Bug #74543 SIGSEGV in _zend_hash_find_bucket with opcache enabled
Submitted: 2017-05-04 21:09 UTC Modified: -
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: zinigor+php at gmail dot com Assigned:
Status: Open Package: FPM related
PHP Version: 7.1.4 OS: Ubuntu 16.10
Private report: No CVE-ID: None
 [2017-05-04 21:09 UTC] zinigor+php at gmail dot com
Description:
------------
I have a web server running PHP under FPM with PHP version 7.1.4-1+deb.sury.org~yakkety+1_amd64. Here is the full info if you're interested: http://dev71.lousy.site/info.php

I get a segfault in the same place when I enable opcache (default settings, nothing fancy). I'm running WordPress with Jetpack, and here's the line that causes the error:
https://github.com/Automattic/jetpack/blob/master/json-endpoints.php#L141

I don't know why, but if I remove that line completely, execution happens right until:
https://github.com/Automattic/jetpack/blob/master/json-endpoints.php#L612

where it segfaults again.

I have been trying to figure out a small script that would illustrate the problem, but I can't - I know what lines in the PHP code are the last to get executed, but I don't know why and I can't reproduce the same thing in an isolated file.

I have been able to get a stack trace with debug symbols, here it is:

Reading symbols from /usr/sbin/php-fpm7.1...Reading symbols from /usr/lib/debug/.build-id/6d/1b8d73ab820b0d911a4252da9febf10aa54f2d.debug...done.
done.
[New LWP 4945]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool www                                                            '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000564573545c0f in zend_hash_find_bucket (key=0x7fef4eab4f68, ht=0x7fef4d03fa00) at ./Zend/zend_hash.c:481
481	./Zend/zend_hash.c: No such file or directory.
(gdb) bt
#0  0x0000564573545c0f in zend_hash_find_bucket (key=0x7fef4eab4f68, ht=0x7fef4d03fa00) at ./Zend/zend_hash.c:481
#1  _zend_hash_add_or_update_i (flag=1, pData=0x7fef504bdd40, key=0x7fef4eab4f68, ht=0x7fef4d03fa00) at ./Zend/zend_hash.c:556
#2  _zend_hash_update (ht=0x7fef4d03fa00, key=0x7fef4eab4f68, pData=0x7fef504bdd40) at ./Zend/zend_hash.c:627
#3  0x0000564573581efc in ZEND_ADD_ARRAY_ELEMENT_SPEC_CONST_CONST_HANDLER () at ./Zend/zend_vm_execute.h:5886
#4  0x000056457358273b in execute_ex (ex=<optimized out>) at ./Zend/zend_vm_execute.h:429
#5  0x00005645735dd888 in zend_execute (op_array=op_array@entry=0x7fef5b279000, return_value=return_value@entry=0x7fef504d8cf0) at ./Zend/zend_vm_execute.h:474
#6  0x0000564573538b53 in zend_execute_scripts (type=1528907680, type@entry=8, retval=0x7fef504d8cf0, retval@entry=0x0, file_count=file_count@entry=3) at ./Zend/zend.c:1476
#7  0x00005645734d4ca0 in php_execute_script (primary_file=0x7fffce0ad610) at ./main/main.c:2537
#8  0x00005645733b1efa in main (argc=<optimized out>, argv=<optimized out>) at ./sapi/fpm/fpm/fpm_main.c:1966


Here's what it says about frame 0:

(gdb) frame 0
#0  0x0000564573545c0f in zend_hash_find_bucket (key=0x7fef4eab4f68, ht=0x7fef4d03fa00) at ./Zend/zend_hash.c:481
481	in ./Zend/zend_hash.c

Please let me know what more I can provide.

P.S. This looks kinda similar to https://bugs.php.net/bug.php?id=70428, but the stack trace is different, so I thought I'd create a new bug anyway. Sorry if it's a duplicate.

Test script:
---------------
None, but if you have a WordPress site installed, you can:
1. Install Jetpack.
2. Activate Jetpack by connecting to WordPress.com
3. Go to https://wordpress.com/settings/discussion/your.site.url.com

This is enough to trigger a request that fails with a segfault.


History

 [2018-07-02 13:03 UTC] zxsz4084 at 163 dot com
I found this error. Is there an official niubility man to respond to this issue?

cat /etc/redhat-release 
CentOS release 5.11 (Final)

uname -a
Linux V6_W_141_238 2.6.18-417.el5.centos.plus #1 SMP Tue Dec 20 19:37:45 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

php -v
PHP 7.1.2 (cli) (built: Jun 28 2018 18:44:22) ( NTS DEBUG )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.1.2, Copyright (c) 1999-2017, by Zend Technologies


grep SIGSEGV /data/logs/php-fpm.log
[02-Jul-2018 16:52:33] WARNING: [pool www] child 27861 exited on signal 11 (SIGSEGV - core dumped) after 1.044045 seconds from start


gdb php core.php-fpm.27861.1530521553
(gdb) bt
#0  0x00000000009f346b in zend_hash_find_bucket (ht=0x1413e50, key=0x2acdbc89ef50) at /root/softwares/php-7.1.2/Zend/zend_hash.c:484
#1  0x00000000009f7d65 in zend_hash_find (ht=0x1413e50, key=0x2acdbc89ef50) at /root/softwares/php-7.1.2/Zend/zend_hash.c:1959
#2  0x00000000009c9ce1 in zend_attach_symbol_table (execute_data=0x2acdb7615030) at /root/softwares/php-7.1.2/Zend/zend_execute_API.c:1579
#3  0x0000000000a3b7b3 in i_init_execute_data (execute_data=0x2acdb7615030, op_array=0x2acdb766b000, return_value=0x0) at /root/softwares/php-7.1.2/Zend/zend_execute.c:2223
#4  0x0000000000a3d895 in zend_execute (op_array=0x2acdb766b000, return_value=0x0) at /root/softwares/php-7.1.2/Zend/zend_vm_execute.h:473
#5  0x00000000009e078b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/softwares/php-7.1.2/Zend/zend.c:1475
#6  0x000000000094c6b5 in php_execute_script (primary_file=0x7fff1897deb0) at /root/softwares/php-7.1.2/main/main.c:2537
#7  0x0000000000add14c in ?? ()
#8  0x0000000000000000 in ?? ()
(gdb) frame 0
#0  0x00000000009f346b in zend_hash_find_bucket (ht=0x1413e50, key=0x2acdbc89ef50) at /root/softwares/php-7.1.2/Zend/zend_hash.c:484
484                     if (EXPECTED(p->key == key)) { /* check for the same interned string */




grep opcache /usr/local/php/lib/php.ini  |grep -v ";"

zend_extension=opcache.so
[opcache]
opcache.enable=1
opcache.memory_consumption=256
opcache.interned_strings_buffer=10
opcache.max_accelerated_files=10000
opcache.max_wasted_percentage=15
opcache.use_cwd=1
opcache.validate_timestamps=1
opcache.revalidate_freq =2
opcache.fast_shutdown=1
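The comment above shows the manual procedure: grep the php-fpm log for SIGSEGV worker exits, find the matching core file, open it in gdb. The script below is an added example, not code from the bug report or from the PHP project. It reads the log-line format shown above with POSIX awk, reports every worker that died on signal 11 (and whether FPM says a core was written), and locates the core file for a given worker pid. It assumes the kernel core_pattern is `core.%e.%p.%t`, which is consistent with the file name `core.php-fpm.27861.1530521553` in the comment; the sample log lines are constructed, the first being the line from the report.

```shell
#!/bin/sh
# Added example (not from the bug report or the PHP project): detect php-fpm
# worker segfaults in the FPM log and find the matching core dump.

# Constructed sample log lines; the first one is the line quoted in the report.
SAMPLE_LOG='[02-Jul-2018 16:52:33] WARNING: [pool www] child 27861 exited on signal 11 (SIGSEGV - core dumped) after 1.044045 seconds from start
[02-Jul-2018 16:52:34] NOTICE: [pool www] child 27862 started
[02-Jul-2018 16:53:01] WARNING: [pool api] child 27870 exited on signal 11 (SIGSEGV) after 12.5 seconds from start
[02-Jul-2018 16:53:05] WARNING: [pool www] child 27875 exited with code 0 after 3.1 seconds from start'

# fpm_segfaults: read FPM log lines on stdin and print "pool pid dumped seconds"
# for every child that exited on SIGSEGV. "dumped" is yes/no depending on
# whether FPM reported "core dumped"; a "no" means there is nothing for gdb.
fpm_segfaults() {
    awk '
    /exited on signal 11/ {
        pool = $5; sub(/]$/, "", pool)          # "[pool www]" -> "www"
        pid = $7                                # "child 27861" -> "27861"
        dumped = ($0 ~ /core dumped/) ? "yes" : "no"
        secs = "?"
        for (i = 1; i <= NF; i++) if ($i == "after") secs = $(i + 1)
        print pool, pid, dumped, secs
    }'
}

# count_segfaults: number of SIGSEGV worker exits on stdin (handy for alerting
# when the count for a log window is non-zero).
count_segfaults() {
    awk '/exited on signal 11/ { n++ } END { print n + 0 }'
}

# find_core DIR PID: print the core file written for worker PID, assuming the
# kernel core_pattern "core.%e.%p.%t" (executable name, pid, timestamp).
# Returns 1 when no core exists, i.e. core dumps are disabled or size-limited.
find_core() {
    for f in "$1"/core.*."$2".*; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | fpm_segfaults
```

With a real log, `fpm_segfaults < /data/logs/php-fpm.log` lists the crashed workers; the pid from a "yes" row goes into `find_core /path/to/cores PID`, and the resulting file can be opened non-interactively with `gdb -q -batch -ex bt /usr/sbin/php-fpm7.1 CORE` to check whether frame 0 is again the interned-string comparison in `zend_hash_find_bucket` seen in both traces on this page. Workers that died without a core ("no") point at `rlimit_core` in the pool config or the system core limit, which is the usual reason a crash like this stays undiagnosed.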
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Dec 04 02:01:23 2020 UTC