Bug #70977 Segmentation fault (core dumped) with opcache.huge_code_pages=1
Submitted: 2015-11-26 14:42 UTC Modified: 2015-11-27 11:40 UTC
From: reynierpm at gmail dot com Assigned: laruence
Status: Closed Package: Reproducible crash
PHP Version: 7.0.0RC8 OS: CentOS 6.7
Private report: No CVE-ID:
 [2015-11-26 14:42 UTC] reynierpm at gmail dot com
Description:
------------
I tried to run "composer update" in a Symfony2 project and got the following error: "Segmentation fault (core dumped)". Setting opcache.huge_code_pages=0 in /etc/php.d/10-opcache.ini fixes the issue.

Actual result:
--------------
(gdb) run /usr/local/bin/composer
Starting program: /usr/bin/php /usr/local/bin/composer
[Thread debugging using libthread_db enabled]
 
Program received signal SIGSEGV, Segmentation fault.
zend_llist_del_element (l=0x9dc8e0, element=0x0, compare=0x7ffff1b40590 <accelerator_remove_cb>) at /usr/src/debug/php-7.0.0RC8/Zend/zend_llist.c:91
91      {


(gdb) bt
#0  zend_llist_del_element (l=0x9dc8e0, element=0x0, compare=0x7ffff1b40590 <accelerator_remove_cb>) at /usr/src/debug/php-7.0.0RC8/Zend/zend_llist.c:91
#1  0x00007ffff1b425b1 in zps_startup_failure (extension=<value optimized out>) at /usr/src/debug/php-7.0.0RC8/ext/opcache/ZendAccelerator.c:2336
#2  accel_startup (extension=<value optimized out>) at /usr/src/debug/php-7.0.0RC8/ext/opcache/ZendAccelerator.c:2621
#3  0x00000000005edbb1 in zend_extension_startup (extension=0xa26c80) at /usr/src/debug/php-7.0.0RC8/Zend/zend_extensions.c:176
#4  0x00000000005d7123 in zend_llist_apply_with_del (l=0x9dc8e0, func=0x5edba0 <zend_extension_startup>) at /usr/src/debug/php-7.0.0RC8/Zend/zend_llist.c:171
#5  0x00000000005edb97 in zend_startup_extensions () at /usr/src/debug/php-7.0.0RC8/Zend/zend_extensions.c:197
#6  0x0000000000585815 in php_module_startup (sf=<value optimized out>, additional_modules=<value optimized out>, num_additional_modules=<value optimized out>) at /usr/src/debug/php-7.0.0RC8/main/main.c:2197
#7  0x00000000006761bd in php_cli_startup (sapi_module=<value optimized out>) at /usr/src/debug/php-7.0.0RC8/sapi/cli/php_cli.c:423
#8  0x00000000006778e1 in main (argc=2, argv=0x9dfad0) at /usr/src/debug/php-7.0.0RC8/sapi/cli/php_cli.c:1325

History
 [2015-11-26 14:48 UTC] remi@php.net
-Summary: Segmentation fault (core dumped) +Summary: Segmentation fault (core dumped) with opcache.huge_code_pages=1
 [2015-11-26 14:48 UTC] remi@php.net
-Package: PHP Language Specification +Package: Reproducible crash
 [2015-11-26 15:21 UTC] laruence@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: laruence
 [2015-11-26 15:21 UTC] laruence@php.net
From the description, it is probably a duplicate of #70973; could you please try the patch I commented there?

thanks
 [2015-11-26 16:01 UTC] remi@php.net
@laruence: I'm giving a first try to http://git.php.net/?p=php-src.git;a=commitdiff;h=eb59dd7d8137c6567afcd579bcb3bd0298f5bbc4 which is not part of RC8
 [2015-11-26 16:10 UTC] nikic@php.net
@remi: That commit looks suspicious. If I get the code right, this means that we'll skip memcpy'ing the text segment back into the newly mapped memory if the madvise fails. This means that when control flow returns to the PHP text segment we're executing uninitialized memory.

Btw, is it possible to map these as PROT_READ | PROT_WRITE only? I know it's only temporary, but it doesn't seem necessary to have this as w+x memory.
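The two points raised in that comment (the copy back into the remapped region must not depend on madvise succeeding, and the region need not be writable and executable at the same time) can be shown as a small re-backing routine. This is an added example, not code from php-src or from any commenter on this report; it works on a constructed page-aligned buffer standing in for a text segment, and the function names reback_region and reback_roundtrip_check are assumptions of this example. It assumes a Linux-style mmap/madvise API; on a kernel without MADV_HUGEPAGE the huge-page request is skipped and the sequence still completes correctly.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Re-back a page-aligned region [start, start+len) with fresh anonymous memory,
 * optionally asking the kernel for transparent huge pages, while preserving the
 * bytes it held. final_prot is the protection applied once the copy is done.
 * Returns 0 on success. *huge_requested is set to 1 if madvise(MADV_HUGEPAGE)
 * succeeded and 0 otherwise; a failed madvise is NOT an error, because the copy
 * back must happen regardless (the problem with the commit discussed above). */
static int reback_region(void *start, size_t len, int final_prot, int *huge_requested)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || ((uintptr_t)start % (size_t)page) != 0 ||
        len == 0 || (len % (size_t)page) != 0) {
        errno = EINVAL;
        return -1;
    }

    /* 1. Stash the current contents somewhere outside the region. For a real text
     *    segment this code itself must live outside the range being replaced. */
    unsigned char *backup = malloc(len);
    if (!backup) return -1;
    memcpy(backup, start, len);

    /* 2. Replace the backing pages. MAP_FIXED atomically swaps the old mapping for
     *    a zero-filled anonymous one. The region is writable but NOT executable
     *    from here on, so there is never a writable+executable window. */
    void *p = mmap(start, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) { free(backup); return -1; }

    /* 3. Ask for huge pages. This is advisory: if the kernel lacks THP support or
     *    refuses the request, we simply continue with normal pages. */
    *huge_requested = 0;
#ifdef MADV_HUGEPAGE
    if (madvise(start, len, MADV_HUGEPAGE) == 0) *huge_requested = 1;
#endif

    /* 4. Copy the bytes back unconditionally. Skipping this when madvise fails
     *    leaves the region zero-filled; for a text segment that means the next
     *    instruction fetch lands in uninitialised memory. */
    memcpy(start, backup, len);
    free(backup);

    /* 5. Only now drop write access and apply the final protection (e.g. R+X
     *    for code). Writable and executable were never held together. */
    if (mprotect(start, len, final_prot) != 0) return -1;
    return 0;
}

/* Self-check on a constructed two-page buffer standing in for a text segment:
 * fills it with a pattern, re-backs it read-only, and reports whether every byte
 * survived. Returns 0 when the contents are intact, -1 on a mapping error and
 * -2 if any byte was lost. */
static int reback_roundtrip_check(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = 2 * page;
    unsigned char *region = mmap(NULL, len, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    for (size_t i = 0; i < len; i++) region[i] = (unsigned char)(i * 7u + 3u);

    int huge = 0;
    if (reback_region(region, len, PROT_READ, &huge) != 0) {
        munmap(region, len);
        return -1;
    }

    int intact = 1;
    for (size_t i = 0; i < len; i++) {
        if (region[i] != (unsigned char)(i * 7u + 3u)) { intact = 0; break; }
    }
    munmap(region, len);
    return intact ? 0 : -2;
}

int main(void)
{
    int rc = reback_roundtrip_check();
    printf("roundtrip: %s (rc=%d)\n", rc == 0 ? "contents intact" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

The ordering is the whole point: the madvise result only decides whether huge pages were obtained, never whether the copy-back runs, and the final mprotect is the first moment execute permission could be granted, after the writes are finished.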
 [2015-11-26 16:43 UTC] remi@php.net
With the patch proposed on #70973, same segfault.
 [2015-11-27 11:01 UTC] laruence@php.net
could you please try the patch here? : http://pastebin.com/Xg2eVzYq

thanks
 [2015-11-27 11:40 UTC] laruence@php.net
sorry, wrong paste, use this instead: http://pastebin.com/sqXMzZLT
 [2015-11-27 14:42 UTC] remi@php.net
With laruence's latest patch, the segfault disappears.
 [2015-11-27 15:32 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e9a8d7ff1d59cbcaf4b5cec728a94fb0d54dd993
Log: Fixed bug #70977, #70973 (Segmentation fault with opcache.huge_code_pages=1)
 [2015-11-27 15:32 UTC] laruence@php.net
-Status: Feedback +Status: Closed
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e9a8d7ff1d59cbcaf4b5cec728a94fb0d54dd993
Log: Fixed bug #70977, #70973 (Segmentation fault with opcache.huge_code_pages=1)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC