Bug #74543 SIGSEGV in _zend_hash_find_bucket with opcache enabled
Submitted: 2017-05-04 21:09 UTC
Modified: 2021-09-05 04:22 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: zinigor+php at gmail dot com
Assigned: cmb
Status: No Feedback
Package: opcache
PHP Version: 7.1.4
OS: Ubuntu 16.10
Private report: No
CVE-ID: None

 [2017-05-04 21:09 UTC] zinigor+php at gmail dot com
Description:
------------
I have a web server running PHP under FPM with PHP version 7.1.4-1+deb.sury.org~yakkety+1_amd64. Here is the full info if you're interested: http://dev71.lousy.site/info.php

I get a segfault in the same place when I enable opcache (default settings, nothing fancy). I'm running WordPress with Jetpack, and here's the line that causes the error:
https://github.com/Automattic/jetpack/blob/master/json-endpoints.php#L141

I don't know why, but if I remove that line completely, execution happens right until:
https://github.com/Automattic/jetpack/blob/master/json-endpoints.php#L612

where it segfaults again.

I have been trying to figure out a small script that would illustrate the problem, but I can't - I know what lines in the PHP code are the last to get executed, but I don't know why and I can't reproduce the same thing in an isolated file.

I have been able to get a stack trace with debug symbols, here it is:

Reading symbols from /usr/sbin/php-fpm7.1...Reading symbols from /usr/lib/debug/.build-id/6d/1b8d73ab820b0d911a4252da9febf10aa54f2d.debug...done.
done.
[New LWP 4945]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool www                                                            '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000564573545c0f in zend_hash_find_bucket (key=0x7fef4eab4f68, ht=0x7fef4d03fa00) at ./Zend/zend_hash.c:481
481	./Zend/zend_hash.c: No such file or directory.
(gdb) bt
#0  0x0000564573545c0f in zend_hash_find_bucket (key=0x7fef4eab4f68, ht=0x7fef4d03fa00) at ./Zend/zend_hash.c:481
#1  _zend_hash_add_or_update_i (flag=1, pData=0x7fef504bdd40, key=0x7fef4eab4f68, ht=0x7fef4d03fa00) at ./Zend/zend_hash.c:556
#2  _zend_hash_update (ht=0x7fef4d03fa00, key=0x7fef4eab4f68, pData=0x7fef504bdd40) at ./Zend/zend_hash.c:627
#3  0x0000564573581efc in ZEND_ADD_ARRAY_ELEMENT_SPEC_CONST_CONST_HANDLER () at ./Zend/zend_vm_execute.h:5886
#4  0x000056457358273b in execute_ex (ex=<optimized out>) at ./Zend/zend_vm_execute.h:429
#5  0x00005645735dd888 in zend_execute (op_array=op_array@entry=0x7fef5b279000, return_value=return_value@entry=0x7fef504d8cf0) at ./Zend/zend_vm_execute.h:474
#6  0x0000564573538b53 in zend_execute_scripts (type=1528907680, type@entry=8, retval=0x7fef504d8cf0, retval@entry=0x0, file_count=file_count@entry=3) at ./Zend/zend.c:1476
#7  0x00005645734d4ca0 in php_execute_script (primary_file=0x7fffce0ad610) at ./main/main.c:2537
#8  0x00005645733b1efa in main (argc=<optimized out>, argv=<optimized out>) at ./sapi/fpm/fpm/fpm_main.c:1966


Here's what it says about frame 0:

(gdb) frame 0
#0  0x0000564573545c0f in zend_hash_find_bucket (key=0x7fef4eab4f68, ht=0x7fef4d03fa00) at ./Zend/zend_hash.c:481
481	in ./Zend/zend_hash.c

Please let me know what more I can provide.

P.S. this looks kinda similar to https://bugs.php.net/bug.php?id=70428, but the stack trace is different, so I thought I'd create a new bug anyway. Sorry if it's a duplicate.

Test script:
---------------
None, but if you have a WordPress site installed, you can:
1. Install Jetpack.
2. Activate Jetpack by connecting to WordPress.com
3. Go to https://wordpress.com/settings/discussion/your.site.url.com

This is enough to trigger a request that fails with a segfault.


 [2018-07-02 13:03 UTC] zxsz4084 at 163 dot com
I found this error. Is there an official niubility man to respond to this issue?

cat /etc/redhat-release 
CentOS release 5.11 (Final)

uname -a
Linux V6_W_141_238 2.6.18-417.el5.centos.plus #1 SMP Tue Dec 20 19:37:45 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

php -v
PHP 7.1.2 (cli) (built: Jun 28 2018 18:44:22) ( NTS DEBUG )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.1.2, Copyright (c) 1999-2017, by Zend Technologies


grep SIGSEGV /data/logs/php-fpm.log
[02-Jul-2018 16:52:33] WARNING: [pool www] child 27861 exited on signal 11 (SIGSEGV - core dumped) after 1.044045 seconds from start


gdb php core.php-fpm.27861.1530521553
(gdb) bt
#0  0x00000000009f346b in zend_hash_find_bucket (ht=0x1413e50, key=0x2acdbc89ef50) at /root/softwares/php-7.1.2/Zend/zend_hash.c:484
#1  0x00000000009f7d65 in zend_hash_find (ht=0x1413e50, key=0x2acdbc89ef50) at /root/softwares/php-7.1.2/Zend/zend_hash.c:1959
#2  0x00000000009c9ce1 in zend_attach_symbol_table (execute_data=0x2acdb7615030) at /root/softwares/php-7.1.2/Zend/zend_execute_API.c:1579
#3  0x0000000000a3b7b3 in i_init_execute_data (execute_data=0x2acdb7615030, op_array=0x2acdb766b000, return_value=0x0) at /root/softwares/php-7.1.2/Zend/zend_execute.c:2223
#4  0x0000000000a3d895 in zend_execute (op_array=0x2acdb766b000, return_value=0x0) at /root/softwares/php-7.1.2/Zend/zend_vm_execute.h:473
#5  0x00000000009e078b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/softwares/php-7.1.2/Zend/zend.c:1475
#6  0x000000000094c6b5 in php_execute_script (primary_file=0x7fff1897deb0) at /root/softwares/php-7.1.2/main/main.c:2537
#7  0x0000000000add14c in ?? ()
#8  0x0000000000000000 in ?? ()
(gdb) frame 0
#0  0x00000000009f346b in zend_hash_find_bucket (ht=0x1413e50, key=0x2acdbc89ef50) at /root/softwares/php-7.1.2/Zend/zend_hash.c:484
484                     if (EXPECTED(p->key == key)) { /* check for the same interned string */




grep opcache /usr/local/php/lib/php.ini  |grep -v ";"

zend_extension=opcache.so
[opcache]
opcache.enable=1
opcache.memory_consumption=256
opcache.interned_strings_buffer=10
opcache.max_accelerated_files=10000
opcache.max_wasted_percentage=15
opcache.use_cwd=1
opcache.validate_timestamps=1
opcache.revalidate_freq =2
opcache.fast_shutdown=1
 [2021-08-24 13:58 UTC] cmb@php.net
-Status: Open
+Status: Feedback
-Package: FPM related
+Package: opcache
-Assigned To:
+Assigned To: cmb
 [2021-08-24 13:58 UTC] cmb@php.net
This looks like an OPcache issue.  Anyhow, is this still an issue
with any of the actively supported PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-09-05 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
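
Added example, not part of the original report or of PHP's own tooling: a small Python helper that parses gdb `bt` output and compares the two backtraces posted in this thread. It shows that both crashes fault in `zend_hash_find_bucket` but reach it from different callers (a hash update on 7.1.4, a symbol-table lookup on 7.1.2). The helper names `parse_bt` and `compare` are hypothetical.

```python
import os
import re

# One gdb `bt` frame: "#N  [0xADDR in ]func (args)[ at file:line]"
FRAME_RE = re.compile(
    r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \(.*\)(?: at (\S+):(\d+))?\s*$"
)

def parse_bt(text):
    """Return [(func, source_basename, line)] for each frame, innermost first."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m or m.group(2) == "??":   # skip non-frame lines and unresolved frames
            continue
        # Basename only, so different build roots compare equal.
        src = os.path.basename(m.group(3)) if m.group(3) else None
        frames.append((m.group(2), src, int(m.group(4)) if m.group(4) else None))
    return frames

def compare(bt_a, bt_b):
    """Return (shared innermost functions, first differing caller in A, in B)."""
    funcs_a = [f[0] for f in parse_bt(bt_a)]
    funcs_b = [f[0] for f in parse_bt(bt_b)]
    n = 0
    while n < min(len(funcs_a), len(funcs_b)) and funcs_a[n] == funcs_b[n]:
        n += 1
    caller_a = funcs_a[n] if n < len(funcs_a) else None
    caller_b = funcs_b[n] if n < len(funcs_b) else None
    return funcs_a[:n], caller_a, caller_b

# Innermost frames copied from the two backtraces in this report.
BT_7_1_4 = """\
#0  0x0000564573545c0f in zend_hash_find_bucket (key=0x7fef4eab4f68, ht=0x7fef4d03fa00) at ./Zend/zend_hash.c:481
#1  _zend_hash_add_or_update_i (flag=1, pData=0x7fef504bdd40, key=0x7fef4eab4f68, ht=0x7fef4d03fa00) at ./Zend/zend_hash.c:556
#2  _zend_hash_update (ht=0x7fef4d03fa00, key=0x7fef4eab4f68, pData=0x7fef504bdd40) at ./Zend/zend_hash.c:627
"""
BT_7_1_2 = """\
#0  0x00000000009f346b in zend_hash_find_bucket (ht=0x1413e50, key=0x2acdbc89ef50) at /root/softwares/php-7.1.2/Zend/zend_hash.c:484
#1  0x00000000009f7d65 in zend_hash_find (ht=0x1413e50, key=0x2acdbc89ef50) at /root/softwares/php-7.1.2/Zend/zend_hash.c:1959
#2  0x00000000009c9ce1 in zend_attach_symbol_table (execute_data=0x2acdb7615030) at /root/softwares/php-7.1.2/Zend/zend_execute_API.c:1579
"""

if __name__ == "__main__":
    shared, a, b = compare(BT_7_1_4, BT_7_1_2)
    print("shared crash site:", shared)
    print("first differing callers:", a, "vs", b)
```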
Last updated: Mon Oct 18 08:03:34 2021 UTC