php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76405 Process lsphp-7.1 of user killed by SIGSEGV
Submitted: 2018-06-02 06:35 UTC Modified: 2018-06-24 04:25 UTC
From: alexey at nsk21 dot ru Assigned:
Status: No Feedback Package: CGI/CLI related
PHP Version: 7.1.18 OS: CentOS Linux release 7.5.1804 (C
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: alexey at nsk21 dot ru
New email:
PHP Version: OS:

 

 [2018-06-02 06:35 UTC] alexey at nsk21 dot ru
Description:
------------
PHP crashes randomly during running WordPress crontask:

reason:         lsphp-7.1 killed by SIGSEGV
cmdline:        lsphp5: ..skipped.. ./wp-cron.php

PHP 7.1.18 (cli) (built: May 31 2018 17:47:26) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies
    with the ionCube PHP Loader (enabled) + Intrusion Protection from ioncube24.com (unconfigured) v10.2.1, Copyright (c) 2002-2018, by ionCube Ltd.
    with Zend OPcache v7.1.18, Copyright (c) 1999-2018, by Zend Technologies


Test script:
---------------
It's a regular WordPress wp-cron.php file.


Expected result:
----------------
Crontask complete without crash.

Actual result:
--------------
Program terminated with signal 11, Segmentation fault.
#0  0x00007fa300df3c60 in ?? ()
(gdb) bt
#0  0x00007fa300df3c60 in ?? ()
#1  0x00007ffd9c11a310 in ?? ()
#2  0x000000000076ce58 in process_nested_data (rval=<optimized out>, objprops=0, elements=140727221855168, ht=0x7ffd9c11a420, var_hash=0x7fa2d61fffff,
    max=0x7fa300e1d000 "", p=0x7fa2d6dc85a6) at /usr/local/directadmin/custombuild/php-7.1.18/ext/standard/var_unserializer.c:376
#3  php_var_unserialize_internal (rval=<optimized out>, p=0x7fa2d6dc85a6, max=0x7fa300e1d000 "", var_hash=0x7fa2d61fffff)
    at /usr/local/directadmin/custombuild/php-7.1.18/ext/standard/var_unserializer.c:1330
#4  0x00002000f7a755ac in ?? ()
#5  0x0000010e00000022 in ?? ()
#6  0x00007fa2d6dc8498 in ?? ()
#7  0x0000000003437300 in ?? ()
#8  0x00000000032064d0 in ?? ()
#9  0x0000000003091520 in ?? ()
#10 0x00007fa2d6dc84ba in ?? ()
#11 0x00007fa2d6dc8498 in ?? ()
#12 0x00007fa2d6dc85a6 in ?? ()
#13 0x00007ffd9c11a6c0 in ?? ()
#14 0x00000000008acd8f in zend_verify_arg_type (cache_slot=<optimized out>, default_value=0x0, arg=<optimized out>, arg_num=16, zf=0x7fa200000000)
    at /usr/local/directadmin/custombuild/php-7.1.18/Zend/zend_execute.c:958
#15 ZEND_RECV_SPEC_HANDLER () at /usr/local/directadmin/custombuild/php-7.1.18/Zend/zend_vm_execute.h:1470
#16 0x00007ffd9c11a6c0 in ?? ()
#17 0x0000000000000004 in ?? ()
#18 0x00002000f7a1a350 in ?? ()
#19 0x0000010e00000022 in ?? ()
#20 0x00007fa2d6dc8498 in ?? ()
#21 0x000000000323d7c0 in ?? ()
#22 0x00000000032064d0 in ?? ()
#23 0x00007fa2f7a1a190 in ?? ()
#24 0x000000000074bee8 in php_strspn (s1=0x7ffd9c11a3c0 " \025\t\003", s2=0x7fa300e15008 "\034Q\247\367\242\177", s1_end=0x10 <Address 0x10 out of bounds>,
    s2_end=0xffffffffff46fbf7 <Address 0xffffffffff46fbf7 out of bounds>) at /usr/local/directadmin/custombuild/php-7.1.18/ext/standard/string.c:1757
#25 0x00007fa2f7a1a190 in ?? ()
#26 0x00007fa2d7f5dd20 in ?? ()
#27 0x00007ffd9c11a660 in ?? ()
#28 0x000000000085af5b in ZEND_ADD_ARRAY_ELEMENT_SPEC_TMP_CONST_HANDLER () at /usr/local/directadmin/custombuild/php-7.1.18/Zend/zend_vm_execute.h:13752
#29 0x00007fa2d6d9bbc0 in ?? ()
#30 0x00007fa2d6d9bba0 in ?? ()
#31 0x000000000082630e in _zend_hash_del_el_ex (prev=0x2000, p=0x1377, idx=14766088, ht=0x7ffd9c11a400)
    at /usr/local/directadmin/custombuild/php-7.1.18/Zend/zend_hash.c:969
#32 zend_hash_str_del_ind (ht=0x7ffd9c11a400, str=0x7fa2000f4240 <Address 0x7fa2000f4240 out of bounds>, len=140338040721974)
    at /usr/local/directadmin/custombuild/php-7.1.18/Zend/zend_hash.c:1144
#33 0x00007fa2f783edf3 in ?? ()
#34 0x000000019c11a870 in ?? ()
#35 0x0000000000000000 in ?? ()
(gdb)
(gdb)
(gdb) frame 2
#2  0x000000000076ce58 in process_nested_data (rval=<optimized out>, objprops=0, elements=140727221855168, ht=0x7ffd9c11a420, var_hash=0x7fa2d61fffff,
    max=0x7fa300e1d000 "", p=0x7fa2d6dc85a6) at /usr/local/directadmin/custombuild/php-7.1.18/ext/standard/var_unserializer.c:376
376             while (elements-- > 0) {
(gdb)
(gdb) frame 3
#3  php_var_unserialize_internal (rval=<optimized out>, p=0x7fa2d6dc85a6, max=0x7fa300e1d000 "", var_hash=0x7fa2d61fffff)
    at /usr/local/directadmin/custombuild/php-7.1.18/ext/standard/var_unserializer.c:1330
1330            if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_ARRVAL_P(rval), elements, 0)) {
(gdb)
(gdb) frame 14
#14 0x00000000008acd8f in zend_verify_arg_type (cache_slot=<optimized out>, default_value=0x0, arg=<optimized out>, arg_num=16, zf=0x7fa200000000)
    at /usr/local/directadmin/custombuild/php-7.1.18/Zend/zend_execute.c:958
958             if (UNEXPECTED(!zend_check_type(zf, cur_arg_info, arg, &ce, cache_slot, default_value, 0))) {
(gdb)
(gdb) frame 24
#24 0x000000000074bee8 in php_strspn (s1=0x7ffd9c11a3c0 " \025\t\003", s2=0x7fa300e15008 "\034Q\247\367\242\177", s1_end=0x10 <Address 0x10 out of bounds>,
    s2_end=0xffffffffff46fbf7 <Address 0xffffffffff46fbf7 out of bounds>) at /usr/local/directadmin/custombuild/php-7.1.18/ext/standard/string.c:1757
1757            for (spanp = s2; p != s1_end && spanp != s2_end;) {
(gdb) frame 28
#28 0x000000000085af5b in ZEND_ADD_ARRAY_ELEMENT_SPEC_TMP_CONST_HANDLER () at /usr/local/directadmin/custombuild/php-7.1.18/Zend/zend_vm_execute.h:13752
13752                   } else if (Z_TYPE_P(offset) == IS_TRUE) {
(gdb)
(gdb) frame 30
#30 0x00007fa2d6d9bba0 in ?? ()
(gdb)
(gdb) frame 31
#31 0x000000000082630e in _zend_hash_del_el_ex (prev=0x2000, p=0x1377, idx=14766088, ht=0x7ffd9c11a400)
    at /usr/local/directadmin/custombuild/php-7.1.18/Zend/zend_hash.c:969
969                     } while (ht->nNumUsed > 0 && (UNEXPECTED(Z_TYPE(ht->arData[ht->nNumUsed-1].val) == IS_UNDEF)));
(gdb)
(gdb) frame 32
#32 zend_hash_str_del_ind (ht=0x7ffd9c11a400, str=0x7fa2000f4240 <Address 0x7fa2000f4240 out of bounds>, len=140338040721974)
    at /usr/local/directadmin/custombuild/php-7.1.18/Zend/zend_hash.c:1144
1144                                    _zend_hash_del_el_ex(ht, idx, p, prev);
(gdb) q


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-06-02 09:08 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2018-06-02 09:08 UTC] requinix@php.net
Lots of question marks in that backtrace...

What about with ionCube disabled?
 [2018-06-06 16:40 UTC] alexey at nsk21 dot ru
Hello,

Crashed under PHP 7.0.30 without ionCube too:


Reading symbols from /usr/local/php70/bin/lsphp70...done.
[New LWP 30602]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `lsphp70:ly/domains/sovital.at'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f4833467598 in ?? ()
(gdb)
(gdb)
(gdb) bt
#0  0x00007f4833467598 in ?? ()
#1  0x0000000000000000 in ?? ()
(gdb)
#0  0x00007f4833467598 in ?? ()
#1  0x0000000000000000 in ?? ()
(gdb) frame 0
#0  0x00007f4833467598 in ?? ()
(gdb) frame 1
#1  0x0000000000000000 in ?? ()
(gdb) quit
[root@good ccpp-2018-06-06-17:51:25-30602]# /usr/local/php70/bin/lsphp70 -v
PHP 7.0.30 (litespeed) (built: May 15 2018 10:19:23)
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.30, Copyright (c) 1999-2017, by Zend Technologies
[root@good ccpp-2018-06-06-17:51:25-30602]#


Kindly advice.

Regards,
Alex.
 [2018-06-24 04:25 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Fri Aug 19 09:05:50 2022 UTC