Bug #73699 AddressSanitizer found a memory error on PHP7 with opcache
Submitted: 2016-12-09 10:13 UTC Modified: 2020-06-12 04:34 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: naoki-kawamukai at cybozu dot co dot jp Assigned: cmb (profile)
Status: Closed Package: opcache
PHP Version: 7.0.14 OS: Ubuntu 16.04.1(64bit)
Private report: No CVE-ID: None
 [2016-12-09 10:13 UTC] naoki-kawamukai at cybozu dot co dot jp
Description:
------------
PHP 7.0.14 compiled with the "-fsanitize=address" option, with opcache enabled,
reports a memory error ("free(): invalid size: 0x00006040000165d0").
If I set "opcache.enable_cli=0" in php.ini, this bug does not occur.
PHP 7.1.0 has the same issue.
But PHP 5.6.29 does not.

https://bugs.php.net/bug.php?id=68121 is a similar bug.

Test script:
---------------
Environment: Ubuntu 16.04.1(64bit) + gcc version 5.4.0

$ wget http://jp2.php.net/get/php-7.0.14.tar.gz/from/this/mirror -O php-7.0.14.tar.gz
$ tar xzf php-7.0.14.tar.gz
$ cd php-7.0.14
$ ./configure
$ vi Makefile
  ------------
  CC = cc
  ↓
  CC = cc -fsanitize=address
  ------------
$ make -j2
$ echo "zend_extension=$(pwd)/modules/opcache.so" >> php.ini
$ echo "opcache.enable_cli=1" >> php.ini


Expected result:
----------------
$ gdb --args sapi/cli/php -c php.ini -v
(...snip...)
(gdb) run
Starting program: /home/vagrant/php-7.0.14/sapi/cli/php -c php.ini -v
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
PHP 7.0.14 (cli) (built: Dec  9 2016 10:02:37) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.14, Copyright (c) 1999-2016, by Zend Technologies
[Inferior 1 (process 31746) exited normally]

Actual result:
--------------
$ gdb --args sapi/cli/php -c php.ini -v
(...snip...)
(gdb) run
Starting program: /home/vagrant/php-7.0.14/sapi/cli/php -c php.ini -v
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
*** Error in `/home/vagrant/php-7.0.14/sapi/cli/php': free(): invalid size: 0x0000604000016590 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff60367e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7ffff603ee0a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ffff604298c]
/home/vagrant/php-7.0.14/modules/opcache.so(+0x11df4)[0x7ffff069fdf4]
/home/vagrant/php-7.0.14/modules/opcache.so(+0x1250a)[0x7ffff06a050a]
/home/vagrant/php-7.0.14/modules/opcache.so(+0x13fe5)[0x7ffff06a1fe5]
/home/vagrant/php-7.0.14/sapi/cli/php[0xbc3c7c]
/home/vagrant/php-7.0.14/sapi/cli/php(zend_llist_apply_with_del+0xb0)[0xb7d380]
/home/vagrant/php-7.0.14/sapi/cli/php[0xbc3d77]
/home/vagrant/php-7.0.14/sapi/cli/php(php_module_startup+0x9f8)[0xaaabb8]
/home/vagrant/php-7.0.14/sapi/cli/php[0xda3b0d]
/home/vagrant/php-7.0.14/sapi/cli/php[0x43a4df]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff5fdf830]
/home/vagrant/php-7.0.14/sapi/cli/php(_start+0x29)[0x43ab99]
======= Memory map: ========
00400000-013aa000 r-xp 00000000 fc:00 1853893                            /home/vagrant/php-7.0.14/sapi/cli/php
(...snip...)
Program received signal SIGABRT, Aborted.
0x00007ffff5ff4428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff5ff4428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff5ff602a in __GI_abort () at abort.c:89
#2  0x00007ffff60367ea in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff614f2e0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff603ee0a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff614c0ca "free(): invalid size", action=3) at malloc.c:5004
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3865
#5  0x00007ffff604298c in __GI___libc_free (mem=<optimized out>) at malloc.c:2966
#6  0x00007ffff069fdf4 in zend_string_release (s=0x604000016590) at /home/vagrant/php-7.0.14/Zend/zend_string.h:271
#7  accel_new_interned_string (str=0x604000016590) at /home/vagrant/php-7.0.14/ext/opcache/ZendAccelerator.c:504
#8  0x00007ffff06a050a in accel_use_shm_interned_strings () at /home/vagrant/php-7.0.14/ext/opcache/ZendAccelerator.c:564
#9  0x00007ffff06a1fe5 in zend_accel_init_shm () at /home/vagrant/php-7.0.14/ext/opcache/ZendAccelerator.c:2517
#10 accel_startup (extension=<optimized out>) at /home/vagrant/php-7.0.14/ext/opcache/ZendAccelerator.c:2754
#11 0x0000000000bc3c7c in zend_extension_startup (extension=0x611000009dd0) at /home/vagrant/php-7.0.14/Zend/zend_extensions.c:184
#12 0x0000000000b7d380 in zend_llist_apply_with_del (l=l@entry=0x17c5dc0 <zend_extensions>, func=func@entry=0xbc3c50 <zend_extension_startup>) at /home/vagrant/php-7.0.14/Zend/zend_llist.c:171
#13 0x0000000000bc3d77 in zend_startup_extensions () at /home/vagrant/php-7.0.14/Zend/zend_extensions.c:205
#14 0x0000000000aaabb8 in php_module_startup (sf=<optimized out>, additional_modules=additional_modules@entry=0x0, num_additional_modules=num_additional_modules@entry=0) at /home/vagrant/php-7.0.14/main/main.c:2220
#15 0x0000000000da3b0d in php_cli_startup (sapi_module=<optimized out>) at /home/vagrant/php-7.0.14/sapi/cli/php_cli.c:423
#16 0x000000000043a4df in main (argc=<optimized out>, argv=0x60400000df50) at /home/vagrant/php-7.0.14/sapi/cli/php_cli.c:1324
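
The backtrace above ends in libc `free` called from `zend_string_release` inside `accel_new_interned_string`, and the abort comes from glibc's own malloc consistency check (`malloc_printerr`, "free(): invalid size"), not from an AddressSanitizer report. That glibc message means the pointer passed to `free()` did not sit in front of a chunk header with a valid size field, i.e. the heap never handed that address out. The page does not state the root cause of this bug, so what follows is an added C illustration of that error class, not PHP's code and not the fix: a refcounted string type whose release routine must never free an "interned" string that lives outside the heap (static or shared memory), with a toy allocation registry standing in for the check glibc or ASan performs on every free. All names (`mstr`, `STR_INTERNED`, `tracked_malloc`, `tracked_free`, `naive_release`, `safe_release`) are invented for the example.

```c
/* Added illustration, not code from PHP or from this bug's fix. It models
 * the error class behind "free(): invalid size": a release routine handing
 * free() a pointer the heap never allocated, such as a string living in
 * static or shared memory. All names are invented for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { STR_INTERNED = 1u << 0 };   /* string storage is not heap-owned */
#define MSTR_CAP 32                /* fixed capacity keeps the toy simple */

typedef struct {
    uint32_t refcount;
    uint32_t flags;
    size_t   len;
    char     val[MSTR_CAP];
} mstr;

/* Toy ownership registry standing in for what glibc (chunk headers) or
 * ASan (shadow memory) consults on every free(). */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static int   invalid_frees;        /* frees of addresses never allocated here */

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++) {
        if (!live[i]) { live[i] = p; return p; }
    }
    free(p);                       /* registry full: treat as allocation failure */
    return NULL;
}

/* Returns 1 if p was a live allocation and is now freed, -1 if it was not:
 * the case glibc aborts on as "free(): invalid size" / "invalid pointer" and
 * ASan reports as "attempting free on address which was not malloc()-ed". */
static int tracked_free(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++) {
        if (p && live[i] == p) { live[i] = NULL; free(p); return 1; }
    }
    invalid_frees++;
    return -1;
}

static mstr *mstr_new(const char *s)
{
    size_t len = strlen(s);
    if (len >= MSTR_CAP) return NULL;
    mstr *str = tracked_malloc(sizeof *str);
    if (!str) return NULL;
    str->refcount = 1;
    str->flags = 0;
    str->len = len;
    memcpy(str->val, s, len + 1);
    return str;
}

/* An interned string: created once, stored outside the heap (here a static
 * object; in a cache like opcache it would be shared memory), shared by
 * reference. Re-initialised on each call so the example is repeatable. */
static mstr *mstr_interned(void)
{
    static mstr s;                 /* static storage: malloc() never owned it */
    s.refcount = 1;
    s.flags = STR_INTERNED;
    s.len = 3;
    memcpy(s.val, "shm", 4);
    return &s;
}

/* Buggy release: trusts the refcount alone, so an interned string whose
 * count reaches zero is handed to free(). Returns 1 freed, 0 still
 * referenced, -1 invalid free attempted. */
static int naive_release(mstr *s)
{
    if (--s->refcount == 0) return tracked_free(s);
    return 0;
}

/* Hardened release: ownership check before touching the refcount.
 * Interned strings are never decremented and never freed. */
static int safe_release(mstr *s)
{
    if (s->flags & STR_INTERNED) return 0;
    if (--s->refcount == 0) return tracked_free(s);
    return 0;
}

int main(void)
{
    printf("safe_release(heap)      -> %d\n", safe_release(mstr_new("heap")));
    printf("safe_release(interned)  -> %d\n", safe_release(mstr_interned()));
    printf("naive_release(interned) -> %d\n", naive_release(mstr_interned()));
    printf("invalid frees recorded:    %d\n", invalid_frees);
    return invalid_frees ? 1 : 0;
}
```

Without the registry, the naive path would simply call the real `free()` on a static object; glibc then aborts as in the report, and an ASan-instrumented build reports the wrong free together with the stack of the call. For an instrumented build of a configure-based project, passing the flag through `./configure CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address"` is more reliable than editing `CC` in the generated Makefile, since it reaches the link step as well as compilation.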

History

 [2020-06-10 14:19 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-06-10 14:19 UTC] cmb@php.net
This likely has been fixed in the meantime, or can you still
reproduce this memory issue with any of the supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2020-06-12 04:34 UTC] naoki-kawamukai at cybozu dot co dot jp
-Status: Feedback +Status: Closed
 [2020-06-12 04:34 UTC] naoki-kawamukai at cybozu dot co dot jp
Thank you for reminding me of this.
It looks OK for now.
I close this record.

I checked the following:
7.0.14 (original report)
 -> reproduced

7.2.31
 -> not reproduced

7.3.18
 -> not reproduced

7.4.6
 -> I can't compile it on my Ubuntu 16.04.
    But it would be OK.