Bug #77647 preload: Access violation in zend_mm_shutdown
Submitted: 2019-02-21 19:48 UTC Modified: 2020-01-08 11:04 UTC
From: mberchtold at gmail dot com Assigned: cmb (profile)
Status: Closed Package: opcache
PHP Version: master-Git-2019-02-21 (snap) OS: Windows 10 x64
Private report: No CVE-ID: None
 [2019-02-21 19:48 UTC] mberchtold at gmail dot com
Description:
------------
With preloading enabled (preloading of Zend Framework 3, among others), visiting certain URLs of the website crashes php-cgi.exe.
When preloading is disabled, or when no classes are preloaded, it does not crash.

php master: r82d6759

>	php8.dll!zend_mm_shutdown(_zend_mm_heap * heap, int full, int silent) Line 2269	C
 	[Inline Frame] php8.dll!shutdown_memory_manager(int)	C
 	php8.dll!php_module_startup(_sapi_module_struct * sf, _zend_module_entry * additional_modules, unsigned int num_additional_modules) Line 2405	C
 	php-cgi.exe!php_cgi_startup(_sapi_module_struct * sapi_module) Line 973	C
 	php-cgi.exe!main(int argc, char * * argv) Line 1921	C
 	[Inline Frame] php-cgi.exe!invoke_main() Line 78	C++
 	php-cgi.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!00007ff81f3b81f4()	Unknown
 	ntdll.dll!00007ff82174a251()	Unknown


zend_mm_shutdown
...

Code:
	/* move all chunks except of the first one into the cache */
	p = heap->main_chunk->next;
	while (p != heap->main_chunk) {
--->		zend_mm_chunk *q = p->next;
   // p is null
   
		p->next = heap->cached_chunks;
		heap->cached_chunks = p;
		p = q;
		heap->chunks_count--;
		heap->cached_chunks_count++;
	}


Locals:
+		heap	0x0000026899200040 {use_custom_heap=0x00000000 storage=0x0000000000000000 <NULL> size=0x0000000000000000 ...}	_zend_mm_heap *
+		heap->main_chunk	0x0000026899200000 {heap=0x0000026899200040 {use_custom_heap=0x00000000 storage=0x0000000000000000 <NULL> ...} ...}	_zend_mm_chunk *
+		heap->main_chunk->next	0x0000000000000000 <NULL>	_zend_mm_chunk *
+		p	0x0000000000000000 <NULL>	_zend_mm_chunk *

For some reason, heap->main_chunk->next is NULL which looks unexpected (heap corruption?).


Test script:
---------------
I don't have a reproducible case other than that it always crashes when accessing a certain URL on an internal website.

Expected result:
----------------
no crash

Actual result:
--------------
Unhandled exception thrown: read access violation.

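The report above shows zend_mm_shutdown dereferencing heap->main_chunk->next while it is NULL, i.e. the circular chunk ring was already corrupted before shutdown ran. The following is an added example, not php-src code, that models that ring in miniature (names mm_chunk, mm_heap, mm_ring_check, mm_shutdown_checked are this example's own) and validates the ring's invariants before the same move-to-cache loop runs, so a broken link is reported instead of producing an access violation:

```c
/* Added example, not php-src: a miniature model of the zend_mm chunk ring
 * (a main chunk with circular next/prev links) and a shutdown walk that
 * validates the ring before moving chunks into the cache. All names here
 * are this example's own, not php-src identifiers. */
#include <stddef.h>
#include <stdlib.h>

typedef struct mm_chunk {
    struct mm_chunk *next;
    struct mm_chunk *prev;
    int id;
} mm_chunk;

typedef struct mm_heap {
    mm_chunk *main_chunk;
    mm_chunk *cached_chunks;
    int chunks_count;
    int cached_chunks_count;
} mm_heap;

/* Walk the ring once; return 0 if every link is sane, -1 otherwise.
 * A NULL next pointer (the state seen in the report's locals) is caught
 * here rather than by a null dereference inside the move loop. */
static int mm_ring_check(const mm_heap *heap)
{
    const mm_chunk *p = heap->main_chunk;
    int seen = 0;
    if (!p) return -1;
    do {
        if (!p->next || !p->prev) return -1;        /* broken link */
        if (p->next->prev != p) return -1;          /* asymmetric link */
        if (++seen > heap->chunks_count) return -1; /* ring longer than bookkeeping says */
        p = p->next;
    } while (p != heap->main_chunk);
    return seen == heap->chunks_count ? 0 : -1;
}

/* The same loop as the quoted zend_mm_shutdown fragment, guarded by the
 * check. Returns the number of chunks cached, or -1 on detected corruption. */
int mm_shutdown_checked(mm_heap *heap)
{
    if (mm_ring_check(heap) != 0) return -1;
    mm_chunk *p = heap->main_chunk->next;
    while (p != heap->main_chunk) {
        mm_chunk *q = p->next;
        p->next = heap->cached_chunks;
        heap->cached_chunks = p;
        p = q;
        heap->chunks_count--;
        heap->cached_chunks_count++;
    }
    return heap->cached_chunks_count;
}

/* Constructed test data: a heap with n chunks linked in a ring. */
mm_heap *mm_heap_build(int n)
{
    mm_heap *heap = calloc(1, sizeof *heap);
    mm_chunk *prev = NULL;
    for (int i = 0; i < n; i++) {
        mm_chunk *c = calloc(1, sizeof *c);
        c->id = i;
        if (!heap->main_chunk) { heap->main_chunk = c; c->next = c; c->prev = c; }
        else { c->prev = prev; c->next = heap->main_chunk; prev->next = c; heap->main_chunk->prev = c; }
        prev = c;
        heap->chunks_count++;
    }
    return heap;
}

/* Free a heap after a successful shutdown (non-main chunks are in the cache list). */
void mm_heap_free(mm_heap *heap)
{
    mm_chunk *p = heap->cached_chunks;
    while (p) { mm_chunk *q = p->next; free(p); p = q; }
    free(heap->main_chunk);
    free(heap);
}

/* Healthy ring of n chunks: shutdown caches n-1 of them. */
int demo_healthy(int n)
{
    mm_heap *heap = mm_heap_build(n);
    int r = mm_shutdown_checked(heap);
    mm_heap_free(heap);
    return r;
}

/* Corrupted ring: zero the main chunk's next link, as in the report's locals.
 * The checked shutdown refuses (-1) instead of dereferencing NULL. */
int demo_corrupted(int n)
{
    mm_heap *heap = mm_heap_build(n);
    mm_chunk *saved = heap->main_chunk->next;
    heap->main_chunk->next = NULL;
    int r = mm_shutdown_checked(heap);
    heap->main_chunk->next = saved;   /* repair so the heap can be shut down and freed */
    mm_shutdown_checked(heap);
    mm_heap_free(heap);
    return r;
}
```

The check only tells you that the ring is broken at shutdown; as nikic notes later in the thread, it cannot say which earlier write corrupted it, which is why write-protecting the region between legitimate updates is the more useful debugging aid.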
 [2019-03-18 10:58 UTC] nikic@php.net
Just want to check back if this issue still exists. A lot of preloading issues have been fixed since this bug report, so maybe the issue is already resolved?
 [2019-03-23 00:42 UTC] mberchtold at gmail dot com
Yes, the issue still exists with the latest master build:
Revision: r598175e (March 22 2019, 18:25:00)
 [2019-03-23 01:04 UTC] mberchtold at gmail dot com
The stack trace:
>	VCRUNTIME140.dll!memset_repmovs() Line 67	Unknown
 	php8.dll!00007ffc60cabd45()	Unknown
 	php-cgi.exe!00007ff77d6a1763()	Unknown
 	php-cgi.exe!00007ff77d6a40f8()	Unknown
 	kernel32.dll!BaseThreadInitThunk()	Unknown
 	ntdll.dll!RtlUserThreadStart()	Unknown


But for some reason, the debug symbols (in the debug-pack) aren't matching the binaries.
 [2019-03-23 10:31 UTC] nikic@php.net
Thanks for checking! Unfortunately it's hard to do anything here, as a segfault during memory manager shutdown just indicates that memory manager data structures were corrupted at some point, but doesn't really tell us where.

This is the point where I'd usually suggest setting opcache.protect_memory=1, but after checking the code this functionality is currently implemented using mprotect() only and has no VirtualProtect() support, so it won't actually do anything on Windows. We should probably add that to make debugging opcache issues easier on Windows...
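The comment above describes the debugging technique behind opcache.protect_memory: keep the shared region read-only except inside explicit unprotect/protect windows, so a stray write faults at the offending instruction instead of surfacing later as a corrupted data structure at shutdown. The following added example (not opcache's code; shm_alloc, shm_protect, shm_unprotect and probe_write_is_trapped are this example's own names) shows the portable toggle with mprotect() on POSIX and VirtualProtect() on Windows, and on POSIX demonstrates that a write to the protected page is trapped while a write inside the unprotect window succeeds:

```c
/* Added example, not php-src/opcache code: a portable write-protect toggle
 * for a shared-memory region, in the spirit of opcache.protect_memory.
 * All function names here are this example's own. */
#ifndef _WIN32
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <signal.h>
#include <setjmp.h>
#endif

/* Allocate a page-aligned region of `len` bytes, initially read/write. */
static void *shm_alloc(size_t len)
{
#ifdef _WIN32
    return VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

/* Make the region read-only; 0 on success, -1 on failure. */
static int shm_protect(void *base, size_t len)
{
#ifdef _WIN32
    DWORD old;
    return VirtualProtect(base, len, PAGE_READONLY, &old) ? 0 : -1;
#else
    return mprotect(base, len, PROT_READ);
#endif
}

/* Make the region writable again; 0 on success, -1 on failure. */
static int shm_unprotect(void *base, size_t len)
{
#ifdef _WIN32
    DWORD old;
    return VirtualProtect(base, len, PAGE_READWRITE, &old) ? 0 : -1;
#else
    return mprotect(base, len, PROT_READ | PROT_WRITE);
#endif
}

static void shm_free(void *base, size_t len)
{
#ifdef _WIN32
    (void)len;
    VirtualFree(base, 0, MEM_RELEASE);
#else
    munmap(base, len);
#endif
}

#ifndef _WIN32
static sigjmp_buf trap_env;
static void on_segv(int sig) { (void)sig; siglongjmp(trap_env, 1); }

/* Returns 1 if writing one byte to `p` raised SIGSEGV (the page is
 * protected), 0 if the write went through. POSIX only; a real build would
 * let the fault reach the debugger instead of catching it. */
static int probe_write_is_trapped(volatile unsigned char *p)
{
    struct sigaction sa, old;
    int trapped;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(trap_env, 1) == 0) {
        *p = 0x42;          /* stray write outside an unprotect window */
        trapped = 0;
    } else {
        trapped = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return trapped;
}
#endif

/* Returns 1 if the stray write is trapped (POSIX) and a write inside the
 * unprotect/protect pair succeeds; -1 if allocation or protection fails. */
int demo_protect_memory(void)
{
    size_t len = 4096;
    unsigned char *shm = shm_alloc(len);
    int ok = 1;
    if (!shm) return -1;
    shm[0] = 0;
    if (shm_protect(shm, len) != 0) { shm_free(shm, len); return -1; }
#ifndef _WIN32
    ok &= probe_write_is_trapped(shm);
#endif
    shm_unprotect(shm, len);
    shm[0] = 1;             /* legitimate write inside the unprotect window */
    shm_protect(shm, len);
    ok &= (shm[0] == 1);    /* reads remain allowed while protected */
    shm_unprotect(shm, len);
    shm_free(shm, len);
    return ok;
}
```

The practical caveat matches the thread: the protection only helps if every writer to the region goes through the unprotect/protect pair, so any extension that writes the shared segment directly (nikic mentions ext/phar) will fault spuriously rather than revealing the real culprit.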
 [2019-04-15 13:38 UTC] nikic@php.net
Support for opcache.protect_memory=1 on Windows has landed in the meantime, so it might be possible to produce a better trace now. (Assuming that ext/phar is not used, which is not compatible with memory protection right now.)
 [2019-04-16 06:55 UTC] mberchtold at gmail dot com
With
opcache.protect_memory=1 
and the latest snapshot, I get the following crash now:


 	[Inline Frame] php_opcache.dll!accel_interned_strings_save_state() Line 416	C
 	php_opcache.dll!accel_use_shm_interned_strings() Line 749	C
 	php_opcache.dll!accel_post_startup() Line 2986	C
 	[Inline Frame] php8.dll!zend_post_startup() Line 992	C
 	php8.dll!php_module_startup(_sapi_module_struct * sf, _zend_module_entry * additional_modules, unsigned int num_additional_modules) Line 2337	C
 	php-cgi.exe!php_cgi_startup(_sapi_module_struct * sapi_module) Line 969	C
 	php-cgi.exe!main(int argc, char * * argv) Line 1916	C
>	[Inline Frame] php-cgi.exe!invoke_main() Line 78	C++
 	php-cgi.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk()	Unknown
 	ntdll.dll!RtlUserThreadStart()	Unknown


code:
static void accel_interned_strings_save_state(void)
{
	ZCSG(interned_strings).saved_top = ZCSG(interned_strings).top;
}

debug out:
Unhandled exception thrown: write access violation.
**accel_shared_globals** was 0x100000000080.
 [2019-04-29 10:00 UTC] nikic@php.net
That's weird, this call is happening as part of an SHM_UNPROTECT region and shouldn't generate an access violation :/
 [2020-01-05 11:58 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-01-05 11:58 UTC] cmb@php.net
Please try a recent PHP 7.4 snapshot[1].  Also note that
preloading support is very much restricted on Windows currently,
and might be dropped altogether[2].

[1] <https://windows.php.net/downloads/snaps/php-7.4/>
[2] <https://github.com/php/php-src/pull/4999>
 [2020-01-05 13:34 UTC] mberchtold at gmail dot com
-Status: Feedback +Status: Closed
 [2020-01-05 13:34 UTC] mberchtold at gmail dot com
I was recently testing it (2 weeks ago) with a master snapshot. Same issue. I recommend closing this, as the opcache is clearly not usable on Windows at the moment.
 [2020-01-08 11:04 UTC] cmb@php.net
Thanks for checking!  However, since preloading support has been
removed for Windows[1], this ticket can indeed be closed.

[1] <https://github.com/php/php-src/pull/4999>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 06:01:30 2024 UTC