Bug #73696 zend_mm_heap corrupted when enable opcache
Submitted: 2016-12-09 03:09 UTC Modified: 2020-12-20 04:22 UTC
Votes:4
Avg. Score:4.5 ± 0.9
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:1 (33.3%)
From: tianfenghan@php.net Assigned: cmb
Status: No Feedback Package: opcache
PHP Version: 7.0.14 OS: Ubuntu 16.04
Private report: No CVE-ID: None

 [2016-12-09 03:09 UTC] tianfenghan@php.net
Description:
------------
php.ini
----
zend_extension=opcache.so
opcache.enable_cli=on

No issues with opcache.enable_cli=0.

extension
----
opcache + swoole-1.9.1

php myprog.php
zend_mm_heap corrupted

disable zend mm
----
export USE_ZEND_ALLOC=0
php myprog.php
*** Error in `php': free(): invalid pointer: 0x00007fef61a98fb8 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fef6d4fb7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7fef6d503e0a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fef6d50798c]
php[0x7bcac5]
php(_zend_hash_str_update+0x1f0)[0x7bddb0]
php(add_assoc_bool_ex+0x4f)[0x7b2eef]
/opt/php/php-7/lib/php/extensions/no-debug-non-zts-20151012/swoole.so(+0x2f682)[0x7fef6581e682]
php[0x8355d2]
php(execute_ex+0x1b)[0x7f068b]
php(zend_execute+0x1a7)[0x844797]
php(zend_execute_scripts+0xc3)[0x7b0243]
php(php_execute_script+0x2d0)[0x74ff20]
php[0x846476]
php[0x441714]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fef6d4a4830]
php(_start+0x29)[0x441859]
======= Memory map: ========

gdb php core

(gdb) bt
#0  0x00007fef6d4b9428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007fef6d4bb02a in __GI_abort () at abort.c:89
#2  0x00007fef6d4fb7ea in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fef6d6142e0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007fef6d503e0a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7fef6d6110b2 "free(): invalid pointer", action=3) at malloc.c:5004
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3865
#5  0x00007fef6d50798c in __GI___libc_free (mem=<optimized out>) at malloc.c:2966
#6  0x00000000007bcac5 in zend_hash_do_resize (ht=ht@entry=0x7fef61a98f80) at /home/htf/workspace/php-7.0.14/Zend/zend_hash.c:893
#7  0x00000000007bddb0 in _zend_hash_add_or_update_i (flag=1, pData=0x7ffc12895a30, key=<optimized out>, ht=0x7fef61a98f80) at /home/htf/workspace/php-7.0.14/Zend/zend_hash.c:604
#8  _zend_hash_str_update (ht=ht@entry=0x7fef61a98f80, str=str@entry=0x7fef65858347 "open_mqtt_protocol", len=len@entry=18, pData=pData@entry=0x7ffc12895a30)
    at /home/htf/workspace/php-7.0.14/Zend/zend_hash.c:667
#9  0x00000000007b2eef in zend_symtable_str_update (pData=0x7ffc12895a30, len=18, str=0x7fef65858347 "open_mqtt_protocol", ht=0x7fef61a98f80)
    at /home/htf/workspace/php-7.0.14/Zend/zend_hash.h:407
#10 add_assoc_bool_ex (arg=arg@entry=0x13e2f80, key=key@entry=0x7fef65858347 "open_mqtt_protocol", key_len=key_len@entry=18, b=b@entry=0)
    at /home/htf/workspace/php-7.0.14/Zend/zend_API.c:1349
#11 0x00007fef6581e682 in zim_swoole_http_server_start (execute_data=0x7fef6f13d0e0, return_value=0x7fef6f13d0c0) at /home/htf/workspace/swoole/swoole_http_server.c:1368
#12 0x00000000008355d2 in ZEND_DO_FCALL_SPEC_HANDLER () at /home/htf/workspace/php-7.0.14/Zend/zend_vm_execute.h:842
#13 0x00000000007f068b in execute_ex (ex=<optimized out>) at /home/htf/workspace/php-7.0.14/Zend/zend_vm_execute.h:414
#14 0x0000000000844797 in zend_execute (op_array=0x142cb60, op_array@entry=0x7fef61a992b8, return_value=return_value@entry=0x7fef6f13d040)
    at /home/htf/workspace/php-7.0.14/Zend/zend_vm_execute.h:458
#15 0x00000000007b0243 in zend_execute_scripts (type=type@entry=8, retval=0x7fef6f13d040, retval@entry=0x0, file_count=file_count@entry=3)
    at /home/htf/workspace/php-7.0.14/Zend/zend.c:1437
#16 0x000000000074ff20 in php_execute_script (primary_file=primary_file@entry=0x7ffc12898100) at /home/htf/workspace/php-7.0.14/main/main.c:2494
#17 0x0000000000846476 in do_cli (argc=2, argv=0x11f20c0) at /home/htf/workspace/php-7.0.14/sapi/cli/php_cli.c:974
#18 0x0000000000441714 in main (argc=2, argv=0x11f20c0) at /home/htf/workspace/php-7.0.14/sapi/cli/php_cli.c:1344




Test script:
---------------
<?php
$swConfig = array(
    'task_worker_num' => 0,
    'worker_num' => 1,
    'max_request' => 1000,
    'dispatch_mode' => 2,
    'debug_mode' => 1,
    'log_file' =>'swoole.log',
    //'daemonize' => 1 ,// whether to run as a daemon
    'open_tcp_keepalive' => true,
);

$http = new swoole_http_server( '0.0.0.0', 9502, SWOOLE_BASE );
$http->set( $swConfig );

$http->on( 'request', function( swoole_http_request $request, swoole_http_response $response ) use ( $http ) {
    // request filtering
    if( $request->server[ 'path_info' ] == '/favicon.ico' || $request->server[ 'request_uri' ] == '/favicon.ico' )
    {
        $response->end();
        return;
    }
});

$http->start();


 [2016-12-09 03:24 UTC] laruence@php.net
this probably is an issue in swoole, not opcache
 [2016-12-09 03:35 UTC] tianfenghan@php.net
```c
    zval *zsetting = sw_zend_read_property(swoole_server_class_entry_ptr, getThis(), ZEND_STRL("setting"), 1 TSRMLS_CC);
    if (zsetting == NULL || ZVAL_IS_NULL(zsetting))
    {
        SW_MAKE_STD_ZVAL(zsetting);
        array_init(zsetting);
        zend_update_property(swoole_server_class_entry_ptr, getThis(), ZEND_STRL("setting"), zsetting TSRMLS_CC);
    }

    add_assoc_bool(zsetting, "open_http_protocol", 1); //##crash line
    add_assoc_bool(zsetting, "open_mqtt_protocol", 0);
    add_assoc_bool(zsetting, "open_eof_check", 0);
    add_assoc_bool(zsetting, "open_length_check", 0);
```
This code causes the crash. Is this the wrong operation?
 [2020-12-09 18:37 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-12-09 18:37 UTC] cmb@php.net
Is this still an issue with latest swoole?
 [2020-12-20 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
Last updated: Tue Mar 19 03:01:29 2024 UTC