PHP :: Bug #74008 :: Segmentation fault using Drupal 7

Bug #74008

Segmentation fault using Drupal 7

Submitted:

2017-01-27 17:49 UTC

Modified:

2017-11-22 11:23 UTC

Votes:	15
Avg. Score:	4.5 ± 0.7
Reproduced:	14 of 14 (100.0%)
Same Version:	10 (71.4%)
Same OS:	10 (71.4%)

From:

pierre at brin-de-toile dot fr

Assigned:

Status:

No Feedback

Package:

Reproducible crash

PHP Version:

7.0.15

OS:

Debian Jessie 64 bits

Private report:

CVE-ID:

None

View Developer Edit

[2017-01-27 17:49 UTC] pierre at brin-de-toile dot fr

Description:
------------
Hello,

I can't provide a script to reproduce the problem, since it's part of Drupal.
The problem starts to occur when I add multiple products to the cart, using discounts. Then it occurs on different pages, often when I show the cart.

If there is a way to find what PHP code in Drupal creates the error, I could test it, but I don't know how.


Software used:
* Debian 8.7, kernel 3.18.43
* Nginx 1.10.2
* PHP 7.0.15 (php-fpm)
  - php -m output : bz2,calendar,Core,ctype,curl,date,dom,exif,fileinfo,filter,ftp,gd,gettext,hash,iconv,imap,json,libxml,mbstring,mysqli,mysqlnd,openssl,pcntl,pcre,PDO,pdo_mysql,Phar,posix,readline,Reflection,session,shmop,SimpleXML,soap,sockets,SPL,standard,sysvm,g,sysvsem,sysvshm,tokenizer,wddx,xml,xmlreader,xmlrpc,xmlwriter,xsl,zip,zlib
* Drupal 7.53, Drupal Commerce 1.13, Commerce Discount 1.x-dev


php.ini modifications:
max_execution_time = 300
post_max_size = 32M
upload_max_filesize = 32M
date.timezone = Europe/Paris

Actual result:
--------------
% sudo gdb /usr/sbin/php-fpm7.0 /tmp/core-php-fpm7.0.23489
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
[...]
Core was generated by `php-fpm: pool www                                                            '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  zend_mm_alloc_small (size=56, bin_num=6, heap=0x7f9322200040) at /usr/src/builddir/Zend/zend_alloc.c:1306
[...]
(gdb) bt
#0  zend_mm_alloc_small (size=56, bin_num=6, heap=0x7f9322200040) at /usr/src/builddir/Zend/zend_alloc.c:1306
#1  _emalloc_56 () at /usr/src/builddir/Zend/zend_alloc.c:2380
#2  0x00007f932520a3fe in zend_array_dup (source=0x7f9314f65cb0) at /usr/src/builddir/Zend/zend_hash.c:1793
#3  0x00007f93251f5f1d in _zval_copy_ctor_func (zvalue=zvalue@entry=0x7f931468bd60) at /usr/src/builddir/Zend/zend_variables.c:221
#4  0x00007f93252683c1 in zend_binary_assign_op_dim_helper_SPEC_VAR_CONST (binary_op=0x7f93251f0f30 <add_function>) at /usr/src/builddir/Zend/zend_vm_execute.h:16769
#5  0x00007f932523798b in execute_ex (ex=<optimized out>) at /usr/src/builddir/Zend/zend_vm_execute.h:414
#6  0x00007f93251e8915 in zend_call_function (fci=fci@entry=0x7ffc56a3c710, fci_cache=0x7f9314e35580, fci_cache@entry=0x7ffc56a3c6e0) at /usr/src/builddir/Zend/zend_execute_API.c:858
#7  0x00007f9325215e0e in zend_call_method (object=object@entry=0x7ffc56a3c810, obj_ce=<optimized out>, fn_proxy=<optimized out>, function_name=function_name@entry=0x7f9325397597 "__get", function_name_len=function_name_len@entry=5, 
    retval_ptr=retval_ptr@entry=0x7ffc56a3c800, param_count=1, arg1=0x7f9315ca9dc0, arg2=0x0) at /usr/src/builddir/Zend/zend_interfaces.c:104
#8  0x00007f932522f2df in zend_std_call_getter (object=object@entry=0x7ffc56a3c810, member=member@entry=0x7f9315ca9dc0, retval=retval@entry=0x7ffc56a3c800) at /usr/src/builddir/Zend/zend_object_handlers.c:200
#9  0x00007f9325230b55 in zend_std_has_property (object=<optimized out>, member=0x7f9315ca9dc0, has_set_exists=1, cache_slot=<optimized out>) at /usr/src/builddir/Zend/zend_object_handlers.c:1519
#10 0x00007f9325237aaa in ZEND_ISSET_ISEMPTY_PROP_OBJ_SPEC_CV_CONST_HANDLER () at /usr/src/builddir/Zend/zend_vm_execute.h:33061
#11 0x00007f932523798b in execute_ex (ex=<optimized out>) at /usr/src/builddir/Zend/zend_vm_execute.h:414
#12 0x00007f932528c7e7 in zend_execute (op_array=0x7f9322275000, op_array@entry=0x7f9315c7bee0, return_value=return_value@entry=0x7f93222152d0) at /usr/src/builddir/Zend/zend_vm_execute.h:458
#13 0x00007f93251f7963 in zend_execute_scripts (type=type@entry=8, retval=0x7f93222152d0, retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/builddir/Zend/zend.c:1437
#14 0x00007f93251976c0 in php_execute_script (primary_file=0x7ffc56a3ee80) at /usr/src/builddir/main/main.c:2492
#15 0x00007f932507d6e5 in main (argc=658790613, argv=0x7f9327445847) at /usr/src/builddir/sapi/fpm/fpm/fpm_main.c:1968
(gdb) f 0
#0  zend_mm_alloc_small (size=56, bin_num=6, heap=0x7f9322200040) at /usr/src/builddir/Zend/zend_alloc.c:1306
1306			heap->free_slot[bin_num] = p->next_free_slot;
(gdb) list
1301		} while (0);
1302	#endif
1303	
1304		if (EXPECTED(heap->free_slot[bin_num] != NULL)) {
1305			zend_mm_free_slot *p = heap->free_slot[bin_num];
1306			heap->free_slot[bin_num] = p->next_free_slot;
1307			return (void*)p;
1308		} else {
1309			return zend_mm_alloc_small_slow(heap, bin_num ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
1310		}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-02-08 11:41 UTC] tim at netlog dot com

I'm seeing the same segfaults on ubuntu 14.04 without joomla. We get about 1 segfault per 2k requests, seamingly random. I can't pin it down to a single call. The only common thing in the backtraces seems to be zend_alloc.c:1306.
Additional fun fact: if I install the newrelic php extension, the segfaults seem to go away.

Software used:
* Ubuntu 14.04, kernel 4.4.37
* nginx 1.4.6-1ubuntu3.7
* php-fpm 7.0.15
* php modules: apcu, calendar, Core, couchbase, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, gmp, hash, iconv, igbinary, json, libxml, maxminddb, mbstring, mcrypt, memcached, mysqli, mysqlnd, openssl, pcntl, pcre, PDO, pdo_mysql, Phar, posix, readline, redis, Reflection, session, shmop, SimpleXML, soap, sockets, SPL, standard, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlreader, xmlwriter, xsl, Zend OPcache, zlib

Some stacktraces:
-----------------
% sudo gdb php-fpm7.0 core.php-fpm7.0.5446.1484921634
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
...
Core was generated by `php-fpm: pool www0'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  zend_mm_alloc_small (size=<optimized out>, bin_num=<optimized out>, heap=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1306
1306	/build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c: No such file or directory.
(gdb) bt
#0  zend_mm_alloc_small (size=<optimized out>, bin_num=<optimized out>, heap=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1306
#1  zend_mm_alloc_heap (size=<optimized out>, heap=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1377
#2  _emalloc (size=3, size@entry=32) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:2461
#3  0x00005650ebc7d451 in zend_string_alloc (persistent=<optimized out>, len=4)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_string.h:121
#4  zend_string_init (persistent=<optimized out>, len=4, str=0x5650ebd4576e "type")
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_string.h:157
#5  _zend_hash_str_update (ht=ht@entry=0x7f5337e1a310, str=str@entry=0x5650ebd4576e "type", len=len@entry=4, 
    pData=pData@entry=0x7ffd164d1b30) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_hash.c:666
#6  0x00005650ebc73856 in zend_symtable_str_update (pData=0x7ffd164d1b30, len=4, str=0x5650ebd4576e "type", 
    ht=0x7f5337e1a310) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_hash.h:407
#7  add_assoc_string_ex (arg=arg@entry=0x7ffd164d1bc0, key=key@entry=0x5650ebd4576e "type", 
    key_len=key_len@entry=4, str=str@entry=0x5650ebd58d7c "->")
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_API.c:1389
#8  0x00005650ebc89a49 in zend_fetch_debug_backtrace (return_value=return_value@entry=0x7f53cde13b70, 
    skip_last=skip_last@entry=1, options=<optimized out>, limit=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_builtin_functions.c:2613
#9  0x00005650ebc89e0b in zif_debug_backtrace (execute_data=<optimized out>, return_value=0x7f53cde13b70)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_builtin_functions.c:2698
#10 0x00005650ebcbae7d in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:586
#11 0x00005650ebcad1eb in execute_ex (ex=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:414
#12 0x00005650ebcf6a5f in zend_execute (op_array=0x7f53cdea39a0, op_array@entry=0x7f53520883b0, 
    return_value=return_value@entry=0x7f53cde13aa0) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:458
#13 0x00005650ebc70c14 in zend_execute_scripts (type=type@entry=8, retval=0x7f53cde13aa0, retval@entry=0x0, 
    file_count=file_count@entry=3) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend.c:1437
#14 0x00005650ebc13c28 in php_execute_script (primary_file=0x7ffd164d40d0)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/main/main.c:2494
#15 0x00005650ebb02c2c in main (argc=<optimized out>, argv=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/sapi/fpm/fpm/fpm_main.c:1968


% sudo gdb php-fpm7.0 core.php-fpm7.0.5390.1484921424
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
...
Core was generated by `php-fpm: pool www0'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  zend_mm_alloc_small (size=<optimized out>, bin_num=7, heap=0x7f53cde00040)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1306
1306	/build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c: No such file or directory.
(gdb) bt
#0  zend_mm_alloc_small (size=<optimized out>, bin_num=7, heap=0x7f53cde00040)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1306
#1  zend_mm_alloc_heap (size=<optimized out>, heap=0x7f53cde00040)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1377
#2  zend_mm_realloc_heap (heap=0x7f53cde00040, ptr=0x7f533f49b8f8, size=<optimized out>, copy_size=64)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1655
#3  0x00005650ebce2f7f in zend_string_realloc (persistent=0, len=34, s=0x7f533f49b8f8)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_string.h:187
#4  ZEND_CONCAT_SPEC_TMPVAR_CV_HANDLER () at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:43789
#5  0x00005650ebcad1eb in execute_ex (ex=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:414
#6  0x00005650ebc62eaa in zend_call_function (fci=fci@entry=0x7ffd164d1920, fci_cache=0x7f53518aa800, 
    fci_cache@entry=0x7ffd164d18f0) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_execute_API.c:858
#7  0x00005650ebc8cf04 in zend_call_method (object=0x7f53cde8f158, obj_ce=<optimized out>, fn_proxy=0x7f53cde8f150, 
    function_name=0x7f53cdec0bf8 "composer\\autoload\\classloader::loadclass\002", 
    function_name_len=<optimized out>, retval_ptr=retval_ptr@entry=0x0, param_count=param_count@entry=1, 
    arg1=0x7f53cde13b60, arg2=arg2@entry=0x0) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_interfaces.c:104
#8  0x00005650ebb7e7a4 in zif_spl_autoload_call (execute_data=<optimized out>, return_value=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/ext/spl/php_spl.c:409
#9  0x00005650ebc62f2c in zend_call_function (fci=fci@entry=0x7ffd164d1ba0, 
    fci_cache=fci_cache@entry=0x7ffd164d1b70) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_execute_API.c:878
#10 0x00005650ebc635c2 in zend_lookup_class_ex (name=name@entry=0x7f5349b5ca30, key=0x7f53525d78f8, 
    use_autoload=use_autoload@entry=1) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_execute_API.c:1040
#11 0x00005650ebc63f08 in zend_fetch_class_by_name (class_name=0x7f5349b5ca30, key=<optimized out>, 
    fetch_type=fetch_type@entry=512) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_execute_API.c:1386
#12 0x00005650ebcbb352 in ZEND_FETCH_CONSTANT_SPEC_CONST_CONST_HANDLER ()
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:5980
#13 0x00005650ebcad1eb in execute_ex (ex=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:414
#14 0x00005650ebcf6a5f in zend_execute (op_array=0x7f53cdea39a0, op_array@entry=0x7f53525d8c90, 
    return_value=return_value@entry=0x7f53cde13720) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:458
#15 0x00005650ebc70c14 in zend_execute_scripts (type=type@entry=8, retval=0x7f53cde13720, retval@entry=0x0, 
    file_count=file_count@entry=3) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend.c:1437
#16 0x00005650ebc13c28 in php_execute_script (primary_file=0x7ffd164d40d0)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/main/main.c:2494
#17 0x00005650ebb02c2c in main (argc=<optimized out>, argv=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/sapi/fpm/fpm/fpm_main.c:1968



% sudo gdb php-fpm7.0 core.php-fpm7.0.5456.1484923643
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
...
Core was generated by `php-fpm: pool www0                                                           '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  zend_mm_alloc_small (size=<optimized out>, bin_num=<optimized out>, heap=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1306
1306	/build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c: No such file or directory.
(gdb) bt
#0  zend_mm_alloc_small (size=<optimized out>, bin_num=<optimized out>, heap=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1306
#1  zend_mm_alloc_heap (size=<optimized out>, heap=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1377
#2  _emalloc (size=3) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:2461
#3  0x00007f53c41e1d7c in ?? () from /usr/lib/php/20151012/igbinary.so
#4  0x00007f53c41e30b7 in ?? () from /usr/lib/php/20151012/igbinary.so
#5  0x00007f53c41e1e0c in ?? () from /usr/lib/php/20151012/igbinary.so
#6  0x00007f53c41e8d9d in igbinary_unserialize () from /usr/lib/php/20151012/igbinary.so
#7  0x00007f53c03d5de9 in s_unserialize_value (memc=<optimized out>, return_value=0x7ffd164d1880, 
    payload=<optimized out>, val_type=<optimized out>) at /home/tim/php-memcached/php_memcached.c:3472
#8  s_memcached_result_to_zval (memc=<optimized out>, return_value=0x7ffd164d1880, result=0x7ffd164d18a0)
    at /home/tim/php-memcached/php_memcached.c:3572
#9  php_memc_result_apply (intern=intern@entry=0x7f53cdfc50c0, 
    result_apply_fn=result_apply_fn@entry=0x7f53c03d5360 <s_get_apply_fn>, fetch_delay=fetch_delay@entry=0 '\000', 
    context=context@entry=0x7ffd164d1ae0) at /home/tim/php-memcached/php_memcached.c:620
#10 0x00007f53c03d741c in php_memc_mget_apply (intern=intern@entry=0x7f53cdfc50c0, server_key=<optimized out>, 
    keys=keys@entry=0x7ffd164d1b00, result_apply_fn=result_apply_fn@entry=0x7f53c03d5360 <s_get_apply_fn>, 
    with_cas=<optimized out>, context=context@entry=0x7ffd164d1ae0) at /home/tim/php-memcached/php_memcached.c:706
#11 0x00007f53c03d8b30 in php_memc_mget_apply (context=0x7ffd164d1ae0, with_cas=<optimized out>, 
    result_apply_fn=0x7f53c03d5360 <s_get_apply_fn>, keys=0x7ffd164d1b00, server_key=<optimized out>, 
    intern=0x7f53cdfc50c0) at /home/tim/php-memcached/php_memcached.c:1419
#12 php_memc_get_impl (execute_data=<optimized out>, return_value=0x7f53cde142f0, by_key=<optimized out>)
    at /home/tim/php-memcached/php_memcached.c:1428
#13 0x00005650ebceb09b in ZEND_DO_FCALL_SPEC_HANDLER ()
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:842
#14 0x00005650ebcad1eb in execute_ex (ex=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:414
#15 0x00005650ebcf6a5f in zend_execute (op_array=0x7f53cdea69a0, op_array@entry=0x7f535210d238, 
    return_value=return_value@entry=0x7f53cde14250) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:458
#16 0x00005650ebc70c14 in zend_execute_scripts (type=type@entry=8, retval=0x7f53cde14250, retval@entry=0x0, 
    file_count=file_count@entry=3) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend.c:1437
#17 0x00005650ebc13c28 in php_execute_script (primary_file=0x7ffd164d40d0)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/main/main.c:2494
#18 0x00005650ebb02c2c in main (argc=<optimized out>, argv=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/sapi/fpm/fpm/fpm_main.c:1968



% sudo gdb php-fpm7.0 core.php-fpm7.0.5348.1484922041
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
...
Core was generated by `php-fpm: pool www0'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  zend_mm_alloc_small (size=64, bin_num=7, heap=0x7f53cde00040)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1306
1306	/build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c: No such file or directory.
(gdb) bt
#0  zend_mm_alloc_small (size=64, bin_num=7, heap=0x7f53cde00040)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1306
#1  _emalloc_64 () at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:2380
#2  0x00007f53c231ceb5 in redis_serialize () from /usr/lib/php/20151012/redis.so
#3  0x00007f53c230490a in generic_mset () from /usr/lib/php/20151012/redis.so
#4  0x00005650ebc62f2c in zend_call_function (fci=fci@entry=0x7ffd164d19e0, fci_cache=0x7ffd164d1910, 
    fci_cache@entry=0x0) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_execute_API.c:878
#5  0x00005650ebc633e8 in call_user_function_ex (function_table=<optimized out>, object=<optimized out>, 
    function_name=<optimized out>, retval_ptr=<optimized out>, param_count=<optimized out>, params=<optimized out>, 
    no_separation=no_separation@entry=1, symbol_table=symbol_table@entry=0x0)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_execute_API.c:675
#6  0x00005650ebc63419 in call_user_function (function_table=<optimized out>, object=<optimized out>, 
    function_name=<optimized out>, retval_ptr=<optimized out>, param_count=<optimized out>, params=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_execute_API.c:657
#7  0x00007f53c2320601 in ?? () from /usr/lib/php/20151012/redis.so
#8  0x00007f53c2322271 in zim_RedisArray_mset () from /usr/lib/php/20151012/redis.so
#9  0x00005650ebceb09b in ZEND_DO_FCALL_SPEC_HANDLER ()
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:842
#10 0x00005650ebcad1eb in execute_ex (ex=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:414
#11 0x00005650ebcf6a5f in zend_execute (op_array=0x7f53cded39a0, op_array@entry=0x7f5352236ae0, 
    return_value=return_value@entry=0x7f53cde137b0) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:458
#12 0x00005650ebc70c14 in zend_execute_scripts (type=type@entry=8, retval=0x7f53cde137b0, retval@entry=0x0, 
    file_count=file_count@entry=3) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend.c:1437
#13 0x00005650ebc13c28 in php_execute_script (primary_file=0x7ffd164d40d0)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/main/main.c:2494
#14 0x00005650ebb02c2c in main (argc=<optimized out>, argv=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/sapi/fpm/fpm/fpm_main.c:1968


% sudo gdb php-fpm7.0 core.php-fpm7.0.5432.1484922527
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
...
Core was generated by `php-fpm: pool www0'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  zend_mm_alloc_small (size=<optimized out>, bin_num=<optimized out>, heap=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1306
1306	/build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c: No such file or directory.
(gdb) bt
#0  zend_mm_alloc_small (size=<optimized out>, bin_num=<optimized out>, heap=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1306
#1  zend_mm_alloc_heap (size=<optimized out>, heap=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:1377
#2  _emalloc (size=7) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_alloc.c:2461
#3  0x00007f53cdbdf3f2 in ?? () from /usr/lib/php/20151012/opcache.so
#4  0x00007f53cdbdf244 in ?? () from /usr/lib/php/20151012/opcache.so
#5  0x00007f53cdbe099f in zend_accel_load_script () from /usr/lib/php/20151012/opcache.so
#6  0x00007f53cdbd26e9 in persistent_compile_file () from /usr/lib/php/20151012/opcache.so
#7  0x00005650ebc3b1e5 in compile_filename (type=2, filename=filename@entry=0x7f53cde13ce0)
    at Zend/zend_language_scanner.l:649
#8  0x00005650ebcf30b7 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER ()
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:29441
#9  0x00005650ebcad1eb in execute_ex (ex=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:414
#10 0x00005650ebc62eaa in zend_call_function (fci=fci@entry=0x7ffd164d18f0, fci_cache=0x7f53518a1f90, 
    fci_cache@entry=0x7ffd164d18c0) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_execute_API.c:858
#11 0x00005650ebc8cf04 in zend_call_method (object=0x7f53cde8f0f8, obj_ce=<optimized out>, fn_proxy=0x7f53cde8f0f0, 
    function_name=0x7f53cdedd898 "universalclassloader::loadclass\001", function_name_len=<optimized out>, 
    retval_ptr=retval_ptr@entry=0x0, param_count=param_count@entry=1, arg1=0x7f53cde13c20, arg2=arg2@entry=0x0)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_interfaces.c:104
#12 0x00005650ebb7e7a4 in zif_spl_autoload_call (execute_data=<optimized out>, return_value=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/ext/spl/php_spl.c:409
#13 0x00005650ebc62f2c in zend_call_function (fci=fci@entry=0x7ffd164d1b70, 
    fci_cache=fci_cache@entry=0x7ffd164d1b40) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_execute_API.c:878
#14 0x00005650ebc635c2 in zend_lookup_class_ex (name=name@entry=0x7f5349aa7f98, key=0x7f535207a688, 
    use_autoload=use_autoload@entry=1) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_execute_API.c:1040
#15 0x00005650ebc63f08 in zend_fetch_class_by_name (class_name=0x7f5349aa7f98, key=<optimized out>, 
    fetch_type=fetch_type@entry=512) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_execute_API.c:1386
#16 0x00005650ebcf4300 in ZEND_NEW_SPEC_CONST_HANDLER ()
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:3358
#17 0x00005650ebcad1eb in execute_ex (ex=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:414
#18 0x00005650ebcf6a5f in zend_execute (op_array=0x7f53cdea39a0, op_array@entry=0x7f535207aa78, 
    return_value=return_value@entry=0x7f53cde13b00) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend_vm_execute.h:458
#19 0x00005650ebc70c14 in zend_execute_scripts (type=type@entry=8, retval=0x7f53cde13b00, retval@entry=0x0, 
    file_count=file_count@entry=3) at /build/php7.0-VhrlDZ/php7.0-7.0.14/Zend/zend.c:1437
#20 0x00005650ebc13c28 in php_execute_script (primary_file=0x7ffd164d40d0)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/main/main.c:2494
#21 0x00005650ebb02c2c in main (argc=<optimized out>, argv=<optimized out>)
    at /build/php7.0-VhrlDZ/php7.0-7.0.14/sapi/fpm/fpm/fpm_main.c:1968

[2017-02-21 14:30 UTC] tim at netlog dot com

FYI the issue still occurs with 7.0.16.

[2017-04-18 17:06 UTC] kol at nextmail dot ru

Same issue. More often on requests to MySQL via PDO.

(gdb) l
1301		} while (0);
1302	#endif
1303	
1304		if (EXPECTED(heap->free_slot[bin_num] != NULL)) {
1305			zend_mm_free_slot *p = heap->free_slot[bin_num];
1306			heap->free_slot[bin_num] = p->next_free_slot;
1307			return (void*)p;
1308		} else {
1309			return zend_mm_alloc_small_slow(heap, bin_num ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
1310		}

(gdb) p bin_num
$1 = 7
(gdb) p *heap  
$2 = {use_custom_heap = 0, storage = 0x0, size = 8688248, peak = 8874560, free_slot = {0x7f88dfe62278, 0x7f88dfe698a0, 0x7f88581db900, 0x7f88576c0900, 0x7f88576d4ac8, 0x7f8857682db0, 0x7f885760fb28, 0x1, 0x7f88dffe67d0, 0x7f8857662b40, 0x7f8857629f50, 0x7f88dfe6ef80, 
    0x7f8858072dc0, 0x7f88dfea5a80, 0x7f8857952b60, 0x7f8857959300, 0x7f88578fd4c0, 0x7f88dfe9b100, 0x7f88dff6f540, 0x7f88dfe9f600, 0x7f8857c0a480, 0x7f88dfed3a00, 0x7f8857992380, 0x7f88dfed4400, 0x7f88576cb400, 0x7f88dfed6000, 0x7f88dfed9000, 0x7f88dfee0000, 0x0, 
    0x7f8857843c00}, real_size = 4194304, real_peak = 4194304, limit = 134217728, overflow = 0, huge_list = 0x0, main_chunk = 0x7f88dfe00000, cached_chunks = 0x0, chunks_count = 5, peak_chunks_count = 5, cached_chunks_count = 0, avg_chunks_count = 4.2484463100770391, 
  custom_heap = {std = {_malloc = 0x0, _free = 0x0, _realloc = 0x0}, debug = {_malloc = 0x0, _free = 0x0, _realloc = 0x0}}}


(gdb) p p
$3 = (zend_mm_free_slot *) 0x1

(gdb) p *p   
Cannot access memory at address 0x1

[2017-04-19 16:32 UTC] dmitry@php.net

-Status: Open +Status: Feedback

[2017-04-19 16:32 UTC] dmitry@php.net

It looks like this problem caused by use-after-free or double-free.
It would be great to catch the original source of the problem using valgrind.

Instead of php-fpm, run single process FastCGI server under valgrind and perform few requests that caused crash (they are going to be served very slow).

$ USE_ZEND_ALLOC=0 valgrind php-cgi -b <listen-socket>

[2017-04-20 13:02 UTC] dmitry@php.net

-Status: Feedback +Status: Open

[2017-04-20 13:02 UTC] dmitry@php.net

It looks like an invalid free in memcache.c:476
Most probably it's caused by a bug in reference counting.


==12487== Invalid read of size 1
==12487==    at 0x9048FA7: ZEND_FE_FETCH_R_SPEC_VAR_HANDLER (zend_vm_execute.h:16015)
==12487==    by 0x9033E0A: execute_ex (zend_vm_execute.h:414)
==12487==    by 0x9087B26: zend_execute (zend_vm_execute.h:458)
==12487==    by 0x8FF64B3: zend_execute_scripts (zend.c:1437)
==12487==    by 0x8F99C6F: php_execute_script (main.c:2492)
==12487==    by 0x9089429: php_handler (sapi_apache2.c:678)
==12487==    by 0x16268F: ap_run_handler (in /usr/sbin/apache2)
==12487==    by 0x162BD8: ap_invoke_handler (in /usr/sbin/apache2)
==12487==    by 0x1783DB: ap_internal_redirect (in /usr/sbin/apache2)
==12487==    by 0xA869EA1: ??? (in /usr/lib/apache2/modules/mod_rewrite.so)
==12487==    by 0x16268F: ap_run_handler (in /usr/sbin/apache2)
==12487==    by 0x162BD8: ap_invoke_handler (in /usr/sbin/apache2)
==12487==    by 0x178AB1: ap_process_async_request (in /usr/sbin/apache2)
==12487==    by 0x178C4F: ap_process_request (in /usr/sbin/apache2)
==12487==    by 0x175551: ??? (in /usr/sbin/apache2)
==12487==    by 0x16BF3F: ap_run_process_connection (in /usr/sbin/apache2)
==12487==    by 0x89A47B9: ??? (in /usr/lib/apache2/modules/mod_mpm_prefork.so)
==12487==    by 0x89A4A00: ??? (in /usr/lib/apache2/modules/mod_mpm_prefork.so)
==12487==    by 0x89A5666: ??? (in /usr/lib/apache2/modules/mod_mpm_prefork.so)
==12487==    by 0x1467ED: ap_run_mpm (in /usr/sbin/apache2)
==12487==    by 0x13F5F2: main (in /usr/sbin/apache2)
==12487==  Address 0x35a9d265 is 5 bytes inside a block of size 48 free'd
==12487==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==12487==    by 0x166F8F9C: zend_string_release (zend_string.h:271)
==12487==    by 0x166F8F9C: php_mmc_store (memcache.c:476)
==12487==    by 0x9078471: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:842)
==12487==    by 0x9033E0A: execute_ex (zend_vm_execute.h:414)
==12487==    by 0x9087B26: zend_execute (zend_vm_execute.h:458)
==12487==    by 0x8FF64B3: zend_execute_scripts (zend.c:1437)
==12487==    by 0x8F99C6F: php_execute_script (main.c:2492)
==12487==    by 0x9089429: php_handler (sapi_apache2.c:678)
==12487==    by 0x16268F: ap_run_handler (in /usr/sbin/apache2)
==12487==    by 0x162BD8: ap_invoke_handler (in /usr/sbin/apache2)
==12487==    by 0x1783DB: ap_internal_redirect (in /usr/sbin/apache2)
==12487==    by 0xA869EA1: ??? (in /usr/lib/apache2/modules/mod_rewrite.so)
==12487==    by 0x16268F: ap_run_handler (in /usr/sbin/apache2)
==12487==    by 0x162BD8: ap_invoke_handler (in /usr/sbin/apache2)
==12487==    by 0x178AB1: ap_process_async_request (in /usr/sbin/apache2)
==12487==    by 0x178C4F: ap_process_request (in /usr/sbin/apache2)
==12487==    by 0x175551: ??? (in /usr/sbin/apache2)
==12487==    by 0x16BF3F: ap_run_process_connection (in /usr/sbin/apache2)
==12487==    by 0x89A47B9: ??? (in /usr/lib/apache2/modules/mod_mpm_prefork.so)
==12487==    by 0x89A4A00: ??? (in /usr/lib/apache2/modules/mod_mpm_prefork.so)
==12487==    by 0x89A5666: ??? (in /usr/lib/apache2/modules/mod_mpm_prefork.so)
==12487==    by 0x1467ED: ap_run_mpm (in /usr/sbin/apache2)
==12487==    by 0x13F5F2: main (in /usr/sbin/apache2)

[2017-04-24 17:20 UTC] tomas dot srnka at gmail dot com

Hi,

@kolsys at github posted a patch for this problem for pecl-memcache that we've ported to PHP7. Give it a try please, it should be fixed now.

https://github.com/websupport-sk/pecl-memcache

Tomas

[2017-07-23 02:04 UTC] kalle@php.net

-Status: Open +Status: Feedback

[2017-07-26 22:02 UTC] mbreden at acromediainc dot com

I also appear to be suffering from this problem, although I do not have memcache enabled at all.

Software
==========================================
Happens on Ubuntu 16.04 & 14.04 at least
Drupal 7.56
Commerce 1.13
Commerce Discount 1.0-alpha8
Commerce Discount Extra 1.0-rc4
PHP - Tested with fpm w/nginx and cli w/ built in server: 7.0.18, 7.0.21, 7.1.7
==========================================

The bug is similar to the first story - multiple discounts being applied to an order, and PHP often segfaults in product pages, the cart, and checkout.

The problem appears to be happening with the zend memory manager.
With "export USE_ZEND_ALLOC=0" it does not happen.
It does also not happen if the garbage collector is disabled.
ini_set('zend.enable_gc', 0);

Valgrind also can't be run with zend memory manager turned off as per https://bugs.php.net/bugs-getting-valgrind-log.php as the problem seems to be stemming there - with zend mm turned off, there's no issue.



A valgrind memcheck gives this log:

==19806== Memcheck, a memory error detector
==19806== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==19806== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==19806== Command: /usr/bin/php7.0 -S localhost:3000
==19806== Parent PID: 18844
==19806== 
==19806== Invalid read of size 8
==19806==    at 0x3468F4: zend_mm_alloc_small (zend_alloc.c:1306)
==19806==    by 0x3468F4: zend_mm_alloc_heap (zend_alloc.c:1377)
==19806==    by 0x3468F4: _emalloc (zend_alloc.c:2461)
==19806==    by 0x2F9718: zend_string_alloc (zend_string.h:121)
==19806==    by 0x2F9718: zend_string_init (zend_string.h:157)
==19806==    by 0x2F9718: php_var_unserialize_internal (var_unserializer.c:1047)
==19806==    by 0x2F989E: process_nested_data (var_unserializer.c:401)
==19806==    by 0x2F989E: php_var_unserialize_internal (var_unserializer.c:940)
==19806==    by 0x2F989E: process_nested_data (var_unserializer.c:401)
==19806==    by 0x2F989E: php_var_unserialize_internal (var_unserializer.c:940)
==19806==    by 0x2F989E: process_nested_data (var_unserializer.c:401)
==19806==    by 0x2F989E: php_var_unserialize_internal (var_unserializer.c:940)
==19806==    by 0x2EA95F: zif_unserialize (var.c:1076)
==19806==    by 0x3BA3AC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==19806==    by 0x3AB50A: execute_ex (zend_vm_execute.h:414)
==19806==    by 0x3FFC86: zend_execute (zend_vm_execute.h:458)
==19806==    by 0x36AD42: zend_execute_scripts (zend.c:1443)
==19806==    by 0x309E9F: php_execute_script (main.c:2492)
==19806==    by 0x4075F9: php_cli_server_dispatch_script (php_cli_server.c:1937)
==19806==    by 0x40850A: php_cli_server_dispatch (php_cli_server.c:2111)
==19806==    by 0x40850A: php_cli_server_recv_event_read_request (php_cli_server.c:2321)
==19806==    by 0x408B2D: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2401)
==19806==    by 0x4096B8: php_cli_server_poller_iter_on_active (php_cli_server.c:831)
==19806==    by 0x4096B8: php_cli_server_do_event_for_each_fd (php_cli_server.c:2424)
==19806==    by 0x4096B8: php_cli_server_do_event_loop (php_cli_server.c:2434)
==19806==    by 0x4096B8: do_cli_server (php_cli_server.c:2535)
==19806==    by 0x1EC975: main (php_cli.c:1350)
==19806==  Address 0xc5cf00001f432dff is not stack'd, malloc'd or (recently) free'd
==19806== 
==19806== 
==19806== Process terminating with default action of signal 11 (SIGSEGV)
==19806==  General Protection Fault
==19806==    at 0x3468F4: zend_mm_alloc_small (zend_alloc.c:1306)
==19806==    by 0x3468F4: zend_mm_alloc_heap (zend_alloc.c:1377)
==19806==    by 0x3468F4: _emalloc (zend_alloc.c:2461)
==19806==    by 0x2F9718: zend_string_alloc (zend_string.h:121)
==19806==    by 0x2F9718: zend_string_init (zend_string.h:157)
==19806==    by 0x2F9718: php_var_unserialize_internal (var_unserializer.c:1047)
==19806==    by 0x2F989E: process_nested_data (var_unserializer.c:401)
==19806==    by 0x2F989E: php_var_unserialize_internal (var_unserializer.c:940)
==19806==    by 0x2F989E: process_nested_data (var_unserializer.c:401)
==19806==    by 0x2F989E: php_var_unserialize_internal (var_unserializer.c:940)
==19806==    by 0x2F989E: process_nested_data (var_unserializer.c:401)
==19806==    by 0x2F989E: php_var_unserialize_internal (var_unserializer.c:940)
==19806==    by 0x2EA95F: zif_unserialize (var.c:1076)
==19806==    by 0x3BA3AC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==19806==    by 0x3AB50A: execute_ex (zend_vm_execute.h:414)
==19806==    by 0x3FFC86: zend_execute (zend_vm_execute.h:458)
==19806==    by 0x36AD42: zend_execute_scripts (zend.c:1443)
==19806==    by 0x309E9F: php_execute_script (main.c:2492)
==19806==    by 0x4075F9: php_cli_server_dispatch_script (php_cli_server.c:1937)
==19806==    by 0x40850A: php_cli_server_dispatch (php_cli_server.c:2111)
==19806==    by 0x40850A: php_cli_server_recv_event_read_request (php_cli_server.c:2321)
==19806==    by 0x408B2D: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2401)
==19806==    by 0x4096B8: php_cli_server_poller_iter_on_active (php_cli_server.c:831)
==19806==    by 0x4096B8: php_cli_server_do_event_for_each_fd (php_cli_server.c:2424)
==19806==    by 0x4096B8: php_cli_server_do_event_loop (php_cli_server.c:2434)
==19806==    by 0x4096B8: do_cli_server (php_cli_server.c:2535)
==19806==    by 0x1EC975: main (php_cli.c:1350)
==19806== 
==19806== HEAP SUMMARY:
==19806==     in use at exit: 3,601,710 bytes in 28,437 blocks
==19806==   total heap usage: 40,253 allocs, 11,816 frees, 15,131,436 bytes allocated
==19806== 
==19806== LEAK SUMMARY:
==19806==    definitely lost: 0 bytes in 0 blocks
==19806==    indirectly lost: 0 bytes in 0 blocks
==19806==      possibly lost: 2,344,249 bytes in 17,155 blocks
==19806==    still reachable: 1,257,461 bytes in 11,282 blocks
==19806==         suppressed: 0 bytes in 0 blocks
==19806== Rerun with --leak-check=full to see details of leaked memory
==19806== 
==19806== For counts of detected and suppressed errors, rerun with: -v
==19806== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

[2017-07-30 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

[2017-11-22 10:21 UTC] itsekhmistro at adyax dot com

The issue is still active.
On the website Drupal 	7.56, Commerce, Discounts ( php 7.1.9, php 7.1.11 )

Current fix:  Disabling the Zend garbage collector solves the issue.
`ini_set('zend.enable_gc', 0);`

[2017-11-22 11:23 UTC] nikic@php.net

This bug report is about a crash in Drupal related to memcache. If you're encountering crashes in Drupal that are not related to memcache, please file a new report.

[2017-11-29 20:47 UTC] nmd dot matt at gmail dot com

The problem is not memcache, from what I have been able to reproduce this occurs when using Drupal Commerce and contributed modules in the ecosystem which rely heavily on classes provided by the Entity API module.

It provides a series of classes that wrap data structure pretty inefficiently. It causes a lot of object creation and triggers the garbage collector at least once (maybe even twice) in a request.

Really the problem is bad code in the `entity` module. So far disabling garbage collection has been the resolution.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Nov 26 03:01:31 2024 UTC