Debug logs from a similar incident

[10-Jul-2018 17:17:29.169525] NOTICE: pid 32007, fpm_sockets_init_main(), line 349: using inherited socket fd=37, "/run/php/php7.0-fpm.sock"
[10-Jul-2018 17:17:29.169525] NOTICE: pid 32007, fpm_sockets_init_main(), line 349: using inherited socket fd=37, "/run/php/php7.0-fpm.sock"
[10-Jul-2018 17:17:29.171013] DEBUG: pid 32007, fpm_event_init_main(), line 342: event module is epoll and 301 fds have been reserved
[10-Jul-2018 17:17:29.171170] NOTICE: pid 32007, fpm_init(), line 85: fpm is running, pid 32007
[10-Jul-2018 17:17:29.171538] DEBUG: pid 32007, fpm_children_make(), line 421: [pool www] child 32047 started
[10-Jul-2018 17:17:29.171768] DEBUG: pid 32007, fpm_children_make(), line 421: [pool www] child 32048 started
[10-Jul-2018 17:17:29.171831] DEBUG: pid 32007, fpm_event_loop(), line 371: 186000 bytes have been reserved in SHM
[10-Jul-2018 17:17:29.171871] NOTICE: pid 32007, fpm_event_loop(), line 372: ready to handle connections
[10-Jul-2018 17:17:29.174339] DEBUG: pid 32007, fpm_systemd_heartbeat(), line 68: have notify start to systemd
[10-Jul-2018 17:17:29.174535] NOTICE: pid 32007, fpm_systemd_heartbeat(), line 75: systemd monitor interval set to 10000ms
[10-Jul-2018 17:17:29.174628] DEBUG: pid 32007, fpm_got_signal(), line 112: received SIGUSR2
[10-Jul-2018 17:17:29.174681] NOTICE: pid 32007, fpm_got_signal(), line 113: Reloading in progress ...
[10-Jul-2018 17:17:29.174732] DEBUG: pid 32007, fpm_pctl(), line 234: switching to 'reloading' state
[10-Jul-2018 17:17:29.174790] DEBUG: pid 32007, fpm_pctl_kill_all(), line 162: [pool www] sending signal 3 SIGQUIT to child 32048
[10-Jul-2018 17:17:29.174840] DEBUG: pid 32007, fpm_pctl_kill_all(), line 162: [pool www] sending signal 3 SIGQUIT to child 32047
[10-Jul-2018 17:17:29.174887] DEBUG: pid 32007, fpm_pctl_kill_all(), line 171: 2 child(ren) still alive
[10-Jul-2018 17:17:29.174935] DEBUG: pid 32007, fpm_got_signal(), line 112: received SIGUSR2
[10-Jul-2018 17:17:29.174980] NOTICE: pid 32007, fpm_got_signal(), line 113: Reloading in progress ...
[10-Jul-2018 17:17:29.175025] DEBUG: pid 32007, fpm_event_loop(), line 424: event module triggered 1 events
[10-Jul-2018 17:17:29.176463] DEBUG: pid 32007, fpm_pctl_kill_all(), line 162: [pool www] sending signal 15 SIGTERM to child 32048
[10-Jul-2018 17:17:29.176504] DEBUG: pid 32007, fpm_pctl_kill_all(), line 162: [pool www] sending signal 15 SIGTERM to child 32047
[10-Jul-2018 17:17:29.176510] DEBUG: pid 32007, fpm_pctl_kill_all(), line 171: 2 child(ren) still alive
[10-Jul-2018 17:17:29.186320] DEBUG: pid 32007, fpm_got_signal(), line 112: received SIGUSR2
[10-Jul-2018 17:17:29.186506] NOTICE: pid 32007, fpm_got_signal(), line 113: Reloading in progress ...
[10-Jul-2018 17:17:29.186601] DEBUG: pid 32007, fpm_event_loop(), line 424: event module triggered 1 events 
[10-Jul-2018 17:17:29.197708] DEBUG: pid 32007, fpm_got_signal(), line 112: received SIGUSR2
[10-Jul-2018 17:17:29.197735] NOTICE: pid 32007, fpm_got_signal(), line 113: Reloading in progress ...
[10-Jul-2018 17:17:29.197741] DEBUG: pid 32007, fpm_event_loop(), line 424: event module triggered 1 events

I have traced down a part of the problem. SIGKILL is not sent to FPM workers at all.

The open question is why SIGQUIT and SIGTERM are not enough sometimes.
Maybe kill() of a child is interrupted by SIGUSR2 received by the master
process and check for EINTR is required after the kill() call.

Missed SIGQUIT and SIGTERM are hardly can be desirable, but ensuring
SIGKILL delivery allows to avoid process stuck in some intermediate
semi-functional state.

The problem is that SIGTERM and SIGKILL share the same fpm_event_s structure
and scheduled through the same event queue. The handler is invoked
synchronously and it is unable to reschedule itself

fpm_process_ctl.c:202 static void fpm_pctl_action_next()
        fpm_pctl_timeout_set(timeout);

due to

fpm_events.c:156 static int fpm_event_queue_add()
        if (fpm_event_queue_isset(*queue, ev)) {
                return 0;
        }

The timer is removed from the queue *after* completion of the handler

fpm_events.c:440 void fpm_event_loop()
                                        } else { /* delete the event */

Possible solution is to mark the event as persistent (see the patch).
It helps even in the case when some signals from previous iteration
are not delivered, the cost is another second before reexec.

With the patch from https://bugs.php.net/bug.php?id=74083
PHP-FPM becomes immune to SIGUSR2 flood.

SIGQUIT and SIGTERM may be missed by children just after reload due to

fpm_signals.c:169 static void sig_handler()
	if (fpm_globals.parent_pid != getpid()) {
		/* prevent a signal race condition when child process
			have not set up it's own signal handler yet */
		return;
	}

Looks like this measure is not a solution for all cases. sigprocmask() SIG_BLOCK/SIG_UNBLOCK may be added around the fork() call to

fpm_children.c:400 int fpm_children_make()
		pid = fork();

I have added another patch that blocks signal delivery during child initialization. It depends on the patch for #74083.

Patch php-76601_kill-not-rescheduled_7.2.11_2018-09-28.patch is required.
Patch php-fpm-76601-avoid-child-ignorance_7.2.11_2018-09-28.patch
is intended to stop children more gently in the case of concurrent reload.
Actually any of them fixes #76601 but I suppose that it is better
to avoid both problems.

With kill-not-rescheduled patch I am unable to reproduce
#76895 "PHP-FPM7.x can't finish reloading after encountering a fatal error"

These patches are for 7.2.11, can be cleanly applied for 7.1.23.
Quite trivial conflicts related to context lines exist
for 7.0.32 and for 5.6.38.

Dear maintainers, please note this bug (and its solution provided by mnikulin at plesk dot com), applies to all versions from 7.1 to at least 7.3

@bukka: Are you familiar with the FPM signal handling code? This looks like something we should really fix and the patch at least looks reasonable to me.

Last week I was trying to write a test for Bug #76895 that is the easiest way to reproduce the case. I realized that the code that runs test suite does not force empty TEST_PHP_EXECUTABLE directory so if php is already installed to the prefix, ini files for modules may affect test results. I have not reproduce the issue in the build environment but "break/continue" is reproducible on test servers. The difference in modules/extensions and their configurations (sodium, etc.) and error reporting options. My current draft is

-----
--TEST--
FPM: bug76895 bug77443 - child blocks reload
--SKIPIF--
<?php include "skipif.inc"; ?>
--FILE--
<?php

require_once "tester.inc";

$cfg = <<<EOT
[global]
error_log = {{FILE:LOG}}
pid = {{FILE:PID}}
[unconfined]
listen = {{ADDR}}
pm = ondemand
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
catch_workers_output = yes
EOT;

$code = <<<EOT
<?php
\$variable = 'test';
if (!empty(\$variable)) {
  break;
}
EOT;

$tester = new FPM\Tester($cfg, $code);
$tester->start();
$tester->expectLogStartNotices();
$tester->request()->expectEmptyBody();
$tester->expectLogWarning('child \d+ said into stderr: "NOTICE: PHP message: PHP Fatal error:  \'break\' not in the \'loop\' or \'switch\' context in .* on line 4"', 'unconfined');
$tester->signal('USR2');
$tester->expectLogNotice('Reloading in progress ...');
$tester->expectLogNotice('reloading: .*');
$tester->expectLogNotice('using inherited socket fd=\d+, "127.0.0.1:\d+"');
$tester->expectLogStartNotices();
$tester->terminate();
$tester->expectLogTerminatingNotices();
$tester->close();

?>
Done
--EXPECT--
Done
--CLEAN--
<?php
require_once "tester.inc";
FPM\Tester::clean();
?>
-----

Message body is actually not empty in build environment, message
pattern and output should be adjusted as well.

I am unsure if I will have time this week to proceed further, hope the draft might be useful for you.

As I said earlier, the easiest way to test
php-76601_kill-not-rescheduled_7.2.11_2018-09-28.patch
may be in the scope of Bug #76895. However I have realized that
to reproduce 76895 opcache must be enabled. I faced some
obstacles trying to implement such test

- PHP_INI_SCAN_DIR must be set to empty or invalid directory
  otherwise .ini files there (from already installed previous build)
  may change settings related error reporting and may lead
  to failed expectations in messages tests.
- It is necessary to explicitly load opcache.so, so .ini file
  should be passed to php-fpm command.
- opcache.so loading error must be ignored if it is not built.
- If built, opcache.so must be loaded from build directory,
  and I have no idea now to obtain it.

I hope, somebody from PHP developers can solve such issues better than me.
Other reload failures are caused by races, so I am unsure it it is worth
to write tests that repeat actions many times due to such tests may lasts
quite long time.

I consider patches attached to this bug and to Bug #74083 as well tested
in production environment for php-5.6, and 7.0-7.3,
however the servers have mostly similar configuration.

I do not plan to work on the test further. My lates draft is

--TEST--
FPM: bug76895 bug77443 - child blocks reload
--SKIPIF--
<?php include "skipif.inc"; ?>
--FILE--
<?php

require_once "tester.inc";

$cfg = <<<EOT
[global]
error_log = {{FILE:LOG}}
pid = {{FILE:PID}}
[unconfined]
listen = {{ADDR}}
pm = ondemand
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
EOT;

// TODO skip if opcache is not compiled
// TODO obtain build dir somehow
$cwd = getcwd();
$ini = <<<EOT
zend_extension = $cwd/build-fpm/modules/opcache.so
EOT;

$code = <<<EOT
<?php
\$variable = 'test';
if (!empty(\$variable)) {
  break;
}
EOT;

// TODO It seems that tester.inc does not allow custom php.ini even though file can be created
$iniFile = __DIR__ . '/.user.ini';
putenv("PHPRC=$iniFile");
putenv("PHP_INI_SCAN_DIR=/dev/null");
$tester = new FPM\Tester($cfg, $code);
$tester->setUserIni($ini);
$tester->start();
$tester->expectLogStartNotices();
$body = $tester->request()->getBody();
$expectedBody = "/^<br \\/>\n<b>Fatal error<\\/b>:  'break' not in the 'loop' or 'switch' context in <b>.*\.php<\\/b> on line <b>4<\\/b><br \\/>$/";
if (!preg_match($expectedBody, $body)) {
  echo 'ERROR: expected body ' . $expectedBody . "\n" . 'does not match actual body: ' . $body . "\n";
  false;
}
// Alternatively error may be suppressed in response and directed to log.
// $tester->expectLogWarning('child \d+ said into stderr: "NOTICE: PHP message: PHP Fatal error:  \'break\' not in the \'loop\' or \'switch\' context in .* on line 4"', 'unconfined');
$tester->signal('USR2');
$tester->expectLogNotice('Reloading in progress ...');
$tester->expectLogNotice('reloading: .*');
$tester->expectLogNotice('using inherited socket fd=\d+, "127.0.0.1:\d+"');
$tester->expectLogStartNotices();
$tester->terminate();
$tester->expectLogTerminatingNotices();
$tester->close();

?>
Done
--EXPECT--
Done
--CLEAN--
<?php
require_once "tester.inc";
FPM\Tester::clean();
?>

Sorry for the late reply! Finally got time to take a look. First of all thanks for the thorough analysis of the problem and all the patches!

The patches make sense from the first look but need to think about it more and do some testing.

In terms of the test, it needs some updates to the main tester to handle the main ini load (php-fpm -c). Ideally it could be generated for each run with options to extend it. It would be also good to have some helpers to quickly enable opcache as there are other issues that would make use of that. I have got an idea how to do it and will try to find some time to implement it. It would be really good to have this covered. It might help to minimize breaks to FPM that Opcache from time to time introduces.

I have added a pull request with a test independent of opcache and Bug #76895. The only disadvantage that it takes 3-5 seconds in the case of success.

This issue should be fixed in 7.4.