Bug #76844 PHP crashes on big file with array inside
Submitted: 2018-09-05 17:03 UTC Modified: 2023-10-26 21:29 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: denis at bitrix dot ru Assigned: nielsdos (profile)
Status: Closed Package: opcache
PHP Version: 7.2.9 OS: Ubuntu 14.04.5 LTS
Private report: No CVE-ID: None
 [2018-09-05 17:03 UTC] denis at bitrix dot ru
Description:
------------
I have an auto-generated 12M script which causes a segmentation fault with opcache enabled.

$ gdb -ex=r --args php restore.file_list.php
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.3) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from php...Reading symbols from /usr/lib/debug/.build-id/c0/4daf2c7bc6200e0a02e127d552d4290d6678e0.debug...done.
done.
Starting program: /usr/bin/php restore.file_list.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
zend_ssa_check_scc_var (op_array=op_array@entry=0x7ffff5883008, ssa=ssa@entry=0x7ffff59de028, var=65384, index=index@entry=0x7fffffffa48c, dfs=dfs@entry=0x7fffe9801000, 
    root=root@entry=0x7fffe9a01000, stack=stack@entry=0x7fffffffa490) at /build/php7.2-pz0P3X/php7.2-7.2.9/ext/opcache/Optimizer/zend_inference.c:173
173	{
(gdb) bt 10
#0  zend_ssa_check_scc_var (op_array=op_array@entry=0x7ffff5883008, ssa=ssa@entry=0x7ffff59de028, var=65384, index=index@entry=0x7fffffffa48c, dfs=dfs@entry=0x7fffe9801000, 
    root=root@entry=0x7fffe9a01000, stack=stack@entry=0x7fffffffa490) at /build/php7.2-pz0P3X/php7.2-7.2.9/ext/opcache/Optimizer/zend_inference.c:173
#1  0x00007ffff4a7eed6 in zend_ssa_check_scc_var (op_array=op_array@entry=0x7ffff5883008, ssa=ssa@entry=0x7ffff59de028, var=<optimized out>, index=index@entry=0x7fffffffa48c, 
    dfs=dfs@entry=0x7fffe9801000, root=root@entry=0x7fffe9a01000, stack=stack@entry=0x7fffffffa490) at /build/php7.2-pz0P3X/php7.2-7.2.9/ext/opcache/Optimizer/zend_inference.c:182
#2  0x00007ffff4a7eed6 in zend_ssa_check_scc_var (op_array=op_array@entry=0x7ffff5883008, ssa=ssa@entry=0x7ffff59de028, var=<optimized out>, index=index@entry=0x7fffffffa48c, 
    dfs=dfs@entry=0x7fffe9801000, root=root@entry=0x7fffe9a01000, stack=stack@entry=0x7fffffffa490) at /build/php7.2-pz0P3X/php7.2-7.2.9/ext/opcache/Optimizer/zend_inference.c:182
#3  0x00007ffff4a7eed6 in zend_ssa_check_scc_var (op_array=op_array@entry=0x7ffff5883008, ssa=ssa@entry=0x7ffff59de028, var=<optimized out>, index=index@entry=0x7fffffffa48c, 
    dfs=dfs@entry=0x7fffe9801000, root=root@entry=0x7fffe9a01000, stack=stack@entry=0x7fffffffa490) at /build/php7.2-pz0P3X/php7.2-7.2.9/ext/opcache/Optimizer/zend_inference.c:182
#4  0x00007ffff4a7eed6 in zend_ssa_check_scc_var (op_array=op_array@entry=0x7ffff5883008, ssa=ssa@entry=0x7ffff59de028, var=<optimized out>, index=index@entry=0x7fffffffa48c, 
    dfs=dfs@entry=0x7fffe9801000, root=root@entry=0x7fffe9a01000, stack=stack@entry=0x7fffffffa490) at /build/php7.2-pz0P3X/php7.2-7.2.9/ext/opcache/Optimizer/zend_inference.c:182
#5  0x00007ffff4a7eed6 in zend_ssa_check_scc_var (op_array=op_array@entry=0x7ffff5883008, ssa=ssa@entry=0x7ffff59de028, var=<optimized out>, index=index@entry=0x7fffffffa48c, 
    dfs=dfs@entry=0x7fffe9801000, root=root@entry=0x7fffe9a01000, stack=stack@entry=0x7fffffffa490) at /build/php7.2-pz0P3X/php7.2-7.2.9/ext/opcache/Optimizer/zend_inference.c:182
#6  0x00007ffff4a7eed6 in zend_ssa_check_scc_var (op_array=op_array@entry=0x7ffff5883008, ssa=ssa@entry=0x7ffff59de028, var=<optimized out>, index=index@entry=0x7fffffffa48c, 
    dfs=dfs@entry=0x7fffe9801000, root=root@entry=0x7fffe9a01000, stack=stack@entry=0x7fffffffa490) at /build/php7.2-pz0P3X/php7.2-7.2.9/ext/opcache/Optimizer/zend_inference.c:182
#7  0x00007ffff4a7eed6 in zend_ssa_check_scc_var (op_array=op_array@entry=0x7ffff5883008, ssa=ssa@entry=0x7ffff59de028, var=<optimized out>, index=index@entry=0x7fffffffa48c, 
    dfs=dfs@entry=0x7fffe9801000, root=root@entry=0x7fffe9a01000, stack=stack@entry=0x7fffffffa490) at /build/php7.2-pz0P3X/php7.2-7.2.9/ext/opcache/Optimizer/zend_inference.c:182
#8  0x00007ffff4a7eed6 in zend_ssa_check_scc_var (op_array=op_array@entry=0x7ffff5883008, ssa=ssa@entry=0x7ffff59de028, var=<optimized out>, index=index@entry=0x7fffffffa48c, 
    dfs=dfs@entry=0x7fffe9801000, root=root@entry=0x7fffe9a01000, stack=stack@entry=0x7fffffffa490) at /build/php7.2-pz0P3X/php7.2-7.2.9/ext/opcache/Optimizer/zend_inference.c:182
#9  0x00007ffff4a7eed6 in zend_ssa_check_scc_var (op_array=op_array@entry=0x7ffff5883008, ssa=ssa@entry=0x7ffff59de028, var=<optimized out>, index=index@entry=0x7fffffffa48c, 
    dfs=dfs@entry=0x7fffe9801000, root=root@entry=0x7fffe9a01000, stack=stack@entry=0x7fffffffa490) at /build/php7.2-pz0P3X/php7.2-7.2.9/ext/opcache/Optimizer/zend_inference.c:182
(More stack frames follow...)
(gdb) bt -1
#65394 0x00005555556422be in main (argc=2, argv=0x555555bfd6e0) at /build/php7.2-pz0P3X/php7.2-7.2.9/sapi/cli/php_cli.c:1404
(gdb) zbacktrace 
(gdb) 


Test script:
---------------
The script is uploaded to https://my.pcloud.com/publink/show?code=XZMTED7ZcA3xXabVtHSiwtefBkWj74HBSY1y

It is 12M length but very simple:

$ head restore.file_list.php 
<?
$a['modules/main/include/virtual_file_system.php'] = 1;
$a['modules/main/include/epilog_popup_admin.php'] = 1;
$a['modules/main/include/prolog_before.php'] = 1;
$a['modules/main/include/condition.php'] = 1;
$a['modules/main/include/mainpage.php'] = 1;
$a['modules/main/include/epilog.php'] = 1;
$a['modules/main/include/include_statistics_before.php'] = 1;
$a['modules/main/include/include_statistics.php'] = 1;
$a['modules/main/include/dbconn_error.php'] = 1;

$ tail restore.file_list.php
$a['components/bitrix/lists.element.edit/lang/en/ajax.php'] = 1;
$a['components/bitrix/lists.element.edit/lang/en/component.php'] = 1;
$a['components/bitrix/lists.element.edit/lang/en/.description.php'] = 1;
$a['components/bitrix/lists.element.edit/.description.php'] = 1;
$a['components/bitrix/tasks.interface.header/templates/.default/template.php'] = 1;
$a['components/bitrix/tasks.interface.header/templates/.default/script.js'] = 1;
$a['components/bitrix/tasks.interface.header/templates/.default/style.min.css'] = 1;
$a['components/bitrix/tasks.interface.header/templates/.default/script.map.js'] = 1;
$a['components/bitrix/tasks.interface.header/templates/.default/script.min.js'] = 1;
$a['components/bitrix/tasks.interface.header/class.php'] = 1;


Actual result:
--------------
$ php -d opcache.enable_cli=0 restore.file_list.php 
$ 
$ php -d opcache.enable_cli=1 restore.file_list.php 
Segmentation fault


 [2018-09-05 17:13 UTC] spam2 at rhsoft dot net
check your opcache settings especially interned strings buffer
 [2018-09-05 18:13 UTC] cmb@php.net
On a quick glance, this looks like a stack overflow.
 [2018-09-06 08:24 UTC] denis at bitrix dot ru
opcache.interned_strings_buffer doesn't seem to affect it:

$ php -i|grep opcache.interned_strings_buffer
opcache.interned_strings_buffer => 8 => 8
$ php -d opcache.enable_cli=1 -d opcache.interned_strings_buffer=16 restore.file_list.php 
Segmentation fault

I guess 16M should be enough for a 12M file. And further on I got an error:

$ php -d opcache.enable_cli=1 -d opcache.interned_strings_buffer=18 restore.file_list.php 
Thu Sep  6 10:19:14 2018 (12707): Fatal Error Zend OPcache cannot allocate buffer for interned strings
 [2018-09-06 08:31 UTC] spam2 at rhsoft dot net
"Fatal Error Zend OPcache cannot allocate buffer for interned strings" clearly indicates that "opcache.memory_consumption" is way too small

Frankly, if you can allocate 18 MB, I guess someone has lowered the default value.

------

-rw-r--r-- 1 root root 198K 2018-03-05 16:37 /usr/share/phpMyAdmin/vendor/tecnickcom/tcpdf/fonts/dejavusans.ph

/usr/share/phpMyAdmin/vendor/tecnickcom/tcpdf/fonts/dejavusans.php allocates 1.36 MB in opcache, so your guess that 16M should be enough for a 12M file is pretty wrong.
 [2018-09-06 08:40 UTC] nikic@php.net
@rhsoft: The interned strings buffer is not really relevant to this issue. As @cmb pointed out, this is a stack overflow in zend_ssa_check_scc_var. The test script has a very long (and linear) chain of uses, each of which results in another recursive call. This could be resolved either by making the algorithm non-recursive or adding / changing some limits. E.g. we might want to punt on SSA optimizations if there are too many SSA vars.
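The recursion nikic describes, reduced to a plain graph as an added example (this is not code from php-src and does not describe what the eventual fix did). SSA variables are nodes and "the use of this variable defines the next one" is an edge, so the reporter's script becomes one long chain. Tarjan's SCC search, which is what zend_ssa_check_scc_var() performs, recurses once per edge, so the chain needs as many nested C frames as it has nodes. Both mitigations he mentions are shown: a depth cap that punts, and the same algorithm driven by a heap-allocated frame stack. Out-degree is limited to one to keep the example short; the names (make_chain, Tarjan, recursive_sccs_on_chain, iterative_sccs_on_chain) are this example's own.

```c
/* Added example: Tarjan SCC over a use-chain, recursive-with-cap vs. iterative. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { int n; int *next; } Chain;   /* next[v] == -1: no successor */

/* Constructed input: 0 -> 1 -> ... -> n-1, optionally closed back to 0. */
static Chain make_chain(int n, int cyclic)
{
    Chain g = { n, malloc(n * sizeof(int)) };
    for (int i = 0; i < n; i++)
        g.next[i] = (i + 1 < n) ? i + 1 : (cyclic ? 0 : -1);
    return g;
}

typedef struct {
    const Chain *g;
    int *index, *low, *onstack, *stack;       /* Tarjan's bookkeeping */
    int sp, counter, sccs, max_depth, punted;
} Tarjan;

static Tarjan tarjan_init(const Chain *g, int max_depth)
{
    Tarjan t = { g, malloc(g->n * sizeof(int)), malloc(g->n * sizeof(int)),
                 calloc(g->n, sizeof(int)), malloc(g->n * sizeof(int)),
                 0, 0, 0, max_depth, 0 };
    for (int i = 0; i < g->n; i++) t.index[i] = -1;
    return t;
}

static void tarjan_free(Tarjan *t)
{
    free(t->index); free(t->low); free(t->onstack); free(t->stack);
}

/* If v is the root of a finished SCC, pop it off Tarjan's stack. */
static void finish(Tarjan *t, int v)
{
    if (t->low[v] != t->index[v]) return;
    int u;
    do { u = t->stack[--t->sp]; t->onstack[u] = 0; } while (u != v);
    t->sccs++;
}

/* Mitigation 1: keep the recursion but "punt" past a depth cap, the way an
 * optimizer can skip SSA passes on oversized functions. */
static void visit_recursive(Tarjan *t, int v, int depth)
{
    if (t->punted) return;
    if (depth > t->max_depth) { t->punted = 1; return; }
    t->index[v] = t->low[v] = t->counter++;
    t->stack[t->sp++] = v; t->onstack[v] = 1;
    int w = t->g->next[v];
    if (w >= 0 && t->index[w] < 0) {
        visit_recursive(t, w, depth + 1);          /* one C frame per edge */
        if (t->punted) return;
        if (t->low[w] < t->low[v]) t->low[v] = t->low[w];
    } else if (w >= 0 && t->onstack[w] && t->index[w] < t->low[v]) {
        t->low[v] = t->index[w];
    }
    finish(t, v);
}

/* Returns the SCC count of the chain, or -1 when the depth cap was hit. */
int recursive_sccs_on_chain(int n, int cyclic, int max_depth)
{
    Chain g = make_chain(n, cyclic);
    Tarjan t = tarjan_init(&g, max_depth);
    for (int s = 0; s < n && !t.punted; s++)
        if (t.index[s] < 0) visit_recursive(&t, s, 0);
    int result = t.punted ? -1 : t.sccs;
    tarjan_free(&t); free(g.next);
    return result;
}

/* Mitigation 2: same algorithm with the "call stack" moved to the heap, so
 * chain length is bounded by memory rather than by the thread stack. */
typedef struct { int v; int entered; } Frame;

int iterative_sccs_on_chain(int n, int cyclic)
{
    Chain g = make_chain(n, cyclic);
    Tarjan t = tarjan_init(&g, 0);
    Frame *frames = malloc(n * sizeof *frames);   /* every node enters once */
    for (int s = 0; s < n; s++) {
        if (t.index[s] >= 0) continue;
        int fp = 0;
        frames[fp++] = (Frame){ s, 0 };
        while (fp > 0) {
            Frame *f = &frames[fp - 1];
            int v = f->v, w = g.next[v];
            if (!f->entered) {                         /* entering v */
                t.index[v] = t.low[v] = t.counter++;
                t.stack[t.sp++] = v; t.onstack[v] = 1;
                f->entered = 1;
                if (w >= 0 && t.index[w] < 0) {
                    frames[fp++] = (Frame){ w, 0 };    /* "recurse" on the heap */
                    continue;
                }
                if (w >= 0 && t.onstack[w] && t.index[w] < t.low[v])
                    t.low[v] = t.index[w];
            } else if (t.low[w] < t.low[v]) {          /* back from w's frame */
                t.low[v] = t.low[w];
            }
            finish(&t, v);
            fp--;
        }
    }
    int result = t.sccs;
    free(frames); tarjan_free(&t); free(g.next);
    return result;
}

int main(void)
{
    /* 65384 is the SSA variable number visible in the reported backtrace. */
    printf("iterative, chain of 65384: %d SCCs\n", iterative_sccs_on_chain(65384, 0));
    printf("recursive, depth cap 10000: %d (-1 = punted)\n",
           recursive_sccs_on_chain(65384, 0, 10000));
    return 0;
}
```

The acyclic chain yields one SCC per node, the closed chain exactly one; the iterative walk gives the same answers at any length, while the capped recursion returns -1 rather than running the thread off its stack.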
 [2021-07-08 14:02 UTC] cmb@php.net
-Status: Open +Status: Analyzed
 [2023-10-26 21:29 UTC] nielsdos@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: nielsdos
 [2023-10-26 21:29 UTC] nielsdos@php.net
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.

Fixed by Dmitry via https://github.com/php/php-src/commit/bd185c3dd5f8811319db442ba6f8dd3d15515f3f
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 17:01:29 2024 UTC