000000000474b12 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/builddir/sapi/fpm/fpm/fpm_main.c:1964
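The php-fpm master log quoted above is where a crash like this first becomes visible operationally: a pool whose children keep exiting on SIGSEGV while the service as a whole stays up. As an added example (not part of the bug report or of the PHP project), here is a Python parser for log lines in that format, plus a sliding-window check that flags a pool whose workers repeatedly die on fatal signals. The sample lines are constructed to mirror the quoted log; the window, threshold and signal list are assumptions to tune for your deployment.

```python
"""Parse php-fpm master log lines and flag pools with repeated worker crashes.

Added example, not code from the bug report or the PHP project. The sample
log below is constructed to match the format of the lines quoted in the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the php-fpm "child exited on signal" warning, e.g.
# [06-Jul-2015 09:23:35] WARNING: [pool mypool] child 18436 exited on signal 11
#   (SIGSEGV - core dumped) after 5408.796888 seconds from start
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<level>[A-Z]+): \[pool (?P<pool>[^\]]+)\] "
    r"child (?P<pid>\d+) exited on signal (?P<signum>\d+) \((?P<signame>[A-Z0-9]+)"
    r"(?P<core> - core dumped)?\) after (?P<uptime>[\d.]+) seconds from start$"
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S"

# Constructed sample: the three SIGSEGV exits from the report plus one clean
# SIGTERM exit in another pool, which must not be counted as a crash.
SAMPLE_LOG = """\
[05-Jul-2015 19:05:16] NOTICE: fpm is running, pid 12824
[05-Jul-2015 19:05:16] NOTICE: ready to handle connections
[06-Jul-2015 09:23:35] WARNING: [pool mypool] child 18436 exited on signal 11 (SIGSEGV - core dumped) after 5408.796888 seconds from start
[06-Jul-2015 09:23:35] NOTICE: [pool mypool] child 19100 started
[06-Jul-2015 09:23:35] WARNING: [pool mypool] child 19031 exited on signal 11 (SIGSEGV - core dumped) after 523.790290 seconds from start
[06-Jul-2015 09:23:35] NOTICE: [pool mypool] child 19101 started
[06-Jul-2015 09:23:35] WARNING: [pool mypool] child 17563 exited on signal 11 (SIGSEGV - core dumped) after 11632.329569 seconds from start
[06-Jul-2015 09:23:35] NOTICE: [pool mypool] child 19103 started
[06-Jul-2015 09:30:00] WARNING: [pool other] child 20001 exited on signal 15 (SIGTERM) after 1.5 seconds from start
"""

# Signals treated as crashes: SIGSEGV, SIGABRT, SIGBUS (Linux numbering; assumption).
CRASH_SIGNALS = (11, 6, 7)


def parse_exit_line(line):
    """Return a dict for a 'child ... exited on signal' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "pool": m.group("pool"),
        "pid": int(m.group("pid")),
        "signum": int(m.group("signum")),
        "signame": m.group("signame"),
        "core_dumped": m.group("core") is not None,
        "uptime": float(m.group("uptime")),
    }


def parse_log(text):
    """Parse a whole log, keeping only the worker-exit events."""
    return [e for e in (parse_exit_line(l) for l in text.splitlines()) if e]


def find_crash_storms(events, window=timedelta(minutes=5), threshold=3,
                      signals=CRASH_SIGNALS):
    """Return {pool: max_crashes_in_window} for pools hitting the threshold.

    Uses a sliding window over the sorted crash timestamps of each pool so that
    three SIGSEGV exits in the same second (as in the report) trip the alert,
    while one isolated crash per day does not.
    """
    by_pool = defaultdict(list)
    for e in events:
        if e["signum"] in signals:
            by_pool[e["pool"]].append(e["ts"])
    storms = {}
    for pool, times in by_pool.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            storms[pool] = best
    return storms


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(f"{e['ts']} pool={e['pool']} pid={e['pid']} {e['signame']} "
              f"core={e['core_dumped']} uptime={e['uptime']:.1f}s")
    print("crash storms:", find_crash_storms(evs))
```

Feed the real master log (the file named by `error_log` in the php-fpm global section) to `parse_log` and alert on a non-empty result; the per-event `uptime` field is worth keeping in the alert, since very short lifetimes point at a crash on every request while long ones, as in the report, point at state that only goes bad under load.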

History
 [2015-09-19 15:52 UTC] crahobzy at ukr dot net
In addition, I would say that if the const array is empty, the bug is not reproducible either.
 [2018-01-13 14:18 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2018-01-13 14:18 UTC] nikic@php.net
Based on code and backtrace I'm pretty sure that this is the same as bug #70601, which was fixed in 5.6.15.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Jan 24 06:01:25 2020 UTC