PHP :: Bug #77647 :: preload: Access violation in zend_mm

Bug #77647	preload: Access violation in zend_mm_shutdown
Submitted:	2019-02-21 19:48 UTC	Modified:	2020-01-08 11:04 UTC
From:	mberchtold at gmail dot com	Assigned:	cmb (profile)
Status:	Closed	Package:	opcache
PHP Version:	master-Git-2019-02-21 (snap)	OS:	Windows 10 x64
Private report:	No	CVE-ID:	None

View Developer Edit

[2019-02-21 19:48 UTC] mberchtold at gmail dot com

Description:
------------
With preloading (preloading of zend framework 3, others) enabled, visiting certain urls of the website crashes php-cgi.exe
When preloading is disabled, or when no classes are preloaded it does not crash.

php master: r82d6759

>	php8.dll!zend_mm_shutdown(_zend_mm_heap * heap, int full, int silent) Line 2269	C
 	[Inline Frame] php8.dll!shutdown_memory_manager(int)	C
 	php8.dll!php_module_startup(_sapi_module_struct * sf, _zend_module_entry * additional_modules, unsigned int num_additional_modules) Line 2405	C
 	php-cgi.exe!php_cgi_startup(_sapi_module_struct * sapi_module) Line 973	C
 	php-cgi.exe!main(int argc, char * * argv) Line 1921	C
 	[Inline Frame] php-cgi.exe!invoke_main() Line 78	C++
 	php-cgi.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!00007ff81f3b81f4()	Unknown
 	ntdll.dll!00007ff82174a251()	Unknown


zend_mm_shutdown
...

Code:
	/* move all chunks except of the first one into the cache */
	p = heap->main_chunk->next;
	while (p != heap->main_chunk) {
--->		zend_mm_chunk *q = p->next;
   // p is null
   
		p->next = heap->cached_chunks;
		heap->cached_chunks = p;
		p = q;
		heap->chunks_count--;
		heap->cached_chunks_count++;
	}


Locals:
+		heap	0x0000026899200040 {use_custom_heap=0x00000000 storage=0x0000000000000000 <NULL> size=0x0000000000000000 ...}	_zend_mm_heap *
+		heap->main_chunk	0x0000026899200000 {heap=0x0000026899200040 {use_custom_heap=0x00000000 storage=0x0000000000000000 <NULL> ...} ...}	_zend_mm_chunk *
+		heap->main_chunk->next	0x0000000000000000 <NULL>	_zend_mm_chunk *
+		p	0x0000000000000000 <NULL>	_zend_mm_chunk *

For some reason, heap->main_chunk->next is NULL which looks unexpected (heap corruption?).


Test script:
---------------
I don't have a reproducible case other than that it always crashes when accessing a certain url on an internal website.

Expected result:
----------------
no crash

Actual result:
--------------
Unhandled exception thrown: read access violation.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-03-18 10:58 UTC] nikic@php.net

Just want to check back if this issue still exists. A lot of preloading issues have been fixed since this bug report, so maybe the issue is already resolved?

[2019-03-23 00:42 UTC] mberchtold at gmail dot com

Yes, the issue still exists with the latest master build:
Revision: r598175e (March 22 2019, 18:25:00)

[2019-03-23 01:04 UTC] mberchtold at gmail dot com

The stack trace:
>	VCRUNTIME140.dll!memset_repmovs() Line 67	Unknown
 	php8.dll!00007ffc60cabd45()	Unknown
 	php-cgi.exe!00007ff77d6a1763()	Unknown
 	php-cgi.exe!00007ff77d6a40f8()	Unknown
 	kernel32.dll!BaseThreadInitThunk()	Unknown
 	ntdll.dll!RtlUserThreadStart()	Unknown


But for some reason, the debug symbols (in the debug-pack) aren't matching the binaries.

[2019-03-23 10:31 UTC] nikic@php.net

Thanks for checking! Unfortunately it's hard to do anything here, as a segfault during memory manager shutdown just indicates that memory manager data structures were corrupted at some point, but doesn't really tell us where.

This is the point where I'd usually suggest to set opcache.protect_memory=1, but after checking the code this functionality is currently implemented using mprotect() only and has no VirtualProtect() support, so it won't actually do anything on Windows. We should probably add that to make debugging opcache issues easier on Windows...

[2019-04-15 13:38 UTC] nikic@php.net

Support for opcache.protect_memory=1 on Windows has landed in the meantime, so it might be possible to produce a better trace now. (Assuming that ext/phar is not used, which is not compatible with memory protection right now.)

[2019-04-16 06:55 UTC] mberchtold at gmail dot com

With
opcache.protect_memory=1 
and the latest snapshot, I get the following crash now:


 	[Inline Frame] php_opcache.dll!accel_interned_strings_save_state() Line 416	C
 	php_opcache.dll!accel_use_shm_interned_strings() Line 749	C
 	php_opcache.dll!accel_post_startup() Line 2986	C
 	[Inline Frame] php8.dll!zend_post_startup() Line 992	C
 	php8.dll!php_module_startup(_sapi_module_struct * sf, _zend_module_entry * additional_modules, unsigned int num_additional_modules) Line 2337	C
 	php-cgi.exe!php_cgi_startup(_sapi_module_struct * sapi_module) Line 969	C
 	php-cgi.exe!main(int argc, char * * argv) Line 1916	C
>	[Inline Frame] php-cgi.exe!invoke_main() Line 78	C++
 	php-cgi.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk()	Unknown
 	ntdll.dll!RtlUserThreadStart()	Unknown


code:
static void accel_interned_strings_save_state(void)
{
	ZCSG(interned_strings).saved_top = ZCSG(interned_strings).top;
}

debug out:
Unhandled exception thrown: write access violation.
**accel_shared_globals** was 0x100000000080.

[2019-04-29 10:00 UTC] nikic@php.net

That's weird, this call is happening as part of an SHM_UNPROTECT region and shouldn't generate an access violation :/

[2020-01-05 11:58 UTC] cmb@php.net

-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb

[2020-01-05 11:58 UTC] cmb@php.net

Please try a recent PHP 7.4 snapshot[1].  Also note that
preloading support is very much restricted on Windows currently,
and might be dropped altogether[2].

[1] <https://windows.php.net/downloads/snaps/php-7.4/>
[2] <https://github.com/php/php-src/pull/4999>

[2020-01-05 13:34 UTC] mberchtold at gmail dot com

-Status: Feedback +Status: Closed

[2020-01-05 13:34 UTC] mberchtold at gmail dot com

I was recently testing it (2 weeks ago) with a master snapshot. Same issue. I recommend to close this as the opcache is clearly not usable on Windows at the moment.

[2020-01-08 11:04 UTC] cmb@php.net

Thanks for checking!  However, since preloading support has been
removed for Windows[1], this ticket can indeed be closed.

[1] <https://github.com/php/php-src/pull/4999>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Dec 16 09:00:02 2025 UTC