|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72955 PHP periodically crashes
Submitted: 2016-08-28 18:17 UTC Modified: 2016-08-29 03:47 UTC
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: nikolay at rockstonedev dot com Assigned:
Status: Open Package: Reproducible crash
PHP Version: 7.0.10 OS: Gentoo
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2016-08-28 18:17 UTC] nikolay at rockstonedev dot com
PHP periodically crashes if php_admin_value doc_root is set in Apache's VirtualHost

host ~ uname -a
Linux host 4.7.2-gentoo #1 SMP Sun Aug 21 23:13:05 MSK 2016 x86_64 Intel(R) Core(TM)2 Quad CPU Q9650 @ 3.00GHz GenuineIntel GNU/Linux

host ~ # php -v
PHP 7.0.10-pl0-gentoo (cli) (built: Aug 27 2016 00:43:02) ( ZTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.10-pl0-gentoo, Copyright (c) 1999-2016, by Zend Technologies

host ~ # apache2 -v
Server version: Apache/2.4.23 (Unix)
Server built:   Aug 27 2016 00:30:31

VirtualHost entry:
<VirtualHost *>
        php_admin_flag engine on
        php_admin_value doc_root /home/localhost/www/
        php_admin_value open_basedir /home/localhost/:/usr/sbin/sendmail
        php_admin_value sys_temp_dir /home/localhost/tmp/
        php_admin_value error_log /home/localhost/logs/php_errors.log

        ErrorLog /home/localhost/logs/apache_error_log
        ServerAdmin admin@localhost
        DocumentRoot "/home/localhost/www/"

PHP build with:
CFLAGS="-march=native -mtune=native -O0 -ggdb -pipe" CXXFLAGS="-march=native -mtune=native -O0 -ggdb -pipe" emerge -1 dev-lang/php

PHP configured as:
./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --docdir=/usr/share/doc/php-7.0.10 --htmldir=/usr/share/doc/php-7.0.10/html --prefix=/usr/lib64/php7.0 --mandir=/usr/lib64/php7.0/man --infodir=/usr/lib64/php7.0/info --libdir=/usr/lib64/php7.0/lib --with-libdir=lib64 --localstatedir=/var --without-pear --enable-maintainer-zts --disable-bcmath --with-bz2=/usr --disable-calendar --enable-ctype --with-curl=/usr --enable-dom --without-enchant --disable-exif --enable-fileinfo --enable-filter --disable-ftp --with-gettext=/usr --with-gmp=/usr --enable-hash --without-mhash --with-iconv --disable-intl --enable-ipv6 --enable-json --without-kerberos --enable-libxml --with-libxml-dir=/usr --enable-mbstring --with-mcrypt=/usr --with-onig=/usr --with-openssl=/usr --with-openssl-dir=/usr --disable-pcntl --enable-phar --disable-pdo --enable-opcache --without-pgsql --enable-posix --without-pspell --without-recode --enable-simplexml --disable-shmop --without-snmp --disable-soap --enable-sockets --without-sqlite3 --disable-sysvmsg --disable-sysvsem --disable-sysvshm --without-fpm-systemd --without-tidy --enable-tokenizer --disable-wddx --enable-xml --disable-xmlreader --disable-xmlwriter --without-xmlrpc --without-xsl --disable-zip --with-zlib=/usr --enable-debug --without-cdb --without-db4 --disable-flatfile --without-gdbm --disable-inifile --without-qdbm --with-freetype-dir=/usr --disable-gd-jis-conv --with-jpeg-dir=/usr --with-png-dir=/usr --without-xpm-dir --with-gd --without-interbase --with-mysqli=mysqlnd --with-mysql-sock=/var/run/mysqld/mysqld.sock --without-unixODBC --without-iodbc --without-oci8 --with-readline=/usr --without-libedit --without-mm --with-pic --with-pcre-regex=/usr --with-pcre-dir=/usr --with-config-file-path=/etc/php/cli-php7.0 --with-config-file-scan-dir=/etc/php/cli-php7.0/ext-active --disable-embed --enable-cli --disable-cgi --disable-fpm --without-apxs2 --disable-phpdbg

Expected result:
No segfaults

Actual result:
(gdb) bt
#0  0x00002af6ba703a9b in zend_mm_free_heap (heap=0x2af6f1400040, ptr=0x8dcd80, __zend_filename=0x2af6bad3a8a0 "/var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_string.h", __zend_lineno=271,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_alloc.c:1406
#1  0x00002af6ba7065df in _efree (ptr=0x8dcd80, __zend_filename=0x2af6bad3a8a0 "/var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_string.h", __zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_alloc.c:2466
#2  0x00002af6ba75a765 in zend_string_release (s=0x8dcd80) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_string.h:271
#3  0x00002af6ba75e382 in _zend_hash_del_el_ex (ht=0x2af6f1401000, idx=1, p=0x2af6f146ee60, prev=0x0) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_hash.c:1020
#4  0x00002af6ba75e4c5 in _zend_hash_del_el (ht=0x2af6f1401000, idx=1, p=0x2af6f146ee60) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_hash.c:1050
#5  0x00002af6ba75f926 in zend_hash_apply (ht=0x2af6f1401000, apply_func=0x2af6ba76de23 <zend_restore_ini_entry_wrapper>) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_hash.c:1537
#6  0x00002af6ba76e0e6 in zend_ini_deactivate () at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_ini.c:142
#7  0x00002af6ba745466 in zend_deactivate () at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend.c:970
#8  0x00002af6ba67faf6 in php_request_shutdown (dummy=0x0) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/main/main.c:1833
#9  0x00002af6ba81e7cf in php_apache_request_dtor (r=0x2af71c0e5508) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/sapi/apache2handler/sapi_apache2.c:518
#10 0x00002af6ba81f3e1 in php_handler (r=0x2af71c0e5508) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/sapi/apache2handler/sapi_apache2.c:690
#11 0x0000000000448102 in ap_run_handler (r=r@entry=0x2af71c0e5508) at config.c:170
#12 0x00000000004485bc in ap_invoke_handler (r=r@entry=0x2af71c0e5508) at config.c:434
#13 0x000000000045bc3b in ap_internal_redirect (new_uri=<optimized out>, r=r@entry=0x2af71c0e8660) at http_request.c:730
#14 0x00002af6b9b3d15b in handler_redirect (r=0x2af71c0e8660) at mod_rewrite.c:5209
#15 0x0000000000448102 in ap_run_handler (r=r@entry=0x2af71c0e8660) at config.c:170
#16 0x00000000004485bc in ap_invoke_handler (r=r@entry=0x2af71c0e8660) at config.c:434
#17 0x000000000045c433 in ap_process_async_request (r=r@entry=0x2af71c0e8660) at http_request.c:410
#18 0x0000000000458e20 in ap_process_http_async_connection (c=0x2af6c4039538) at http_core.c:154
#19 0x0000000000458fa8 in ap_process_http_connection (c=<optimized out>) at http_core.c:248
#20 0x0000000000450c2e in ap_run_process_connection (c=c@entry=0x2af6c4039538) at connection.c:42
#21 0x0000000000461a7e in process_socket (thd=thd@entry=0x8c2ba8, p=0x2af6c4039218, sock=0x2af6c40392a0, cs=0x2af6c40394a8, my_child_num=my_child_num@entry=1, my_thread_num=my_thread_num@entry=17) at event.c:1102
#22 0x0000000000462e8a in worker_thread (thd=0x8c2ba8, dummy=<optimized out>) at event.c:1963
#23 0x00002af6b7b46434 in start_thread () from /lib64/
#24 0x00002af6b8046aed in clone () from /lib64/

Some info about local vars:
(gdb) frame 0
#0  0x00002af6ba703a9b in zend_mm_free_heap (heap=0x2af6f1400040, ptr=0x8dcd80, __zend_filename=0x2af6bad3a8a0 "/var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_string.h", __zend_lineno=271,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/Zend/zend_alloc.c:1406
1406                    zend_mm_page_info info = chunk->map[page_num];
(gdb) p page_offset
$64 = 904576
(gdb) p page_num
$65 = 220
(gdb) p heap
$66 = (zend_mm_heap *) 0x2af6f1400040
(gdb) p ptr
$67 = (void *) 0x8dcd80
(gdb) p (char*) ((zend_string*)ptr)->val
$68 = 0x8dcd98 "doc_root"
(gdb) p chunk
$69 = (zend_mm_chunk *) 0x800000

Script issued 301 redirect:
(gdb) frame 10
#10 0x00002af6ba81f3e1 in php_handler (r=0x2af71c0e5508) at /var/tmp/portage/dev-lang/php-7.0.10/work/sapis-build/apache2/sapi/apache2handler/sapi_apache2.c:690
690                     php_apache_request_dtor(r);
(gdb) p r->handler
$1 = 0x8e58b0 "application/x-httpd-php"
(gdb) p r->uri
$2 = 0x2af71c0e5850 "/user/index.php"
(gdb) p ctx->r->status
$3 = 301


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-29 03:47 UTC]
I can not reproduce this, maybe you could start httpd with

valgrind httpd -X  

then try to trigger the error, and see what is outputted by valgrind.

 [2016-08-29 11:46 UTC] nikolay at rockstonedev dot com
"Periodically" means about in 1 case from 100 000 requests.
I can't run it with valgrind because this is a production server.

But isn't local vars output help you to find the problem?

(gdb) p chunk
$69 = (zend_mm_chunk *) 0x800000

Address 0x800000 isn't valid for chunk and access to it gives us segfault.

But it calculates right from
(gdb) p (char*) ((zend_string*)ptr)->val
$68 = 0x8dcd98 "doc_root"

0x8dcd98 "doc_root" is fully valid allocated address.

#define ZEND_MM_ALIGNED_BASE(size, alignment) \
	(((size_t)(size)) & ~((alignment) - 1))

zend_mm_chunk *chunk = (zend_mm_chunk*)ZEND_MM_ALIGNED_BASE(ptr, ZEND_MM_CHUNK_SIZE);

0x8dcd98 & ~(0x200000 - 1) = 0x800000
 [2017-08-01 09:54 UTC] jerry at jmweb dot net
This may be related to

How sure are you that the crash is a result from 'php_admin_value doc_root'? In my case, the crash is from 'php_admin_value open_basedir' which you also set. I had to run Apache bench to trigger the crash since it too is periodic.
 [2017-09-05 03:11 UTC] jerry at jmweb dot net
I have been running my install with "php_admin_value open_basedir" removed and I am still seeing these crashes. So, perhaps it is a result from setting Document Root on VirtualHosts. The difference between my setup and nikolay's is that I set Document Root directly through Apache's DocumentRoot directive - I do not use php_admin_value doc_root for that.

This is a production server and I really need a fix for this. What information can I provide to help a developer troubleshoot this?

Nikolay, are you still seeing these crashes?
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat May 08 10:01:23 2021 UTC