Bug #70973 Segmentation fault when no huge pages available
Submitted: 2015-11-25 21:31 UTC
Modified: 2015-11-27 16:30 UTC
From: cv at jet9 dot ru
Assigned: laruence (profile)
Status: Closed
Package: opcache
PHP Version: 7.0.0RC7
OS: CentOS 6
Private report: No
CVE-ID: None
 [2015-11-25 21:31 UTC] cv at jet9 dot ru
Description:
------------
When opcache.huge_code_pages=1 and no huge pages are available, php gets a segfault:

jet9.ru$ strace /own/bin/php
...
mmap(0x400000, 2097152, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|0x40000, -1, 0) = -1 ENOMEM (Cannot allocate memory)
munmap(0x7fa18485f000, 2097152)         = 0
close(3)                                = 0
munmap(0x7fa1a0800000, 4096)            = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x5d72c0} ---
+++ killed by SIGSEGV +++
Segmentation fault

jet9.ru$ gdb /own/bin/php
...
Program received signal SIGSEGV, Segmentation fault.
zend_llist_del_element (l=0x9dc8e0, element=0x0, compare=0x7fffedf40590 <accelerator_remove_cb>) at /usr/src/debug/php-7.0.0RC8/Zend/zend_llist.c:91


I guess a check of the mmap() return value is missing somewhere when dealing with huge pages.



 [2015-11-26 04:10 UTC] laruence@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: laruence
 [2015-11-26 04:10 UTC] laruence@php.net
I can not reproduce this simply, so could you please test with this patch?

diff --git a/ext/opcache/ZendAccelerator.c b/ext/opcache/ZendAccelerator.c
index e23e751..ae10d12 100644
--- a/ext/opcache/ZendAccelerator.c
+++ b/ext/opcache/ZendAccelerator.c
@@ -2531,7 +2531,7 @@ static int accel_remap_huge_pages(void *start, size_t size, const char *name, si
                        PROT_READ | PROT_WRITE | PROT_EXEC,
                        MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED,
                        -1, 0);
-           if (-1 == madvise(start, size, MADV_HUGEPAGE)) {
+         if (ret == MAP_FAILED || -1 == madvise(start, size, MADV_HUGEPAGE)) {
                        munmap(mem, size);
                        return -1;
                }
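Review bot: The added ret == MAP_FAILED test sits on the mmap() call that passes only MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, while the strace in the report shows the failing call carrying an extra 0x40000 flag (MAP_HUGETLB on Linux), so this may not be the branch that fails; the call that passes that flag needs the same MAP_FAILED check. The failure path here also returns -1 silently after munmap(mem, size); emitting a warning that includes errno before the return would tell the administrator that huge pages were unavailable.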
 [2015-11-26 15:51 UTC] cv at jet9 dot ru
No, the bug still exists. With the patch applied, the function accel_move_code_to_huge_pages() returns and the segfault is raised later:

(gdb) br /usr/src/debug/php-7.0.0RC8/ext/opcache/ZendAccelerator.c:2620
(gdb) run
Breakpoint 1, accel_startup (extension=<value optimized out>) at /usr/src/debug/php-7.0.0RC8/ext/opcache/ZendAccelerator.c:2620
2620                    if (!ZCG(accel_directives).enable_cli &&
(gdb) n
2619                    accel_startup_ok = 0;
(gdb)
2620                    if (!ZCG(accel_directives).enable_cli &&
(gdb)
2621                        strcmp(sapi_module.name, "cli") == 0) {
(gdb)
2620                    if (!ZCG(accel_directives).enable_cli &&
(gdb)
2622                            zps_startup_failure("Opcode Caching is disabled for CLI", NULL, accelerator_remove_cb);
(gdb)

Program received signal SIGSEGV, Segmentation fault.
zend_llist_del_element (l=0x9dc8e0, element=0x0, compare=0x7fffedf40590 <accelerator_remove_cb>) at /usr/src/debug/php-7.0.0RC8/Zend/zend_llist.c:91
91      {
 [2015-11-27 11:53 UTC] laruence@php.net
How about this one? http://pastebin.com/sqXMzZLT

thanks
 [2015-11-27 15:32 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e9a8d7ff1d59cbcaf4b5cec728a94fb0d54dd993
Log: Fixed bug #70977, #70973 (Segmentation fault with opcache.huge_code_pages=1)
 [2015-11-27 16:30 UTC] laruence@php.net
-Status: Feedback +Status: Closed
 [2015-11-27 16:30 UTC] laruence@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

It should be fixed: http://git.php.net/?p=php-src.git;a=commit;h=e9a8d7ff1d59cbcaf4b5cec728a94fb0d54dd993
 [2015-11-27 20:21 UTC] cv at jet9 dot ru
I've just checked on commit e9a8d7ff1d59cbcaf4b5cec728a94fb0d54dd993, it's all right. Got the warning "Zend OPcachehuge_code_pages: mmap(HUGETLB) failed: Cannot allocate memory (12)" and then the run continues fine.

Fix confirmed, thanks.
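The warn-and-continue behaviour confirmed above, as an added example that is not from this thread or from php-src: `map_prefer_huge` is a hypothetical helper that checks mmap() against MAP_FAILED, reports errno, and falls back to normal pages. It maps anonymous data memory rather than remapping code at a fixed address as opcache does, and assumes Linux with 2 MiB huge pages.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Linux x86 values, in case strict -std hides them; 0x40000 is the flag in the strace. */
#ifndef MAP_HUGETLB
#define MAP_HUGETLB 0x40000
#endif
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20
#endif
#define HUGE_PAGE_SIZE (2UL * 1024 * 1024) /* assumed 2 MiB, the size in the strace */

/* Hypothetical helper, not a php-src function: map `size` bytes, preferring huge
 * pages. Returns NULL only if the normal-page fallback fails too; *used_huge
 * is 1 only when the MAP_HUGETLB request succeeded. */
static void *map_prefer_huge(size_t size, int *used_huge)
{
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB, -1, 0);

    *used_huge = 0;
    if (mem != MAP_FAILED) { /* failure is MAP_FAILED ((void *)-1), never NULL */
        *used_huge = 1;
        return mem;
    }
    fprintf(stderr, "warning: mmap(HUGETLB) failed: %s (%d)\n",
            strerror(errno), errno);
    /* Degrade to normal pages instead of carrying on with a bad pointer. */
    mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) {
        fprintf(stderr, "error: mmap failed: %s (%d)\n", strerror(errno), errno);
        return NULL;
    }
    return mem;
}

int main(void)
{
    int used_huge;
    char *buf = map_prefer_huge(HUGE_PAGE_SIZE, &used_huge);
    if (buf == NULL)
        return 1;
    buf[0] = 'x'; /* usable whichever page size was granted */
    printf("mapped with %s pages\n", used_huge ? "huge" : "normal");
    return munmap(buf, HUGE_PAGE_SIZE) == 0 ? 0 : 1;
}
```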
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e9a8d7ff1d59cbcaf4b5cec728a94fb0d54dd993
Log: Fixed bug #70977, #70973 (Segmentation fault with opcache.huge_code_pages=1)