Bug #73696 zend_mm_heap corrupted when enable opcache
Submitted: 2016-12-09 03:09 UTC Modified: 2016-12-09 03:24 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:0 (0.0%)
From: tianfenghan@php.net Assigned:
Status: Open Package: opcache
PHP Version: 7.0.14 OS: Ubuntu 16.04
Private report: No CVE-ID: None

 [2016-12-09 03:09 UTC] tianfenghan@php.net
Description:
------------
php.ini
----
zend_extension=opcache.so
opcache.enable_cli=on

No issues with opcache.enable_cli=0.

extension
----
opcache + swoole-1.9.1

php myprog.php
zend_mm_heap corrupted

disable zend mm
----
export USE_ZEND_ALLOC=0
php myprog.php
*** Error in `php': free(): invalid pointer: 0x00007fef61a98fb8 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fef6d4fb7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7fef6d503e0a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fef6d50798c]
php[0x7bcac5]
php(_zend_hash_str_update+0x1f0)[0x7bddb0]
php(add_assoc_bool_ex+0x4f)[0x7b2eef]
/opt/php/php-7/lib/php/extensions/no-debug-non-zts-20151012/swoole.so(+0x2f682)[0x7fef6581e682]
php[0x8355d2]
php(execute_ex+0x1b)[0x7f068b]
php(zend_execute+0x1a7)[0x844797]
php(zend_execute_scripts+0xc3)[0x7b0243]
php(php_execute_script+0x2d0)[0x74ff20]
php[0x846476]
php[0x441714]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fef6d4a4830]
php(_start+0x29)[0x441859]
======= Memory map: ========

gdb php core

(gdb) bt
#0  0x00007fef6d4b9428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007fef6d4bb02a in __GI_abort () at abort.c:89
#2  0x00007fef6d4fb7ea in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fef6d6142e0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007fef6d503e0a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7fef6d6110b2 "free(): invalid pointer", action=3) at malloc.c:5004
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3865
#5  0x00007fef6d50798c in __GI___libc_free (mem=<optimized out>) at malloc.c:2966
#6  0x00000000007bcac5 in zend_hash_do_resize (ht=ht@entry=0x7fef61a98f80) at /home/htf/workspace/php-7.0.14/Zend/zend_hash.c:893
#7  0x00000000007bddb0 in _zend_hash_add_or_update_i (flag=1, pData=0x7ffc12895a30, key=<optimized out>, ht=0x7fef61a98f80) at /home/htf/workspace/php-7.0.14/Zend/zend_hash.c:604
#8  _zend_hash_str_update (ht=ht@entry=0x7fef61a98f80, str=str@entry=0x7fef65858347 "open_mqtt_protocol", len=len@entry=18, pData=pData@entry=0x7ffc12895a30)
    at /home/htf/workspace/php-7.0.14/Zend/zend_hash.c:667
#9  0x00000000007b2eef in zend_symtable_str_update (pData=0x7ffc12895a30, len=18, str=0x7fef65858347 "open_mqtt_protocol", ht=0x7fef61a98f80)
    at /home/htf/workspace/php-7.0.14/Zend/zend_hash.h:407
#10 add_assoc_bool_ex (arg=arg@entry=0x13e2f80, key=key@entry=0x7fef65858347 "open_mqtt_protocol", key_len=key_len@entry=18, b=b@entry=0)
    at /home/htf/workspace/php-7.0.14/Zend/zend_API.c:1349
#11 0x00007fef6581e682 in zim_swoole_http_server_start (execute_data=0x7fef6f13d0e0, return_value=0x7fef6f13d0c0) at /home/htf/workspace/swoole/swoole_http_server.c:1368
#12 0x00000000008355d2 in ZEND_DO_FCALL_SPEC_HANDLER () at /home/htf/workspace/php-7.0.14/Zend/zend_vm_execute.h:842
#13 0x00000000007f068b in execute_ex (ex=<optimized out>) at /home/htf/workspace/php-7.0.14/Zend/zend_vm_execute.h:414
#14 0x0000000000844797 in zend_execute (op_array=0x142cb60, op_array@entry=0x7fef61a992b8, return_value=return_value@entry=0x7fef6f13d040)
    at /home/htf/workspace/php-7.0.14/Zend/zend_vm_execute.h:458
#15 0x00000000007b0243 in zend_execute_scripts (type=type@entry=8, retval=0x7fef6f13d040, retval@entry=0x0, file_count=file_count@entry=3)
    at /home/htf/workspace/php-7.0.14/Zend/zend.c:1437
#16 0x000000000074ff20 in php_execute_script (primary_file=primary_file@entry=0x7ffc12898100) at /home/htf/workspace/php-7.0.14/main/main.c:2494
#17 0x0000000000846476 in do_cli (argc=2, argv=0x11f20c0) at /home/htf/workspace/php-7.0.14/sapi/cli/php_cli.c:974
#18 0x0000000000441714 in main (argc=2, argv=0x11f20c0) at /home/htf/workspace/php-7.0.14/sapi/cli/php_cli.c:1344




Test script:
---------------
<?php
$swConfig = array(
    'task_worker_num' => 0,
    'worker_num' => 1,
    'max_request' => 1000,
    'dispatch_mode' => 2,
    'debug_mode' => 1,
    'log_file' =>'swoole.log',
    //'daemonize' => 1 ,// whether to run as a daemon
    'open_tcp_keepalive' => true,
);

$http = new swoole_http_server( '0.0.0.0', 9502, SWOOLE_BASE );
$http->set( $swConfig );

$http->on( 'request', function( swoole_http_request $request, swoole_http_response $response ) use ( $http ) {
    // request filtering
    if( $request->server[ 'path_info' ] == '/favicon.ico' || $request->server[ 'request_uri' ] == '/favicon.ico' )
    {
        $response->end();
        return;
    }
});

$http->start();


 [2016-12-09 03:24 UTC] laruence@php.net
This is probably an issue in swoole, not opcache.
 [2016-12-09 03:35 UTC] tianfenghan@php.net
```c
    zval *zsetting = sw_zend_read_property(swoole_server_class_entry_ptr, getThis(), ZEND_STRL("setting"), 1 TSRMLS_CC);
    if (zsetting == NULL || ZVAL_IS_NULL(zsetting))
    {
        SW_MAKE_STD_ZVAL(zsetting);
        array_init(zsetting);
        zend_update_property(swoole_server_class_entry_ptr, getThis(), ZEND_STRL("setting"), zsetting TSRMLS_CC);
    }

    add_assoc_bool(zsetting, "open_http_protocol", 1); //##crash line
    add_assoc_bool(zsetting, "open_mqtt_protocol", 0);
    add_assoc_bool(zsetting, "open_eof_check", 0);
    add_assoc_bool(zsetting, "open_length_check", 0);
```
This code will cause a crash. Is this the wrong operation?
Last updated: Sun Sep 22 18:01:26 2019 UTC