Bug #71982 Segmentation fault
Submitted: 2016-04-07 09:28 UTC Modified: 2019-03-31 04:22 UTC
Votes: 4
Avg. Score: 3.5 ± 0.9
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: s dot chernomor at gmail dot com
Assigned:
Status: No Feedback
Package: PCRE related
PHP Version: 7.0.5
OS: centos7
Private report: No
CVE-ID: None
 [2016-04-07 09:28 UTC] s dot chernomor at gmail dot com
Description:
------------
I see many segmentation faults in apache's error_log. They occur periodically, one after another. But there are no errors in the logs on the proxy (nginx) which passes requests to apache. It seems the segfault occurs when the apache process is shutting down.
 
# gdb   /usr/sbin/httpd  /tmp/core.8181
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-80.el7
This GDB was configured as "x86_64-redhat-linux-gnu".
Reading symbols from /usr/sbin/httpd...Reading symbols from /usr/lib/debug/usr/sbin/httpd.debug...done.
done.
[New LWP 8181]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/httpd -DFOREGROUND'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f5abf812d93 in sljit_remove_free_block (free_block=0x7f5abfabc580, free_block=0x7f5abfabc580) at sljit/sljitExecAllocator.c:165
165                     free_block->next->prev = free_block->prev;
Missing separate debuginfos, use: debuginfo-install apr-1.4.8-3.el7.x86_64 apr-util-1.5.2-6.el7.x86_64 aspell-0.60.6.1-9.el7.x86_64 bzip2-libs-1.0.6-13.el7.x86_64 cyrus-sasl-lib-2.1.26-20.el7_2.x86_64 elfutils-libelf-0.163-3.el7.x86_64 elfutils-libs-0.163-3.el7.x86_64 enchant-1.6.0-8.el7.x86_64 expat-2.1.0-8.el7.x86_64 fontconfig-2.10.95-7.el7.x86_64 freetype-2.4.11-11.el7.x86_64 gd-sj-2.1.0-1.el7.centos.x86_64 glib2-2.42.2-5.el7.x86_64 glibc-2.17-106.el7_2.4.x86_64 jbigkit-libs-2.0-11.el7.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.13.2-10.el7.x86_64 libX11-1.6.3-2.el7.x86_64 libXau-1.0.8-2.1.el7.x86_64 libXpm-3.5.11-3.el7.x86_64 libattr-2.4.46-12.el7.x86_64 libcap-2.22-8.el7.x86_64 libcom_err-1.42.9-7.el7.x86_64 libcurl-7.29.0-25.el7.centos.x86_64 libdb-5.3.21-19.el7.x86_64 libgcc-4.8.5-4.el7.x86_64 libgcrypt-1.5.3-12.el7_1.1.x86_64 libgpg-error-1.12-3.el7.x86_64 libicu-50.1.2-15.el7.x86_64 libidn-1.28-4.el7.x86_64 libjpeg-turbo-1.2.90-5.el7.x86_64 libpng-1.5.13-7.el7_2.x86_64 libselinux-2.2.2-6.el7.x86_64 libssh2-1.4.3-10.el7_2.1.x86_64 libstdc++-4.8.5-4.el7.x86_64 libtiff-4.0.3-14.el7.x86_64 libuuid-2.23.2-26.el7.x86_64 libxcb-1.11-4.el7.x86_64 libxml2-2.9.1-6.el7_2.2.x86_64 libxslt-1.1.28-5.el7.x86_64 mod_realdoc-0.0-20141020.1f9cbed.3.el7.centos.x86_64 nspr-4.10.8-2.el7_1.x86_64 nss-3.19.1-19.el7_2.x86_64 nss-softokn-freebl-3.16.2.3-13.el7_1.x86_64 nss-util-3.19.1-9.el7_2.x86_64 openldap-2.4.40-8.el7.x86_64 openssl-libs-1.0.1e-51.el7_2.4.x86_64 systemd-libs-219-19.el7_2.4.x86_64 xz-libs-5.1.2-12alpha.el7.x86_64 zlib-1.2.7-15.el7.x86_64
(gdb) 
(gdb) 
(gdb) 
(gdb) where 
#0  0x00007f5abf812d93 in sljit_remove_free_block (free_block=0x7f5abfabc580, free_block=0x7f5abfabc580) at sljit/sljitExecAllocator.c:165
#1  sljit_free_exec (ptr=0x7f5abfabb010) at sljit/sljitExecAllocator.c:273
#2  0x00007f5abf82fd2a in sljit_free_code (code=<optimized out>) at sljit/sljitLir.c:397
#3  _pcre_jit_free (executable_funcs=0x7f5ac0a7f370) at pcre_jit_compile.c:8419
#4  0x00007f5abf83188c in pcre_free_study (extra=0x7f5ac0a7e9f0) at pcre_study.c:1557
#5  0x00007f5ab94b7e53 in php_free_pcre_cache (data=<optimized out>) at /usr/src/debug/php-7.0.5/ext/pcre/php_pcre.c:108
#6  0x00007f5ab97f4881 in zend_hash_destroy (ht=0x7f5aba115920 <pcre_globals>) at /usr/src/debug/php-7.0.5/Zend/zend_hash.c:1284
#7  0x00007f5ab97eaa49 in module_destructor (module=module@entry=0x7f5ac07c0b00) at /usr/src/debug/php-7.0.5/Zend/zend_API.c:2516
#8  0x00007f5ab97e35fc in module_destructor_zval (zv=<optimized out>) at /usr/src/debug/php-7.0.5/Zend/zend.c:615
#9  0x00007f5ab97f53a8 in _zend_hash_del_el_ex (prev=<optimized out>, p=<optimized out>, idx=<optimized out>, ht=<optimized out>) at /usr/src/debug/php-7.0.5/Zend/zend_hash.c:1026
#10 _zend_hash_del_el (p=0x7f5ac07db830, idx=4, ht=0x7f5aba11c620 <module_registry>) at /usr/src/debug/php-7.0.5/Zend/zend_hash.c:1050
#11 zend_hash_graceful_reverse_destroy (ht=ht@entry=0x7f5aba11c620 <module_registry>) at /usr/src/debug/php-7.0.5/Zend/zend_hash.c:1502
#12 0x00007f5ab97e8e8c in zend_destroy_modules () at /usr/src/debug/php-7.0.5/Zend/zend_API.c:1984
#13 0x00007f5ab97e4565 in zend_shutdown () at /usr/src/debug/php-7.0.5/Zend/zend.c:840
#14 0x00007f5ab97893fb in php_module_shutdown () at /usr/src/debug/php-7.0.5/main/main.c:2355
#15 0x00007f5ab97894b9 in php_module_shutdown_wrapper (sapi_globals=<optimized out>) at /usr/src/debug/php-7.0.5/main/main.c:2323
#16 0x00007f5ab986a1b1 in php_apache_child_shutdown (tmp=<optimized out>) at /usr/src/debug/php-7.0.5/sapi/apache2handler/sapi_apache2.c:399
#17 0x00007f5abe9691ae in apr_pool_destroy () from /lib64/libapr-1.so.0
#18 0x00007f5abb6d223c in clean_child_exit (code=code@entry=0) at prefork.c:221
#19 0x00007f5abb6d26e7 in child_main (child_num_arg=child_num_arg@entry=35) at prefork.c:728
#20 0x00007f5abb6d2a55 in make_child (s=0x7f5ac060d320, slot=35) at prefork.c:810
#21 0x00007f5abb6d36ee in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:912
#22 prefork_run (_pconf=<optimized out>, plog=<optimized out>, s=<optimized out>) at prefork.c:1100
#23 0x00007f5abfc965ae in ap_run_mpm (pconf=pconf@entry=0x7f5ac05e4138, plog=0x7f5ac0611358, s=0x7f5ac060d320) at mpm_common.c:96
#24 0x00007f5abfc8fb36 in main (argc=2, argv=0x7ffdeb58b828) at main.c:777
(gdb)
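A triage helper for backtraces like the one above, added here as an example and not part of the bug report or of PHP itself: it parses gdb "where" output (including the continuation lines gdb emits for long frames), checks whether the trace carries the signature seen in this report (sljit_remove_free_block reached via _pcre_jit_free and php_free_pcre_cache during php_module_shutdown), and pulls the PHP version out of the debug source paths. The sample trace is constructed, modelled on the report's frames with fake addresses.

```python
"""Added example (not from the bug report): parse gdb 'where' output and
flag PCRE JIT code being freed from the pcre cache at PHP shutdown."""
import re

# "#N  [0xADDR in ]func (args) at file:line"  or  "... from lib.so"
FRAME_RE = re.compile(
    r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?([A-Za-z_][\w.]*)\s*\(.*\)\s+(?:at|from)\s+(\S+)")
PHP_SRC_RE = re.compile(r"/php-(\d+\.\d+\.\d+)/")
SIGNATURE = ("sljit_remove_free_block", "_pcre_jit_free",  # innermost first
             "php_free_pcre_cache", "php_module_shutdown")

# Constructed sample modelled on the report's traces (addresses are fake).
SAMPLE = """\
#0  0x00001111 in sljit_remove_free_block (free_block=0x2222) at sljit/sljitExecAllocator.c:165
#1  sljit_free_exec (ptr=0x3333) at sljit/sljitExecAllocator.c:273
#3  _pcre_jit_free (executable_funcs=0x5555) at pcre_jit_compile.c:8419
#5  0x00008888 in php_free_pcre_cache (data=<optimized out>) at /usr/src/debug/php-7.0.10/ext/pcre/php_pcre.c:113
#6  0x00009999 in _zend_hash_del_el_ex (prev=<optimized out>, ht=<optimized out>)
    at /usr/src/debug/php-7.0.10/Zend/zend_hash.c:1026
#7  0x0000aaaa in php_module_shutdown () at /usr/src/debug/php-7.0.10/main/main.c:2362
#8  0x0000bbbb in apr_pool_destroy () from /lib64/libapr-1.so.0
"""

def parse_backtrace(text):
    """Return [(frame_no, function, location)]; joins gdb's wrapped 'at' lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            lines.append(raw)
        elif lines and raw[:1].isspace():
            lines[-1] += " " + raw.strip()
    found = [FRAME_RE.match(l) for l in lines]
    return [(int(m.group(1)), m.group(2), m.group(3)) for m in found if m]

def matches_pcre_jit_shutdown(frames):
    """True if SIGNATURE occurs, in order, among the frame function names."""
    funcs = [f for _, f, _ in frames]
    pos = 0
    for name in SIGNATURE:
        if name not in funcs[pos:]:
            return False
        pos = funcs.index(name, pos) + 1
    return True

def php_version(frames):
    """PHP source version from the debug paths (None if not present)."""
    for _, _, loc in frames:
        m = PHP_SRC_RE.search(loc)
        if m:
            return m.group(1)
    return None
```

Feed it the `where` output of each core dump to tell this crash signature apart from unrelated shutdown faults before comparing PHP and PCRE versions.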


 [2016-04-08 07:38 UTC] s dot chernomorets at gmail dot com
pcre.jit=0 solves this problem
 [2016-08-20 13:26 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2016-08-20 13:26 UTC] cmb@php.net
What's your PCRE_VERSION?
 [2016-08-20 17:50 UTC] s dot chernomorets at gmail dot com
pcre

PCRE (Perl Compatible Regular Expressions) Support => enabled
PCRE Library Version => 8.38 2015-11-23
PCRE JIT Support => enabled

Directive => Local Value => Master Value
pcre.backtrack_limit => 1000000 => 1000000
pcre.jit => 0 => 0
pcre.recursion_limit => 100000 => 100000


pcre-8.32-15.el7.x86_64
 [2016-08-21 10:28 UTC] cmb@php.net
> PCRE Library Version => 8.38 2015-11-23

Thanks.  That version should be fine.

I assume that the segfault caused by sljit_remove_free_block ()
occurred due to the JIT stack being too small. That has been
corrected as of PHP 7.0.6[1], so please try with a newer version
and pcre.jit=1.

[1] <https://github.com/php/php-src/commit/e23a4122>
 [2016-08-22 08:03 UTC] s dot chernomorets at gmail dot com
httpd-2.4.6-40.el7.centos.4.x86_64
pcre-8.32-15.el7_2.1.x86_64

php-7.0.10


# gdb   /usr/sbin/httpd  /tmp/core.31035 
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-80.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/httpd...Reading symbols from /usr/lib/debug/usr/sbin/httpd.debug...done.
done.
[New LWP 31035]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/httpd -DFOREGROUND'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f02e0d53f23 in sljit_remove_free_block (free_block=0x7f02d178ad38, free_block=0x7f02d178ad38) at sljit/sljitExecAllocator.c:165
165                     free_block->next->prev = free_block->prev;
(gdb) 
(gdb) 
(gdb) 
(gdb) where
#0  0x00007f02e0d53f23 in sljit_remove_free_block (free_block=0x7f02d178ad38, free_block=0x7f02d178ad38) at sljit/sljitExecAllocator.c:165
#1  sljit_free_exec (ptr=0x7f02d178ab10) at sljit/sljitExecAllocator.c:273
#2  0x00007f02e0d70eba in sljit_free_code (code=<optimized out>) at sljit/sljitLir.c:397
#3  _pcre_jit_free (executable_funcs=0x7f02e1dcff50) at pcre_jit_compile.c:8419
#4  0x00007f02e0d72a1c in pcre_free_study (extra=0x7f02e205e9b0) at pcre_study.c:1557
#5  0x00007f02da9ecfc3 in php_free_pcre_cache (data=<optimized out>) at /usr/src/debug/php-7.0.10/ext/pcre/php_pcre.c:113
#6  0x00007f02dad312e1 in zend_hash_destroy (ht=0x7f02db655720 <pcre_globals>) at /usr/src/debug/php-7.0.10/Zend/zend_hash.c:1284
#7  0x00007f02da9ecf49 in zm_globals_dtor_pcre (pcre_globals=<optimized out>) at /usr/src/debug/php-7.0.10/ext/pcre/php_pcre.c:136
#8  0x00007f02dad274a9 in module_destructor (module=module@entry=0x7f02e1cfae30) at /usr/src/debug/php-7.0.10/Zend/zend_API.c:2516
#9  0x00007f02dad1fffc in module_destructor_zval (zv=<optimized out>) at /usr/src/debug/php-7.0.10/Zend/zend.c:615
#10 0x00007f02dad31e08 in _zend_hash_del_el_ex (prev=<optimized out>, p=<optimized out>, idx=<optimized out>, ht=<optimized out>)
    at /usr/src/debug/php-7.0.10/Zend/zend_hash.c:1026
#11 _zend_hash_del_el (p=0x7f02e1d15c00, idx=4, ht=0x7f02db65c440 <module_registry>) at /usr/src/debug/php-7.0.10/Zend/zend_hash.c:1050
#12 zend_hash_graceful_reverse_destroy (ht=ht@entry=0x7f02db65c440 <module_registry>) at /usr/src/debug/php-7.0.10/Zend/zend_hash.c:1502
#13 0x00007f02dad258cc in zend_destroy_modules () at /usr/src/debug/php-7.0.10/Zend/zend_API.c:1984
#14 0x00007f02dad20f65 in zend_shutdown () at /usr/src/debug/php-7.0.10/Zend/zend.c:840
#15 0x00007f02dacc5a6b in php_module_shutdown () at /usr/src/debug/php-7.0.10/main/main.c:2362
#16 0x00007f02dacc5b29 in php_module_shutdown_wrapper (sapi_globals=<optimized out>) at /usr/src/debug/php-7.0.10/main/main.c:2330
#17 0x00007f02dada7681 in php_apache_child_shutdown (tmp=<optimized out>) at /usr/src/debug/php-7.0.10/sapi/apache2handler/sapi_apache2.c:399
#18 0x00007f02dfeaa1ae in apr_pool_destroy () from /lib64/libapr-1.so.0
#19 0x00007f02dcc1223c in clean_child_exit (code=code@entry=0) at prefork.c:221
#20 0x00007f02dcc126e7 in child_main (child_num_arg=child_num_arg@entry=17) at prefork.c:728
#21 0x00007f02dcc12a55 in make_child (s=0x7f02e1b40320, slot=slot@entry=17) at prefork.c:810
#22 0x00007f02dcc12ab6 in startup_children (number_to_start=83) at prefork.c:828
#23 0x00007f02dcc137c0 in prefork_run (_pconf=<optimized out>, plog=0x7f02e1b44358, s=0x7f02e1b40320) at prefork.c:986
#24 0x00007f02e11d75be in ap_run_mpm (pconf=pconf@entry=0x7f02e1b17138, plog=0x7f02e1b44358, s=0x7f02e1b40320) at mpm_common.c:96
#25 0x00007f02e11d0b46 in main (argc=2, argv=0x7ffcd95b0788) at main.c:777
 [2016-08-22 08:10 UTC] s dot chernomorets at gmail dot com
Max stack size = 10240000
 [2016-08-22 08:13 UTC] cmb@php.net
-Status: Feedback +Status: Open -Assigned To: cmb +Assigned To:
 [2016-08-22 08:13 UTC] cmb@php.net
> pcre-8.32-15.el7_2.1.x86_64

Hm, PCRE 8.32 was released 2012-11-30. I don't know which
fixes have been applied to -15.el7_2.1, but those fixes may not
have been sufficient.
 [2016-08-22 09:49 UTC] s dot chernomorets at gmail dot com
I upgraded pcre to the latest version, 8.39 - no change:



gdb   /usr/sbin/httpd  /tmp/core.18488      
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-80.el7
This GDB was configured as "x86_64-redhat-linux-gnu".
Reading symbols from /usr/sbin/httpd...Reading symbols from /usr/lib/debug/usr/sbin/httpd.debug...done.
done.
[New LWP 18488]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/httpd -DFOREGROUND'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fa8f979bc03 in sljit_remove_free_block (free_block=0x7fa8f9a50d38, free_block=0x7fa8f9a50d38) at sljit/sljitExecAllocator.c:165
165                     free_block->next->prev = free_block->prev;
Missing separate debuginfos, use: ..........
(gdb) 
(gdb) where
#0  0x00007fa8f979bc03 in sljit_remove_free_block (free_block=0x7fa8f9a50d38, free_block=0x7fa8f9a50d38) at sljit/sljitExecAllocator.c:165
#1  sljit_free_exec (ptr=0x7fa8f9a50538) at sljit/sljitExecAllocator.c:273
#2  0x00007fa8f97c3796 in sljit_free_code (code=<optimized out>) at sljit/sljitLir.c:460
#3  _pcre_jit_free (executable_funcs=0x7fa8fadba040) at pcre_jit_compile.c:11567
#4  0x00007fa8f97c55cc in pcre_free_study (extra=0x7fa8fabd6f90) at pcre_study.c:1681
#5  0x00007fa8f3433fc3 in php_free_pcre_cache (data=<optimized out>) at /usr/src/debug/php-7.0.10/ext/pcre/php_pcre.c:113
#6  0x00007fa8f37782e1 in zend_hash_destroy (ht=0x7fa8f409c720 <pcre_globals>) at /usr/src/debug/php-7.0.10/Zend/zend_hash.c:1284
#7  0x00007fa8f3433f49 in zm_globals_dtor_pcre (pcre_globals=<optimized out>) at /usr/src/debug/php-7.0.10/ext/pcre/php_pcre.c:136
#8  0x00007fa8f376e4a9 in module_destructor (module=module@entry=0x7fa8fab038c0) at /usr/src/debug/php-7.0.10/Zend/zend_API.c:2516
.............
 [2019-03-18 16:47 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2019-03-18 16:47 UTC] nikic@php.net
PCRE bug triage: Are you still experiencing this problem? The stack trace doesn't look familiar to me, but this might have been fixed in the meantime.
 [2019-03-31 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.