|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72955 PHP periodically crashes
Submitted: 2016-08-28 18:17 UTC Modified: 2021-06-20 04:22 UTC
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: nikolay at rockstonedev dot com Assigned: cmb (profile)
Status: No Feedback Package: Reproducible crash
PHP Version: 7.0.10 OS: Gentoo
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2016-08-28 18:17 UTC] nikolay at rockstonedev dot com
PHP periodically crashes if php_admin_value doc_root is set in Apache's VirtualHost

host ~ uname -a
Linux host 4.7.2-gentoo #1 SMP Sun Aug 21 23:13:05 MSK 2016 x86_64 Intel(R) Core(TM)2 Quad CPU Q9650 @ 3.00GHz GenuineIntel GNU/Linux

host ~ # php -v
PHP 7.0.10-pl0-gentoo (cli) (built: Aug 27 2016 00:43:02) ( ZTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.10-pl0-gentoo, Copyright (c) 1999-2016, by Zend Technologies

host ~ # apache2 -v
Server version: Apache/2.4.23 (Unix)
Server built:   Aug 27 2016 00:30:31

VirtualHost entry:
<VirtualHost *>
        php_admin_flag engine on
        php_admin_value doc_root /home/localhost/www/
        php_admin_value open_basedir /home/localhost/:/usr/sbin/sendmail
        php_admin_value sys_temp_dir /home/localhost/tmp/
        php_admin_value error_log /home/localhost/logs/php_errors.log

        ErrorLog /home/localhost/logs/apache_error_log
        ServerAdmin admin@localhost
        DocumentRoot "/home/localhost/www/"

PHP build with:
CFLAGS="-march=native -mtune=native -O0 -ggdb -pipe" CXXFLAGS="-march=native -mtune=native -O0 -ggdb -pipe" emerge -1 dev-lang/php

PHP configured as:
./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --docdir=/usr/share/doc/php-7.0.10 --htmldir=/usr/share/doc/php-7.0.10/html --prefix=/usr/lib64/php7.0 --mandir=/usr/lib64/php7.0/man --infodir=/usr/lib64/php7.0/info --libdir=/usr/lib64/php7.0/lib --with-libdir=lib64 --localstatedir=/var --without-pear --enable-maintainer-zts --disable-bcmath --with-bz2=/usr --disable-calendar --enable-ctype --with-curl=/usr --enable-dom --without-enchant --disable-exif --enable-fileinfo --enable-filter --disable-ftp --with-gettext=/usr --with-gmp=/usr --enable-hash --without-mhash --with-iconv --disable-intl --enable-ipv6 --enable-json --without-kerberos --enable-libxml --with-libxml-dir=/usr --enable-mbstring --with-mcrypt=/usr --with-onig=/usr --with-openssl=/usr --with-openssl-dir=/usr --disable-pcntl --enable-phar --disable-pdo --enable-opcache --without-pgsql --enable-posix --without-pspell --without-recode --enable-simplexml --disable-shmop --without-snmp --disable-soap --enable-sockets --without-sqlite3 --disable-sysvmsg --disable-sysvsem --disable-sysvshm --without-fpm-systemd --without-tidy --enable-tokenizer --disable-wddx --enable-xml --disable-xmlreader --disable-xmlwriter --without-xmlrpc --without-xsl --disable-zip --with-zlib=/usr --enable-debug --without-cdb --without-db4 --disable-flatfile --without-gdbm --disable-inifile --without-qdbm --with-freetype-dir=/usr --disable-gd-jis-conv --with-jpeg-dir=/usr --with-png-dir=/usr --without-xpm-dir --with-gd --without-interbase --with-mysqli=mysqlnd --with-mysql-sock=/var/run/mysqld/mysqld.sock --without-unixODBC --without-iodbc --without-oci8 --with-readline=/usr --without-libedit --without-mm --with-pic --with-pcre-regex=/usr --with-pcre-dir=/usr --with-config-file-path=/etc/php/cli-php7.0 --with-config-file-scan-dir=/etc/php/cli-php7.0/ext-active --disable-embed --enable-cli --disable-cgi --disable-fpm --without-apxs2 --disable-phpdbg

Expected result:
No segfaults

Actual result:
(gdb) bt
#0  0x00002af6ba703a9b in zend_mm_free_heap (heap=0x2af6f1400040, ptr=0x8dcd80, __zend_filename=0x2af6bad3a8a0 "/var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_string.h", __zend_lineno=271,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_alloc.c:1406
#1  0x00002af6ba7065df in _efree (ptr=0x8dcd80, __zend_filename=0x2af6bad3a8a0 "/var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_string.h", __zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_alloc.c:2466
#2  0x00002af6ba75a765 in zend_string_release (s=0x8dcd80) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_string.h:271
#3  0x00002af6ba75e382 in _zend_hash_del_el_ex (ht=0x2af6f1401000, idx=1, p=0x2af6f146ee60, prev=0x0) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_hash.c:1020
#4  0x00002af6ba75e4c5 in _zend_hash_del_el (ht=0x2af6f1401000, idx=1, p=0x2af6f146ee60) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_hash.c:1050
#5  0x00002af6ba75f926 in zend_hash_apply (ht=0x2af6f1401000, apply_func=0x2af6ba76de23 <zend_restore_ini_entry_wrapper>) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_hash.c:1537
#6  0x00002af6ba76e0e6 in zend_ini_deactivate () at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_ini.c:142
#7  0x00002af6ba745466 in zend_deactivate () at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend.c:970
#8  0x00002af6ba67faf6 in php_request_shutdown (dummy=0x0) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/main/main.c:1833
#9  0x00002af6ba81e7cf in php_apache_request_dtor (r=0x2af71c0e5508) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/sapi/apache2handler/sapi_apache2.c:518
#10 0x00002af6ba81f3e1 in php_handler (r=0x2af71c0e5508) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/sapi/apache2handler/sapi_apache2.c:690
#11 0x0000000000448102 in ap_run_handler (r=r@entry=0x2af71c0e5508) at config.c:170
#12 0x00000000004485bc in ap_invoke_handler (r=r@entry=0x2af71c0e5508) at config.c:434
#13 0x000000000045bc3b in ap_internal_redirect (new_uri=<optimized out>, r=r@entry=0x2af71c0e8660) at http_request.c:730
#14 0x00002af6b9b3d15b in handler_redirect (r=0x2af71c0e8660) at mod_rewrite.c:5209
#15 0x0000000000448102 in ap_run_handler (r=r@entry=0x2af71c0e8660) at config.c:170
#16 0x00000000004485bc in ap_invoke_handler (r=r@entry=0x2af71c0e8660) at config.c:434
#17 0x000000000045c433 in ap_process_async_request (r=r@entry=0x2af71c0e8660) at http_request.c:410
#18 0x0000000000458e20 in ap_process_http_async_connection (c=0x2af6c4039538) at http_core.c:154
#19 0x0000000000458fa8 in ap_process_http_connection (c=<optimized out>) at http_core.c:248
#20 0x0000000000450c2e in ap_run_process_connection (c=c@entry=0x2af6c4039538) at connection.c:42
#21 0x0000000000461a7e in process_socket (thd=thd@entry=0x8c2ba8, p=0x2af6c4039218, sock=0x2af6c40392a0, cs=0x2af6c40394a8, my_child_num=my_child_num@entry=1, my_thread_num=my_thread_num@entry=17) at event.c:1102
#22 0x0000000000462e8a in worker_thread (thd=0x8c2ba8, dummy=<optimized out>) at event.c:1963
#23 0x00002af6b7b46434 in start_thread () from /lib64/
#24 0x00002af6b8046aed in clone () from /lib64/

Some info about local vars:
(gdb) frame 0
#0  0x00002af6ba703a9b in zend_mm_free_heap (heap=0x2af6f1400040, ptr=0x8dcd80, __zend_filename=0x2af6bad3a8a0 "/var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_string.h", __zend_lineno=271,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_alloc.c:1406
1406                    zend_mm_page_info info = chunk->map[page_num];
(gdb) p page_offset
$64 = 904576
(gdb) p page_num
$65 = 220
(gdb) p heap
$66 = (zend_mm_heap *) 0x2af6f1400040
(gdb) p ptr
$67 = (void *) 0x8dcd80
(gdb) p (char*) ((zend_string*)ptr)->val
$68 = 0x8dcd98 "doc_root"
(gdb) p chunk
$69 = (zend_mm_chunk *) 0x800000

Script issued 301 redirect:
(gdb) frame 10
#10 0x00002af6ba81f3e1 in php_handler (r=0x2af71c0e5508) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/sapi/apache2handler/sapi_apache2.c:690
690                     php_apache_request_dtor(r);
(gdb) p r->handler
$1 = 0x8e58b0 "application/x-httpd-php"
(gdb) p r->uri
$2 = 0x2af71c0e5850 "/user/index.php"
(gdb) p ctx->r->status
$3 = 301


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-29 03:47 UTC]
I can not reproduce this, maybe you could start httpd with

valgrind httpd -X  

then try to trigger the error, and see what is outputted by valgrind.

 [2016-08-29 11:46 UTC] nikolay at rockstonedev dot com
"Periodically" means about in 1 case from 100 000 requests.
I can't run it with valgrind because this is a production server.

But isn't local vars output help you to find the problem?

(gdb) p chunk
$69 = (zend_mm_chunk *) 0x800000

Address 0x800000 isn't valid for chunk and access to it gives us segfault.

But it calculates right from
(gdb) p (char*) ((zend_string*)ptr)->val
$68 = 0x8dcd98 "doc_root"

0x8dcd98 "doc_root" is fully valid allocated address.

#define ZEND_MM_ALIGNED_BASE(size, alignment) \
	(((size_t)(size)) & ~((alignment) - 1))

zend_mm_chunk *chunk = (zend_mm_chunk*)ZEND_MM_ALIGNED_BASE(ptr, ZEND_MM_CHUNK_SIZE);

0x8dcd98 & ~(0x200000 - 1) = 0x800000
 [2017-08-01 09:54 UTC] jerry at jmweb dot net
This may be related to

How sure are you that the crash is a result from 'php_admin_value doc_root'? In my case, the crash is from 'php_admin_value open_basedir' which you also set. I had to run Apache bench to trigger the crash since it too is periodic.
 [2017-09-05 03:11 UTC] jerry at jmweb dot net
I have been running my install with "php_admin_value open_basedir" removed and I am still seeing these crashes. So, perhaps it is a result from setting Document Root on VirtualHosts. The difference between my setup and nikolay's is that I set Document Root directly through Apache's DocumentRoot directive - I do not use php_admin_value doc_root for that.

This is a production server and I really need a fix for this. What information can I provide to help a developer troubleshoot this?

Nikolay, are you still seeing these crashes?
 [2021-06-09 14:44 UTC]
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-06-09 14:44 UTC]
Is this still an issue with any of the actively supported PHP

[1] <>
 [2021-06-20 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun May 22 00:03:42 2022 UTC