Bug #76518 segfault when opcache enabled + extensions like apcu/imagick
Submitted: 2018-06-22 09:51 UTC Modified: 2018-06-22 17:23 UTC
Votes:10
Avg. Score:4.6 ± 0.7
Reproduced:8 of 8 (100.0%)
Same Version:4 (50.0%)
Same OS:3 (37.5%)
From: lists at iezzi dot ch Assigned:
Status: Open Package: opcache
PHP Version: 7.2.7 OS: Linux (Debian Stretch)
Private report: No CVE-ID: None

 [2018-06-22 09:51 UTC] lists at iezzi dot ch
Description:
------------
I am getting the following segfaults in syslog:

```
php-fpm[15221]: [WARNING] [pool web447-php72] child 24117 exited on signal 11 (SIGSEGV - core dumped) after 11.003968 seconds from start
```

This only seems to happen on fpm pools with both OPcache enabled and either one of the PECL apcu 5.1.11 (http://pecl.php.net/package/APCu) or imagick 3.4.3 (http://pecl.php.net/package/imagick) extensions.

The problem does not seem to be directly related to these extensions. It looks more like #76337 (https://bugs.php.net/bug.php?id=76337) is not fully fixed in PHP 7.2.7.

Such segfaults don't occur on the latest PHP 7.0 / 7.1, only on PHP 7.2 (all compiled from sources).

gdb backtrace:

```
$ gdb /opt/php/php72/sbin/php-fpm /tmp/coredump-php-fpm.24117
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /opt/php/php72/sbin/php-fpm...done.
[New LWP 24117]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool web447-php72                                                    '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  zend_string_release (s=0x0) at /usr/src/php-7.2.7/Zend/zend_string.h:289
289		if (!ZSTR_IS_INTERNED(s)) {

(gdb) bt
#0  zend_string_release (s=0x0) at /usr/src/php-7.2.7/Zend/zend_string.h:289
#1  destroy_zend_class (zv=<optimized out>) at /usr/src/php-7.2.7/Zend/zend_opcode.c:334
#2  0x000055af43e9c586 in zend_hash_destroy (ht=0x55af45461160) at /usr/src/php-7.2.7/Zend/zend_hash.c:1245
#3  0x000055af43e8b8f1 in zend_shutdown () at /usr/src/php-7.2.7/Zend/zend.c:911
#4  0x000055af43e2a5fb in php_module_shutdown () at /usr/src/php-7.2.7/main/main.c:2453
#5  0x000055af43a0835e in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/php-7.2.7/sapi/fpm/fpm/fpm_main.c:2020


(gdb) frame 5
#5  0x000055af43a0835e in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/php-7.2.7/sapi/fpm/fpm/fpm_main.c:2020
2020		php_module_shutdown();
(gdb) frame 4
#4  0x000055af43e2a5fb in php_module_shutdown () at /usr/src/php-7.2.7/main/main.c:2453
2453		zend_shutdown();
(gdb) frame 3
#3  0x000055af43e8b8f1 in zend_shutdown () at /usr/src/php-7.2.7/Zend/zend.c:911
911		zend_hash_destroy(GLOBAL_CLASS_TABLE);
(gdb) frame 2
#2  0x000055af43e9c586 in zend_hash_destroy (ht=0x55af45461160) at /usr/src/php-7.2.7/Zend/zend_hash.c:1245
1245						ht->pDestructor(&p->val);
(gdb) frame 1
#1  destroy_zend_class (zv=<optimized out>) at /usr/src/php-7.2.7/Zend/zend_opcode.c:334
334				zend_string_release(ce->name);
```



 [2018-06-22 17:23 UTC] nikic@php.net
Can you please set opcache.protect_memory=1 and see if this changes the crash location?

ce->name should never be NULL, so I'm assuming something is corrupting SHM.
 [2018-07-01 18:03 UTC] lists at iezzi dot ch
I am providing two more coredumps. Both under PHP 7.2.7 with the opcache AND imagick extensions enabled. Segfaults only happen if both opcache and an additional extension like opcache/apcu/excel are enabled, not if only opcache is enabled.

First coredump without setting `opcache.protect_memory=1`:


```
$ gdb /opt/php/php72/sbin/php-fpm /root/php-fpm-coredumps/coredump-php-fpm-11-4447-4447-6046-1530452704
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
(...)
Reading symbols from /opt/php/php72/sbin/php-fpm...done.
[New LWP 6046]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool web447-php72                                                    '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  zend_string_release (s=0x0) at /usr/src/php-7.2.7/Zend/zend_string.h:289
289		if (!ZSTR_IS_INTERNED(s)) {

(gdb) bt
#0  zend_string_release (s=0x0) at /usr/src/php-7.2.7/Zend/zend_string.h:289
#1  destroy_zend_class (zv=<optimized out>) at /usr/src/php-7.2.7/Zend/zend_opcode.c:334
#2  0x0000562db874f586 in zend_hash_destroy (ht=0x562db9883160) at /usr/src/php-7.2.7/Zend/zend_hash.c:1245
#3  0x0000562db873e8f1 in zend_shutdown () at /usr/src/php-7.2.7/Zend/zend.c:911
#4  0x0000562db86dd5fb in php_module_shutdown () at /usr/src/php-7.2.7/main/main.c:2453
#5  0x0000562db82bb35e in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/php-7.2.7/sapi/fpm/fpm/fpm_main.c:2020

(gdb) bt full
#0  zend_string_release (s=0x0) at /usr/src/php-7.2.7/Zend/zend_string.h:289
No locals.
#1  destroy_zend_class (zv=<optimized out>) at /usr/src/php-7.2.7/Zend/zend_opcode.c:334
        prop_info = <optimized out>
        ce = 0x562dba494220
        fn = <optimized out>
#2  0x0000562db874f586 in zend_hash_destroy (ht=0x562db9883160) at /usr/src/php-7.2.7/Zend/zend_hash.c:1245
        p = 0x562db98eedd0
        end = 0x562db98eef10
#3  0x0000562db873e8f1 in zend_shutdown () at /usr/src/php-7.2.7/Zend/zend.c:911
No locals.
#4  0x0000562db86dd5fb in php_module_shutdown () at /usr/src/php-7.2.7/main/main.c:2453
No locals.
#5  0x0000562db82bb35e in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/php-7.2.7/sapi/fpm/fpm/fpm_main.c:2020
        exit_status = 0
        c = <optimized out>
        use_extended_info = <optimized out>
        file_handle = {handle = {fd = 1573298176, fp = 0x7f2a5dc6a000, stream = {handle = 0x7f2a5dc6a000, isatty = 0, mmap = {len = 418, pos = 0, map = 0x0, buf = 0x7f2a6984b000 <error: Cannot access memory at address 0x7f2a6984b000>, 
                old_handle = 0x0, old_closer = 0x0}, reader = 0x562db86f3f00 <_php_stream_read>, fsizer = 0x562db86db3e0 <php_zend_stream_fsizer>, closer = 0x562db86db3c0 <php_zend_stream_mmap_closer>}}, 
          filename = 0x7f2a5dc02000 "( \300]*\177", opened_path = 0x0, type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        orig_optind = <optimized out>
        orig_optarg = <optimized out>
        ini_entries_len = <optimized out>
        max_requests = 0
        requests = <optimized out>
        fcgi_fd = <optimized out>
        request = <optimized out>
        fpm_config = <optimized out>
        fpm_prefix = <optimized out>
        fpm_pid = <optimized out>
        test_conf = <optimized out>
        force_daemon = <optimized out>
        force_stderr = <optimized out>
        php_information = <optimized out>
        php_allow_to_run_as_root = <optimized out>
        __func__ = "main"
```

Second coredump with `opcache.protect_memory=1` enabled:

```
$ gdb /opt/php/php72/sbin/php-fpm /root/php-fpm-coredumps/coredump-php-fpm-11-4447-4447-18124-1530467520
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
(...)
Reading symbols from /opt/php/php72/sbin/php-fpm...done.
[New LWP 18124]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool web447-php72                                                    '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  zend_string_release (s=0x0) at /usr/src/php-7.2.7/Zend/zend_string.h:289
289		if (!ZSTR_IS_INTERNED(s)) {

(gdb) bt
#0  zend_string_release (s=0x0) at /usr/src/php-7.2.7/Zend/zend_string.h:289
#1  destroy_zend_class (zv=<optimized out>) at /usr/src/php-7.2.7/Zend/zend_opcode.c:334
#2  0x00005625787fb586 in zend_hash_destroy (ht=0x56257976f160) at /usr/src/php-7.2.7/Zend/zend_hash.c:1245
#3  0x00005625787ea8f1 in zend_shutdown () at /usr/src/php-7.2.7/Zend/zend.c:911
#4  0x00005625787895fb in php_module_shutdown () at /usr/src/php-7.2.7/main/main.c:2453
#5  0x000056257836735e in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/php-7.2.7/sapi/fpm/fpm/fpm_main.c:2020

(gdb) bt full
#0  zend_string_release (s=0x0) at /usr/src/php-7.2.7/Zend/zend_string.h:289
No locals.
#1  destroy_zend_class (zv=<optimized out>) at /usr/src/php-7.2.7/Zend/zend_opcode.c:334
        prop_info = <optimized out>
        ce = 0x56257a380010
        fn = <optimized out>
#2  0x00005625787fb586 in zend_hash_destroy (ht=0x56257976f160) at /usr/src/php-7.2.7/Zend/zend_hash.c:1245
        p = 0x5625797dadd0
        end = 0x5625797daf10
#3  0x00005625787ea8f1 in zend_shutdown () at /usr/src/php-7.2.7/Zend/zend.c:911
No locals.
#4  0x00005625787895fb in php_module_shutdown () at /usr/src/php-7.2.7/main/main.c:2453
No locals.
#5  0x000056257836735e in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/php-7.2.7/sapi/fpm/fpm/fpm_main.c:2020
        exit_status = 0
        c = <optimized out>
        use_extended_info = <optimized out>
        file_handle = {handle = {fd = 434544640, fp = 0x7fba19e6a000, stream = {handle = 0x7fba19e6a000, isatty = 0, mmap = {len = 418, pos = 0, map = 0x0, buf = 0x7fba25a70000 <error: Cannot access memory at address 0x7fba25a70000>, 
                old_handle = 0x0, old_closer = 0x0}, reader = 0x56257879ff00 <_php_stream_read>, fsizer = 0x5625787873e0 <php_zend_stream_fsizer>, closer = 0x5625787873c0 <php_zend_stream_mmap_closer>}}, 
          filename = 0x7fba19e06000 "P`\340\031\272\177", opened_path = 0x0, type = ZEND_HANDLE_MAPPED, free_filename = 0 '\000'}
        orig_optind = <optimized out>
        orig_optarg = <optimized out>
        ini_entries_len = <optimized out>
        max_requests = 0
        requests = <optimized out>
        fcgi_fd = <optimized out>
        request = <optimized out>
        fpm_config = <optimized out>
        fpm_prefix = <optimized out>
        fpm_pid = <optimized out>
        test_conf = <optimized out>
        force_daemon = <optimized out>
        force_stderr = <optimized out>
        php_information = <optimized out>
        php_allow_to_run_as_root = <optimized out>
        __func__ = "main"
```
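
The reasoning behind the `opcache.protect_memory=1` request in this thread, as an added example that is not part of the original report or of PHP's code: when a region is write-protected, a stray write faults at the instruction that performs it, instead of surfacing later as a NULL `name` during shutdown. Linux is assumed; `demo_class`, `stray_write` and `stray_write_faults` are hypothetical names, and `mprotect(2)` on an anonymous shared mapping stands in for OPcache's shared memory.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical stand-in for a class entry kept in SHM (not zend_class_entry). */
struct demo_class { const char *volatile name; };

static sigjmp_buf fault_jmp;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* Simulated bug: some code clears the name through a stale pointer. */
static void stray_write(struct demo_class *ce) { ce->name = NULL; }

/* Returns 1 if the stray write faulted at the write itself, 0 if it went
 * through silently, -1 on setup error. *name_lost reports whether the
 * entry's name is NULL afterwards (what a later destructor would trip over). */
int stray_write_faults(int protect, int *name_lost)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    struct demo_class *ce = mmap(NULL, len, PROT_READ | PROT_WRITE,
                                 MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (ce == MAP_FAILED) return -1;
    ce->name = "DemoClass";
    /* Model of write-protecting the region outside legitimate updates. */
    if (protect && mprotect(ce, len, PROT_READ) != 0) { munmap(ce, len); return -1; }
    struct sigaction sa, old;
    sa.sa_handler = on_segv;
    sa.sa_flags = 0;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    int faulted;
    if (sigsetjmp(fault_jmp, 1) == 0) { stray_write(ce); faulted = 0; }
    else                              { faulted = 1; }  /* handler jumped back */
    sigaction(SIGSEGV, &old, NULL);
    *name_lost = (ce->name == NULL);
    munmap(ce, len);
    return faulted;
}

int main(void)
{
    int lost = -1, f = stray_write_faults(0, &lost);
    printf("unprotected: faulted=%d name_lost=%d\n", f, lost);
    f = stray_write_faults(1, &lost);
    printf("protected:   faulted=%d name_lost=%d\n", f, lost);
}
```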
 
Last updated: Tue Jun 25 22:01:26 2019 UTC