Bug #70428 Opcache crashes with SIGSEGV
Submitted: 2015-09-04 12:19 UTC Modified: 2016-04-16 20:50 UTC
Votes:6
Avg. Score:4.7 ± 0.5
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:0 (0.0%)
From: christian at rishoj dot net Assigned:
Status: Re-Opened Package: opcache
PHP Version: 5.6.12 OS: Ubuntu 14.04
Private report: No CVE-ID: None
 [2015-09-04 12:19 UTC] christian at rishoj dot net
Description:
------------
With the opcache enabled, a certain CLI-invoked operation in a large web application crashes with SIGSEGV.

Crash happens with 
 * opcache.interned_strings_buffer=16 and
 * opcache.interned_strings_buffer=8, 
but *not* with
 * opcache.interned_strings_buffer=0.

Test script:
---------------
I haven't isolated a minimal test case.

Actual result:
--------------
#0  0x00000000006b3016 in ?? ()  
#1  0x00000000006b31ac in ?? ()
#2  0x00007ffff50ba905 in ?? () from /usr/lib/php5/20131226/opcache.so
#3  0x00007ffff50c24b2 in ?? () from /usr/lib/php5/20131226/opcache.so
#4  0x00007ffff50c3ed6 in ?? () from /usr/lib/php5/20131226/opcache.so
#5  0x00007ffff50c415e in zend_accel_script_optimize () from /usr/lib/php5/20131226/opcache.so
#6  0x00007ffff50aee35 in ?? () from /usr/lib/php5/20131226/opcache.so
#7  0x00007ffff50af9e9 in persistent_compile_file () from /usr/lib/php5/20131226/opcache.so
#8  0x000000000077f2bd in ?? ()
#9  0x0000000000715b98 in execute_ex ()
#10 0x00000000006cab39 in dtrace_execute_ex ()
#11 0x000000000077e79c in ?? ()
#12 0x0000000000715b98 in execute_ex ()
#13 0x00000000006cab39 in dtrace_execute_ex ()
#14 0x0000000000780567 in ?? ()
#15 0x0000000000715b98 in execute_ex ()
#16 0x00000000006cab39 in dtrace_execute_ex ()
#17 0x00000000006cc863 in zend_call_function ()
#18 0x00000000006f26f5 in zend_call_method ()
#19 0x00000000005c7396 in zif_spl_autoload_call ()
#20 0x00000000006cac3b in dtrace_execute_internal ()
#21 0x00000000006cc945 in zend_call_function ()
#22 0x00000000006cd122 in zend_lookup_class_ex ()
#23 0x00000000006cd812 in zend_fetch_class_by_name ()
#24 0x0000000000724024 in ?? ()
#25 0x0000000000715b98 in execute_ex ()
#26 0x00000000006cab39 in dtrace_execute_ex ()
#27 0x0000000000780567 in ?? ()
#28 0x0000000000715b98 in execute_ex ()
#29 0x00000000006cab39 in dtrace_execute_ex ()
#30 0x0000000000780567 in ?? ()  
#31 0x0000000000715b98 in execute_ex ()  
#32 0x00000000006cab39 in dtrace_execute_ex ()
#33 0x00000000006cc863 in zend_call_function ()
#34 0x00000000005fd302 in zif_call_user_func_array ()  
#35 0x00000000006cac3b in dtrace_execute_internal ()
#36 0x0000000000780044 in ?? ()
#37 0x0000000000715b98 in execute_ex ()
#38 0x00000000006cab39 in dtrace_execute_ex ()
#39 0x00000000006dcee0 in zend_execute_scripts ()
#40 0x000000000067b142 in php_execute_script ()
#41 0x0000000000781ebe in ?? ()
#42 0x0000000000462a20 in main ()


History
 [2015-10-01 22:26 UTC] steven dot hadfield at business dot com
I also encountered this issue (5.6.13 and 5.6.14, CentOS 6, x86_64).
I have a non-sharable repeatable test case, but it seems to be related to when there's a large number of strings (e.g. an array of 10k strings is where it would die sometimes, along with other values). I tried increasing the opcache.interned_strings_buffer value to > 1000, but still encountered the issue. PHP-FPM seemed to only segfault the first time it encountered the situation. Following requests would not trigger the fault until fpm was restarted.

The trace was not always the same, but here's an example:

#0  _zend_mm_alloc_int (heap=0x171c2d0, size=23) at /usr/src/debug/php-5.6.14/Zend/zend_alloc.c:1910
#1  0x00000000005b864a in _estrndup (s=0x1f11f84 "crawl/0.4 libcrawl/0.3", length=22) at /usr/src/debug/php-5.6.14/Zend/zend_alloc.c:2650
#2  0x00007f5ab94a5e10 in fetch_value (stmt=0x1c3a5e0, dest=0x225bdf0, colno=<value optimized out>, type_override=<value optimized out>) at /usr/src/debug/php-5.6.14/ext/pdo/pdo_stmt.c:641
#3  0x00007f5ab94a92a2 in do_fetch (stmt=0x1c3a5e0, return_value=0x225bbf0, how=<value optimized out>, ori=<value optimized out>, offset=<value optimized out>, return_all=0x0, do_bind=1)
    at /usr/src/debug/php-5.6.14/ext/pdo/pdo_stmt.c:1034
#4  0x00007f5ab94aa8e0 in zim_PDOStatement_fetchAll (ht=<value optimized out>, return_value=0x21e09e0, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /usr/src/debug/php-5.6.14/ext/pdo/pdo_stmt.c:1536
#5  0x00000000005cf4d9 in dtrace_execute_internal (execute_data_ptr=<value optimized out>, fci=<value optimized out>, return_value_used=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:97
#6  0x000000000065e375 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:560
#7  0x000000000064de48 in execute_ex (execute_data=0x7f5acb70a080) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#8  0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb70a080) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#9  0x000000000065e9e4 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:592
#10 0x000000000064de48 in execute_ex (execute_data=0x7f5acb709f18) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#11 0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb709f18) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#12 0x000000000065e9e4 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:592
#13 0x000000000064de48 in execute_ex (execute_data=0x7f5acb709da8) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#14 0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb709da8) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#15 0x000000000065e9e4 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:592
#16 0x000000000064de48 in execute_ex (execute_data=0x7f5acb709c78) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#17 0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb709c78) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#18 0x000000000065e9e4 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:592
#19 0x000000000064de48 in execute_ex (execute_data=0x7f5acb709b58) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#20 0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb709b58) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#21 0x000000000065e9e4 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:592
#22 0x000000000064de48 in execute_ex (execute_data=0x7f5acb7099e8) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#23 0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb7099e8) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#24 0x000000000065e9e4 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:592
#25 0x000000000064de48 in execute_ex (execute_data=0x7f5acb7098a8) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#26 0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb7098a8) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#27 0x000000000065e9e4 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:592
#28 0x000000000064de48 in execute_ex (execute_data=0x7f5acb709718) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#29 0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb709718) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#30 0x00000000005d2073 in zend_call_function (fci=0x7fff2bfa5730, fci_cache=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_execute_API.c:829
#31 0x00000000005f7f07 in zend_call_method (object_pp=0x7fff2bfa5868, obj_ce=<value optimized out>, fn_proxy=0x1ba8e50, function_name=0x6f68c6 "__get", function_name_len=<value optimized out>, retval_ptr_ptr=0x7fff2bfa5878, 
    param_count=1, arg1=0x1b8b2c0, arg2=0x0) at /usr/src/debug/php-5.6.14/Zend/zend_interfaces.c:97
#32 0x000000000060725c in zend_std_call_getter (object=0x1d4b9c0, member=0x1b8b2c0) at /usr/src/debug/php-5.6.14/Zend/zend_object_handlers.c:190
#33 0x00000000006087ed in zend_std_read_property (object=0x1d4b9c0, member=0x7f5aa9546570, type=0, key=0x7f5aa9546570) at /usr/src/debug/php-5.6.14/Zend/zend_object_handlers.c:502
#34 0x000000000060ee9d in zend_fetch_property_address_read_helper_SPEC_VAR_CONST (execute_data=0x7f5acb7095d0) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:15322
#35 0x000000000064de48 in execute_ex (execute_data=0x7f5acb7095d0) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#36 0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb7095d0) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#37 0x000000000065e9e4 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:592
#38 0x000000000064de48 in execute_ex (execute_data=0x7f5acb7093c0) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#39 0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb7093c0) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#40 0x000000000065e9e4 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:592
#41 0x000000000064de48 in execute_ex (execute_data=0x7f5acb709268) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#42 0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb709268) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#43 0x000000000065e9e4 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:592
#44 0x000000000064de48 in execute_ex (execute_data=0x7f5acb709108) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#45 0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb709108) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#46 0x000000000065e9e4 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:592
#47 0x000000000064de48 in execute_ex (execute_data=0x7f5acb708fa0) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#48 0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb708fa0) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#49 0x000000000065e9e4 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:592
#50 0x000000000064de48 in execute_ex (execute_data=0x7f5acb708e38) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#51 0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb708e38) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#52 0x000000000065e9e4 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:592
#53 0x000000000064de48 in execute_ex (execute_data=0x7f5acb708cd8) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
#54 0x00000000005cf60e in dtrace_execute_ex (execute_data=0x7f5acb708cd8) at /usr/src/debug/php-5.6.14/Zend/zend_dtrace.c:73
#55 0x000000000065e9e4 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:592
#56 0x000000000064de48 in execute_ex (execute_data=0x7f5acb708b60) at /usr/src/debug/php-5.6.14/Zend/zend_vm_execute.h:363
 [2015-10-04 06:26 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-10-04 06:26 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2015-10-18 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2015-12-21 08:32 UTC] viking at xakep dot ru
I've isolated a minimal test case.

<?php
// Autoloader: every generated class lives in its own file, which is removed
// again as soon as it has been included.
spl_autoload_register(function ($className) {
	$fileName = $className . '.php';
	include $fileName;
	unlink($fileName);
});
$symbols = array_merge(range('a', 'z'), range('A', 'Z'), ['_']);
class baseClass {
	public $arr = [];
}
$oldClassName = 'baseClass';
// Generate 10000 classes with random names, each extending the previous one,
// so that instantiating the last class autoloads the whole chain.
for ($k = 0; $k < 10000; ++$k) {
	$className = '';
	do {
		for ($len = rand(10, 22); $len > 0; --$len) {
			$className .= $symbols[rand(0, count($symbols) - 1)];
		}
	} while (class_exists($className, false));
	$className = trim($className, '_ ');
	$code = '<?php
	class ' . $className . ' extends ' . $oldClassName . ' {}';
	file_put_contents($className . '.php', $code);
	$oldClassName = $className;
}
$class = new $className();

var_dump($class);
 [2015-12-21 08:33 UTC] requinix@php.net
-Status: No Feedback +Status: Re-Opened
 [2015-12-21 09:34 UTC] christian at rishoj dot net
Thanks, but are you sure this test case reproduces the opcache bug?

It causes the PHP CLI interpreter to crash with SIGSEGV regardless of whether opcache is enabled or not.

Also, judging from a back trace, the crash does not seem to involve the opcache.
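The check made above, whether a backtrace involves opcache at all, can be done mechanically, which helps when a thread like this one collects several traces that look alike. The following shell script is an added example and not part of the bug report: it reads a gdb backtrace and reports how many frames there are, how many of them are inside opcache.so, which function faulted, and a verdict (opcache absent, opcache on the stack below the fault, or the fault inside opcache itself). The two sample traces are constructed from the first frames of traces in this thread; the function names and the verdict labels are this example's own.

```shell
#!/bin/sh
# Added example (not part of the bug report): summarise a gdb backtrace read
# from stdin and say whether opcache.so appears in it. Frame lines look like
# "#N  0xADDR in func () from lib.so" or "#N  func (args) at file:line";
# indented "at file:line" continuation lines carry no frame and are skipped.
bt_classify() {
    awk '
    /^#[0-9]+ / {
        frames++
        # with an address present the function name is field 4, otherwise field 2
        fn = ($3 == "in") ? $4 : $2
        if ($0 ~ /opcache\.so/) {
            opcache++
            if (frames == 1) inner_opcache = 1
        }
        if (frames == 1) innermost = fn
    }
    END {
        if (frames == 0)        verdict = "no-frames"
        else if (inner_opcache) verdict = "faulting-in-opcache"
        else if (opcache > 0)   verdict = "opcache-on-stack"
        else                    verdict = "opcache-absent"
        printf "frames=%d opcache_frames=%d innermost=%s verdict=%s\n",
               frames, opcache, innermost, verdict
    }'
}

# Constructed sample: first frames of the original report. The faulting frame
# has no symbol; opcache.so is further down the stack (compile/optimize path).
SAMPLE_ORIGINAL='#0  0x00000000006b3016 in ?? ()
#1  0x00000000006b31ac in ?? ()
#2  0x00007ffff50ba905 in ?? () from /usr/lib/php5/20131226/opcache.so
#5  0x00007ffff50c415e in zend_accel_script_optimize () from /usr/lib/php5/20131226/opcache.so'

# Constructed sample: a trace in the style of the PDO fetch crash, where the
# allocator faults and no opcache frame is present at all.
SAMPLE_NO_OPCACHE='#0  _zend_mm_alloc_int (heap=0x171c2d0, size=23) at /usr/src/debug/php-5.6.14/Zend/zend_alloc.c:1910
#1  0x00000000005b864a in _estrndup (s=0x1f11f84 "crawl/0.4 libcrawl/0.3", length=22) at /usr/src/debug/php-5.6.14/Zend/zend_alloc.c:2650'

# classify_sample TEXT -> classification line for a backtrace held in a variable
classify_sample() {
    printf '%s\n' "$1" | bt_classify
}

# Usage: classify_sample "$SAMPLE_ORIGINAL", or pipe gdb output into bt_classify.
classify_sample "$SAMPLE_ORIGINAL"
classify_sample "$SAMPLE_NO_OPCACHE"
```

The verdict only says where opcache sits relative to the fault. An "opcache-on-stack" result, as in the original report, means the crash happened while opcache was compiling or optimising a script, which is consistent with the interned-strings setting mattering; "opcache-absent" means the trace cannot support blaming opcache, which is the point made in the comment above.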
 [2015-12-23 08:57 UTC] viking at xakep dot ru
No, it's not that bug. So this is one, but a floating reproduction. It always reproduces after the first crash of php_fpm.
TestClass.php >>
<?php
// Parent class with a magic getter; the method below recurses through it.
class TestClass {
	public function __get($field)
	{}

	public function someMethodName()
	{
		return $this->someMethodName;
	}
}
?>
-----------------------
baseClass.php >>
<?php
// Autoloader: TestClass is loaded from TestClass.php when baseClass is declared.
spl_autoload_register(function ($className) {
	$fileName = $className . '.php';
	include $fileName;
});
class baseClass extends TestClass {
	const TEST_CONST = 'testConst';
	private function testConst()
	{
		if (true) {
			$this->{self::TEST_CONST}();
		}
	}
}
$class = new baseClass();
?>


php 5.6.12 on 3.10.0-229.7.2.el7.x86_64
 [2015-12-23 10:08 UTC] requinix@php.net
-Status: Re-Opened +Status: Feedback
 [2015-12-23 10:08 UTC] requinix@php.net
@viking:
> $this->{self::TEST_CONST}();
That will cause PHP to call testConst() repeatedly until the process eventually runs out of stack space and crashes. This is expected behavior.

Do you have a test case that is related to @christian's problem with opcache and the opcache.interned_strings_buffer setting?
 [2015-12-23 10:45 UTC] viking at xakep dot ru
You don't need to call any functions, just create a new instance. This isolated code always crashes with this configuration:

opcache.use_cwd=1
opcache.validate_timestamps=1
opcache.memory_consumption=128
opcache.log_verbosity_level=2
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
opcache.fast_shutdown=1
opcache.enable_cli=1


but only after the first crash in non-sharable code.

Call stack:

#0  0x000000000076058a in _zend_mm_alloc_int ()
#1  0x000000000077b7b6 in init_op_array ()
#2  0x00000000007713ad in zend_do_begin_function_declaration ()
#3  0x000000000074d654 in zendparse ()
#4  0x0000000000751228 in compile_file ()
#5  0x00000000006045f2 in phar_compile_file ()
#6  0x00007f2ebf01fa99 in compile_and_cache_file.constprop.17 () from /opt/aol/production/php56/ext/opcache.so
#7  0x00007f2ebf0207d2 in persistent_compile_file () from /opt/aol/production/php56/ext/opcache.so
#8  0x0000000000751397 in compile_filename ()
#9  0x000000000082baa3 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER ()
#10 0x00000000007bdbe8 in execute_ex ()
#11 0x0000000000778e03 in zend_call_function ()
#12 0x000000000079ef35 in zend_call_method ()
#13 0x000000000067c10a in zif_spl_autoload_call ()
#14 0x0000000000778d66 in zend_call_function ()
#15 0x00000000007796b2 in zend_lookup_class_ex ()
#16 0x0000000000779d92 in zend_fetch_class_by_name ()
#17 0x00000000007d4209 in ZEND_FETCH_CLASS_SPEC_CONST_HANDLER ()
#18 0x00000000007bdbe8 in execute_ex ()
#19 0x00000000007897a0 in zend_execute_scripts ()
#20 0x0000000000728562 in php_execute_script ()
#21 0x00000000004350b0 in main ()
 [2015-12-23 10:56 UTC] viking at xakep dot ru
And no errors when
opcache.interned_strings_buffer=0
 [2015-12-23 18:54 UTC] requinix@php.net
-Status: Feedback +Status: Re-Opened
 [2016-04-16 20:50 UTC] mfischer@php.net
Does it also crash with opcache.fast_shutdown=0 ?
 [2016-04-22 08:49 UTC] viking at xakep dot ru
Yes, it also crashes with
opcache.fast_shutdown=0
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Nov 25 20:01:23 2020 UTC