Zend Opcache caches the current working directory in ZCG(cwd) and therefore overrides chdir() in order to update the cached directory name when a script switches directories. The hook on chdir() is set in accel_startup() if opcache.enable is true. ZCG(cwd) is freed in accel_deactivate(), but only if opcache.enable *still* is true. Since Zend extension shutdown functions are called before resetting INI configuration state, a script (or, for example, php_admin_flag in the fpm SAPI) may disable Opcache at runtime by setting opcache.enable to false. In this case, the pointer is not correctly freed and will be reused in the next request, although it became invalid due to being freed by the Zend allocator. This leads to a use-after-free error and may cause a segmentation fault.
I am going to attach two pull requests that fix the problem by freeing ZCG(cwd) in accel_deactivate() even if Opcache is disabled.
Due to the nature of this bug, it's impossible to create a test script that will *always* crash. For testing, I've set opcache.enable=1 in php.ini and php_admin_flag[opcache_enable]=off in my FPM pool. Afterwards, I've made requests to two scripts that simply chdir() to different directories. At some point, the FPM workers segfaulted.
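The ordering problem the report describes, as an added illustration in C (not the reporter's code and not Opcache's own): a request-scoped arena stands in for the Zend allocator, and all names are hypothetical stand-ins for ZCG(cwd), accel_startup() and accel_deactivate(); the `fixed` flag selects the unconditional free that the attached pull requests apply.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the request lifecycle, not Zend Opcache's code.
 * The arena is released wholesale at the end of every request, so any
 * pointer into it that survives into the next request is stale. */
#define ARENA_SIZE 256
static char arena[ARENA_SIZE];
static size_t arena_used;

static char *request_strdup(const char *s) {            /* emalloc-style */
    size_t n = strlen(s) + 1;
    if (arena_used + n > ARENA_SIZE) return NULL;
    char *p = memcpy(arena + arena_used, s, n);
    arena_used += n;
    return p;
}
static void request_free(char **p) { *p = NULL; }       /* efree + reset, simplified */
static void allocator_shutdown(void) { memset(arena, 0, sizeof arena); arena_used = 0; }

static bool opcache_enable;   /* stands in for opcache.enable */
static bool chdir_hooked;     /* set once, in the startup hook */
static char *cached_cwd;      /* stands in for ZCG(cwd) */

static void accel_startup(void) { if (opcache_enable) chdir_hooked = true; }
static void hooked_chdir(const char *dir) { if (chdir_hooked) cached_cwd = request_strdup(dir); }

/* Extension shutdown: the buggy form frees only while opcache.enable is still true. */
static void accel_deactivate(bool fixed) {
    if ((fixed || opcache_enable) && cached_cwd) request_free(&cached_cwd);
}

/* True if the cached cwd still points at request memory that was already released. */
static bool cwd_is_dangling(void) {
    return cached_cwd != NULL &&
           !(cached_cwd >= arena && cached_cwd < arena + arena_used);
}

/* One request that disables opcache at runtime and chdir()s, then the next
 * request's first look at the cache. Returns whether that look is a use-after-free. */
bool next_request_sees_dangling_cwd(bool fixed) {
    cached_cwd = NULL; chdir_hooked = false; allocator_shutdown();
    opcache_enable = true;  accel_startup();   /* php.ini: opcache.enable=1 */
    opcache_enable = false;                    /* runtime override to false */
    hooked_chdir("/var/www/app-a");            /* constructed path; hook still installed */
    accel_deactivate(fixed);                   /* runs BEFORE INI state is reset */
    opcache_enable = true;                     /* INI reset restores the php.ini value */
    allocator_shutdown();                      /* allocator releases request memory */
    return cwd_is_dangling();                  /* next request: stale pointer? */
}
```

With `fixed` false the second request inherits a pointer into released memory; with `fixed` true the cache is cleared regardless of the INI value at shutdown time.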
The fix for this bug has been committed.
Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.