Bug #73699 AddressSanitizer found a memory error on PHP7 with opcache
Submitted: 2016-12-09 10:13 UTC Modified: -
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: naoki-kawamukai at cybozu dot co dot jp Assigned:
Status: Open Package: opcache
PHP Version: 7.0.14 OS: Ubuntu 16.04.1(64bit)
Private report: No CVE-ID: None


 [2016-12-09 10:13 UTC] naoki-kawamukai at cybozu dot co dot jp
PHP 7.0.14 compiled with the "-fsanitize=address" option and with opcache
reports a memory error ("free(): invalid size: 0x00006040000165d0").
If I set "opcache.enable_cli=0" in php.ini, this bug does not occur.
PHP 7.1.0 has the same issue.
But PHP 5.6.29 does not. is a similar bug.

Test script:
Environment: Ubuntu 16.04.1(64bit) + gcc version 5.4.0

$ wget -O php-7.0.14.tar.gz
$ tar xzf php-7.0.14.tar.gz
$ cd php-7.0.14
$ ./configure
$ vi Makefile
  CC = cc
  CC = cc -fsanitize=address
$ make -j2
$ echo "zend_extension=$(pwd)/modules/" >> php.ini
$ echo "opcache.enable_cli=1" >> php.ini

Expected result:
$ gdb --args sapi/cli/php -c php.ini -v
(gdb) run
Starting program: /home/vagrant/php-7.0.14/sapi/cli/php -c php.ini -v
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".
PHP 7.0.14 (cli) (built: Dec  9 2016 10:02:37) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.14, Copyright (c) 1999-2016, by Zend Technologies
[Inferior 1 (process 31746) exited normally]

Actual result:
$ gdb --args sapi/cli/php -c php.ini -v
(gdb) run
Starting program: /home/vagrant/php-7.0.14/sapi/cli/php -c php.ini -v
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".
*** Error in `/home/vagrant/php-7.0.14/sapi/cli/php': free(): invalid size: 0x0000604000016590 ***
======= Backtrace: =========
======= Memory map: ========
00400000-013aa000 r-xp 00000000 fc:00 1853893                            /home/vagrant/php-7.0.14/sapi/cli/php
Program received signal SIGABRT, Aborted.
0x00007ffff5ff4428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff5ff4428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff5ff602a in __GI_abort () at abort.c:89
#2  0x00007ffff60367ea in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff614f2e0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff603ee0a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff614c0ca "free(): invalid size", action=3) at malloc.c:5004
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3865
#5  0x00007ffff604298c in __GI___libc_free (mem=<optimized out>) at malloc.c:2966
#6  0x00007ffff069fdf4 in zend_string_release (s=0x604000016590) at /home/vagrant/php-7.0.14/Zend/zend_string.h:271
#7  accel_new_interned_string (str=0x604000016590) at /home/vagrant/php-7.0.14/ext/opcache/ZendAccelerator.c:504
#8  0x00007ffff06a050a in accel_use_shm_interned_strings () at /home/vagrant/php-7.0.14/ext/opcache/ZendAccelerator.c:564
#9  0x00007ffff06a1fe5 in zend_accel_init_shm () at /home/vagrant/php-7.0.14/ext/opcache/ZendAccelerator.c:2517
#10 accel_startup (extension=<optimized out>) at /home/vagrant/php-7.0.14/ext/opcache/ZendAccelerator.c:2754
#11 0x0000000000bc3c7c in zend_extension_startup (extension=0x611000009dd0) at /home/vagrant/php-7.0.14/Zend/zend_extensions.c:184
#12 0x0000000000b7d380 in zend_llist_apply_with_del (l=l@entry=0x17c5dc0 <zend_extensions>, func=func@entry=0xbc3c50 <zend_extension_startup>) at /home/vagrant/php-7.0.14/Zend/zend_llist.c:171
#13 0x0000000000bc3d77 in zend_startup_extensions () at /home/vagrant/php-7.0.14/Zend/zend_extensions.c:205
#14 0x0000000000aaabb8 in php_module_startup (sf=<optimized out>, additional_modules=additional_modules@entry=0x0, num_additional_modules=num_additional_modules@entry=0) at /home/vagrant/php-7.0.14/main/main.c:2220
#15 0x0000000000da3b0d in php_cli_startup (sapi_module=<optimized out>) at /home/vagrant/php-7.0.14/sapi/cli/php_cli.c:423
#16 0x000000000043a4df in main (argc=<optimized out>, argv=0x60400000df50) at /home/vagrant/php-7.0.14/sapi/cli/php_cli.c:1324
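
A small triage helper for backtraces like the one above, added here as an illustration (it is not part of the original report or of PHP's code): it parses gdb frame lines, including those printed without an address, and finds the innermost frame inside the PHP source tree, which is where the free() call rejected by glibc originates. The function names parse_frames and first_project_frame are made up for this example.

```python
import re

# Frames #3-#8 copied from the backtrace in the report above.
BACKTRACE = """\
#3  0x00007ffff603ee0a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff614c0ca "free(): invalid size", action=3) at malloc.c:5004
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3865
#5  0x00007ffff604298c in __GI___libc_free (mem=<optimized out>) at malloc.c:2966
#6  0x00007ffff069fdf4 in zend_string_release (s=0x604000016590) at /home/vagrant/php-7.0.14/Zend/zend_string.h:271
#7  accel_new_interned_string (str=0x604000016590) at /home/vagrant/php-7.0.14/ext/opcache/ZendAccelerator.c:504
#8  0x00007ffff06a050a in accel_use_shm_interned_strings () at /home/vagrant/php-7.0.14/ext/opcache/ZendAccelerator.c:564
"""

# Frame layout: "#N  [0xADDR in] func (args) at file:line".
# The address is optional: gdb omits it on some frames (#4 and #7 here).
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:(?P<addr>0x[0-9a-f]+) in )?"
    r"(?P<func>\S+) \((?P<args>.*)\) at (?P<file>\S+):(?P<line>\d+)$"
)

def parse_frames(text):
    """Return one dict per backtrace line that matches the frame layout."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frame = m.groupdict()
            frame["num"], frame["line"] = int(frame["num"]), int(frame["line"])
            frames.append(frame)
    return frames

def first_project_frame(frames, source_root):
    """Return (innermost frame under source_root, frames above it).

    The frames above it are the libc/allocator internals that only report
    the error; the returned frame is the caller that handed over the pointer.
    """
    for i, frame in enumerate(frames):
        if frame["file"].startswith(source_root):
            return frame, frames[:i]
    return None, frames

if __name__ == "__main__":
    # Source root as it appears in the report's file paths.
    culprit, above = first_project_frame(parse_frames(BACKTRACE),
                                         "/home/vagrant/php-7.0.14/")
    print("allocator frames:", [f["func"] for f in above])
    print("first PHP frame: #%(num)d %(func)s at %(file)s:%(line)d" % culprit)
```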


Last updated: Wed May 27 16:01:25 2020 UTC