PHP :: Bug #76986 :: Segfault in shutdown function?

Bug #76986	Segfault in shutdown function?
Submitted:	2018-10-09 13:45 UTC	Modified:	2018-10-11 14:44 UTC
From:	mate at sla dot hu	Assigned:
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	7.2.10	OS:	ubuntu 16
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	mate at sla dot hu
New email:
PHP Version:		OS:

New Comment:

[2018-10-09 13:45 UTC] mate at sla dot hu

Description:
------------
This report is based on a previous issue

https://bugs.php.net/bug.php?id=76846

The php version is the same, I used in that report, so the bugfix by nikic is not applied in this php build.

I have finally deployed a debug version on production system
after 5 days a crash happened

In the apport crash report ProcStatus file the process state is still (S) sleeping when it was killed

This is a heap corruption
Is this the same bug?
Can this be consequence of the bug #76846?

What other info is needed from CoreDump?

thanks


20	../sysdeps/ieee754/dbl-64/wordsize-64/s_isinf.c: No such file or directory.
(gdb) bt
#0  0x00007fae4f2ae767 in __GI___isinf (x=1,3906711615657361e-309) at ../sysdeps/ieee754/dbl-64/wordsize-64/s_isinf.c:20
#1  0x000000000097e4fc in zend_mm_panic (message=0xd6393d "zend_mm_heap corrupted") at /home/mate/php-7.2.6-debug/Zend/zend_alloc.c:363
#2  0x0000000000980046 in zend_mm_get_debug_info (heap=0x7fae48c00040, ptr=0x7fae3bef00a8) at /home/mate/php-7.2.6-debug/Zend/zend_alloc.c:1316
#3  0x0000000000980195 in zend_mm_alloc_heap (heap=0x7fae48c00040, size=56, __zend_filename=0xd72d30 "/home/mate/php-7.2.6-debug/Zend/zend_vm_execute.h", __zend_lineno=16301, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /home/mate/php-7.2.6-debug/Zend/zend_alloc.c:1346
#4  0x0000000000982be8 in _emalloc (size=24, __zend_filename=0xd72d30 "/home/mate/php-7.2.6-debug/Zend/zend_vm_execute.h", __zend_lineno=16301, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/mate/php-7.2.6-debug/Zend/zend_alloc.c:2433
#5  0x0000000000a465df in ZEND_SEND_REF_SPEC_VAR_HANDLER () at /home/mate/php-7.2.6-debug/Zend/zend_vm_execute.h:16301
#6  0x0000000000a468b6 in ZEND_SEND_VAR_EX_SPEC_VAR_QUICK_HANDLER () at /home/mate/php-7.2.6-debug/Zend/zend_vm_execute.h:16372
#7  0x0000000000aaa614 in execute_ex (ex=0x7fae48c1ef80) at /home/mate/php-7.2.6-debug/Zend/zend_vm_execute.h:60799
#8  0x00000000009a3a0f in zend_call_function (fci=0x7ffcd3d67690, fci_cache=0x7ffcd3d675a0) at /home/mate/php-7.2.6-debug/Zend/zend_execute_API.c:819
#9  0x00000000009a2f9b in _call_user_function_ex (object=0x0, function_name=0x7fae48c68540, retval_ptr=0x7ffcd3d67700, param_count=0, params=0x7fae48c68550, no_separation=1)
    at /home/mate/php-7.2.6-debug/Zend/zend_execute_API.c:654
#10 0x00000000007ce866 in user_shutdown_function_call (zv=0x7fae48ca14c8) at /home/mate/php-7.2.6-debug/ext/standard/basic_functions.c:5023
#11 0x00000000009d4ef5 in zend_hash_apply (ht=0x7fae48ca39c0, apply_func=0x7ce7a2 <user_shutdown_function_call>) at /home/mate/php-7.2.6-debug/Zend/zend_hash.c:1506
#12 0x00000000007cec3d in php_call_shutdown_functions () at /home/mate/php-7.2.6-debug/ext/standard/basic_functions.c:5107
#13 0x000000000092058c in php_request_shutdown (dummy=0x0) at /home/mate/php-7.2.6-debug/main/main.c:1846
#14 0x0000000000ac15ea in main (argc=3, argv=0x7ffcd3d68778) at /home/mate/php-7.2.6-debug/sapi/fpm/fpm/fpm_main.c:1994




bt full

(gdb) bt full
#0  0x00007fae4f2ae767 in __GI___isinf (x=1,3906711615657361e-309) at ../sysdeps/ieee754/dbl-64/wordsize-64/s_isinf.c:20
        i_ = <optimized out>
        ix = <optimized out>
        t = <optimized out>
#1  0x000000000097e4fc in zend_mm_panic (message=0xd6393d "zend_mm_heap corrupted") at /home/mate/php-7.2.6-debug/Zend/zend_alloc.c:363
No locals.
#2  0x0000000000980046 in zend_mm_get_debug_info (heap=0x7fae48c00040, ptr=0x7fae3bef00a8) at /home/mate/php-7.2.6-debug/Zend/zend_alloc.c:1316
        page_offset = 983208
        chunk = 0x7fae3be00000
        page_num = 240
        info = 2147483654
#3  0x0000000000980195 in zend_mm_alloc_heap (heap=0x7fae48c00040, size=56, __zend_filename=0xd72d30 "/home/mate/php-7.2.6-debug/Zend/zend_vm_execute.h", __zend_lineno=16301, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /home/mate/php-7.2.6-debug/Zend/zend_alloc.c:1346
        ptr = 0x7fae3bef00a8
        real_size = 24
        dbg = 0x7fae48c1f630
#4  0x0000000000982be8 in _emalloc (size=24, __zend_filename=0xd72d30 "/home/mate/php-7.2.6-debug/Zend/zend_vm_execute.h", __zend_lineno=16301, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/mate/php-7.2.6-debug/Zend/zend_alloc.c:2433
No locals.
#5  0x0000000000a465df in ZEND_SEND_REF_SPEC_VAR_HANDLER () at /home/mate/php-7.2.6-debug/Zend/zend_vm_execute.h:16301
        _ref = 0x7fae48cc2a18
        free_op1 = 0x0
        varptr = 0x7fae48c7adc0
        arg = 0x7fae48c1f6c0
#6  0x0000000000a468b6 in ZEND_SEND_VAR_EX_SPEC_VAR_QUICK_HANDLER () at /home/mate/php-7.2.6-debug/Zend/zend_vm_execute.h:16372
        varptr = 0x7ffcd3d674c0
        arg = 0xa58f41 <ZEND_FETCH_DIM_FUNC_ARG_SPEC_VAR_CV_HANDLER+133>
        free_op1 = 0x7fae48c1f630
        arg_num = 1
#7  0x0000000000aaa614 in execute_ex (ex=0x7fae48c1ef80) at /home/mate/php-7.2.6-debug/Zend/zend_vm_execute.h:60799
        orig_opline = 0x0
        orig_execute_data = 0x0
#8  0x00000000009a3a0f in zend_call_function (fci=0x7ffcd3d67690, fci_cache=0x7ffcd3d675a0) at /home/mate/php-7.2.6-debug/Zend/zend_execute_API.c:819
        call_via_handler = 0
        current_opline_before_exception = 0x7fae47273948
        i = 0
        call = 0x7fae48c1ef80
        dummy_execute_data = {opline = 0x0, call = 0x0, return_value = 0x0, func = 0x0, This = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, 
              ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, 
              type_info = 0}, u2 = {next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}, prev_execute_data = 0x0, 
          symbol_table = 0x0, run_time_cache = 0x0, literals = 0x0}
        fci_cache_local = {initialized = 1 '\001', function_handler = 0x7fae48cb09b8, calling_scope = 0x7fae48cafd40, called_scope = 0x7fae48cafd40, object = 0x0}
        func = 0x7fae48cb09b8
        __PRETTY_FUNCTION__ = "zend_call_function"
#9  0x00000000009a2f9b in _call_user_function_ex (object=0x0, function_name=0x7fae48c68540, retval_ptr=0x7ffcd3d67700, param_count=0, params=0x7fae48c68550, no_separation=1)
    at /home/mate/php-7.2.6-debug/Zend/zend_execute_API.c:654
        fci = {size = 56, function_name = {value = {lval = 140386468441920, dval = 6,9360131198128981e-310, counted = 0x7fae45952f40, str = 0x7fae45952f40, arr = 0x7fae45952f40, obj = 0x7fae45952f40, 
              res = 0x7fae45952f40, ref = 0x7fae45952f40, ast = 0x7fae45952f40, zv = 0x7fae45952f40, ptr = 0x7fae45952f40, ce = 0x7fae45952f40, func = 0x7fae45952f40, ww = {w1 = 1167404864, 
                w2 = 32686}}, u1 = {v = {type = 6 '\006', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 6}, u2 = {next = 32764, cache_slot = 32764, lineno = 32764, 
              num_args = 32764, fe_pos = 32764, fe_iter_idx = 32764, access_flags = 32764, property_guard = 32764, extra = 32764}}, retval = 0x7ffcd3d67700, params = 0x7fae48c68550, object = 0x0, 
          no_separation = 1 '\001', param_count = 0}
#10 0x00000000007ce866 in user_shutdown_function_call (zv=0x7fae48ca14c8) at /home/mate/php-7.2.6-debug/ext/standard/basic_functions.c:5023
        shutdown_function_entry = 0x7fae48c68570
        retval = {value = {lval = 140386521982160, dval = 6,9360157650522235e-310, counted = 0x7fae48c624d0, str = 0x7fae48c624d0, arr = 0x7fae48c624d0, obj = 0x7fae48c624d0, res = 0x7fae48c624d0, 
---Type <return> to continue, or q <return> to quit---
            ref = 0x7fae48c624d0, ast = 0x7fae48c624d0, zv = 0x7fae48c624d0, ptr = 0x7fae48c624d0, ce = 0x7fae48c624d0, func = 0x7fae48c624d0, ww = {w1 = 1220945104, w2 = 32686}}, u1 = {v = {
              type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 1500, cache_slot = 1500, lineno = 1500, num_args = 1500, fe_pos = 1500, 
            fe_iter_idx = 1500, access_flags = 1500, property_guard = 1500, extra = 1500}}
#11 0x00000000009d4ef5 in zend_hash_apply (ht=0x7fae48ca39c0, apply_func=0x7ce7a2 <user_shutdown_function_call>) at /home/mate/php-7.2.6-debug/Zend/zend_hash.c:1506
        idx = 0
        p = 0x7fae48ca14c8
        result = 32686
        __PRETTY_FUNCTION__ = "zend_hash_apply"
#12 0x00000000007cec3d in php_call_shutdown_functions () at /home/mate/php-7.2.6-debug/ext/standard/basic_functions.c:5107
        __orig_bailout = 0x7ffcd3d678c0
        __bailout = {{__jmpbuf = {0, -2078076015084414857, 4461872, 140723862538096, 0, 0, -2078076015382210441, 2076326051212056695}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 
                140386521579520, 0, 4294967297, 0, 4607303365079072768, 0, 18193016, 0, 10112443, 140723862534192, 10119926, 0, 18193016, 140723862534208}}}}
#13 0x000000000092058c in php_request_shutdown (dummy=0x0) at /home/mate/php-7.2.6-debug/main/main.c:1846
        __orig_bailout = 0x7ffcd3d68420
        __bailout = {{__jmpbuf = {0, -2078076022281840521, 4461872, 140723862538096, 0, 0, -2078076015086512009, 2076324729213704311}, __mask_was_saved = 0, __saved_mask = {__val = {9960506, 0, 64, 
                4294967430, 1220542528, 0, 14072368, 68719476876, 140386521579584, 450971566487, 455266533381, 140386522033856, 140386522013696, 140386521579520, 140386522033856, 140386522033824}}}}
        report_memleaks = 1 '\001'
#14 0x0000000000ac15ea in main (argc=3, argv=0x7ffcd3d68778) at /home/mate/php-7.2.6-debug/sapi/fpm/fpm/fpm_main.c:1994
        primary_script = 0x7fae48c021e0 ""
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, -2078076022392989577, 4461872, 140723862538096, 0, 0, -2078076022283937673, 2076324539806799991}, __mask_was_saved = 0, __saved_mask = {__val = {140386688859280, 1, 
                0, 1, 140386688979304, 1, 140386686786450, 5556334868490082924, 0, 140386688980160, 140723862537456, 7849019256, 140723862537440, 4131212846, 4334078, 4294967295}}}}
        exit_status = 0
        cgi = 0
        c = -1
        use_extended_info = 0
        file_handle = {handle = {fd = -740916364, fp = 0x7ffcd3d68374, stream = {handle = 0x7ffcd3d68374, isatty = 1385725921, mmap = {len = 140386688910568, pos = 140386651156847, map = 0x7fae5077cbb8, 
                buf = 0x7ffcd3d68378 "\030\204\326\323\374\177", old_handle = 0xff8760ae, old_closer = 0x3fe1d82}, reader = 0x7fae0000002e, fsizer = 0x7fae52987e14 <do_lookup_x+372>, 
              closer = 0x7fae4f289ff8}}, filename = 0x7fae48c02000 "P\357\356;\256\177", opened_path = 0x0, type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = 0
        max_requests = 100
        requests = 13
        fcgi_fd = 0
        request = 0x2aca220
        fpm_config = 0x7ffcd3d698ba ""
        fpm_prefix = 0x0
        fpm_pid = 0x0
        test_conf = 0
        force_daemon = -1
        force_stderr = 0
        php_information = 0
        php_allow_to_run_as_root = 0
        __func__ = "main"

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-10-10 09:57 UTC] mate at sla dot hu

Probably this one is a memory limit issue, 

HP Fatal error:  Allowed memory size of 134217728 bytes exhausted at /home/xxx/php-7.2.6-debug/Zend/zend_objects_API.c:145 (tried to allocate 4194304 bytes)

i have successfully reproduced it in production

In zend_get_debug_info the affected chunk's heap pointer is wrong

#2  0x0000000000980046 in zend_mm_get_debug_info (heap=0x7fae48c00040, ptr=0x7fae3bef00a8) at /home/mate/php-7.2.6-debug/Zend/zend_alloc.c:1316
        page_offset = 983208
        chunk = 0x7fae3be00000
        page_num = 240
        info = 2147483654

heap parameter is 0x7fae48c00040

ptr->chunk->heap is wrong 0x7fae4137e620

[2018-10-11 14:44 UTC] mate at sla dot hu

-Status: Open +Status: Closed

[2018-10-11 14:44 UTC] mate at sla dot hu

It is the same bug as 76846

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Wed Apr 24 02:01:30 2024 UTC