php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #78771 PHP FPM segmentation fault with opcache enabled
Submitted: 2019-11-01 17:12 UTC Modified: -
Votes:5
Avg. Score:4.6 ± 0.5
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:1 (20.0%)
From: Bruce at FutureQuest dot net Assigned:
Status: Open Package: Unknown/Other Function
PHP Version: 7.3.11 OS: Gentoo Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2019-11-01 17:12 UTC] Bruce at FutureQuest dot net 
Description:
------------
We have started using PHP 7.3 in FPM mode. When we have opcache enabled, it encounters segmentation faults after a while. Disabling opcache eliminates the problem, but that isn't desirable of course. I don't have a specific script that triggers the problem, it appears to come from the interaction of several scripts.

The backtrace always points to something in zend_accel_hash, either zend_accel_hash_update (rarely) or zend_accel_hash_find_ex, in both cases in the condition immediately after "while (entry)". From what gdb is telling me, the pointers in accel_hash->hash_table has been overwritten by strings.

This is version 7.3.11 on Gentoo Linux with effectively no patches, on 32-bit systems.

I have enabled opcache.consistency_checks=1 and opcache.protect_memory=1 to no avail.

This may be the same issue as #77048, but it was suspended so I'm submitting anew. Setting opcache.optimization_level as suggested does not appear to resolve the problem.

Actual result:
--------------
#0  0xdf0c2397 in zend_accel_hash_update (accel_hash=0xd6e00050, key=0xda92ad30 "/big/dom/REDACTED", key_length=71, indirect=0 '\000', data=0xda92abc0) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/zend_accelerator_hash.c:97
#1  0xdf0bd166 in cache_script_in_shared_memory (new_persistent_script=0xda92abc0, key=0xda92acd8 "/big/dom/REDACTED", key_length=71, from_shared_memory=0xf1e9fca8) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/ZendAccelerator.c:1587
#2  0xdf0becff in persistent_compile_file (file_handle=0xf1e9fd90, type=8) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/ZendAccelerator.c:2167
#3  0x043c7012 in zend_include_or_eval (inc_filename=0xdee20640, type=16) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_execute.c:3162
#4  0x043e1488 in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER (execute_data=0xdee20510) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:12464
#5  0x0443a18a in execute_ex (ex=0xdee20020) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:55338
#6  0x0443a2ed in zend_execute (op_array=0xdeed4e60, return_value=0x0) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:60889
#7  0x0435b43a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend.c:1568
#8  0x042bf39f in php_execute_script (primary_file=0xf1ea2188) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/main/main.c:2639
#9  0x0444e3a4 in main (argc=5, argv=0xf1ea23c4) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/sapi/fpm/fpm/fpm_main.c:1950

#0  0xdf0c2589 in zend_accel_hash_find_ex (accel_hash=0xd6e00050, key=0xdee05000 "/big/dom/REDACTED", key_length=32, hash_value=3555166747, data=0) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/zend_accelerator_hash.c:155
#1  0xdf0c27b0 in zend_accel_hash_str_find_entry (accel_hash=0xd6e00050, key=0xdee05000 "/big/dom/REDACTED", key_length=32) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/zend_accelerator_hash.c:221
#2  0xdf0bf2c5 in persistent_zend_resolve_path (filename=0xdee05000 "/big/dom/REDACTED", filename_len=32) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/ZendAccelerator.c:2293
#3  0x042c5084 in php_fopen_primary_script (file_handle=0xf1ea2188) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/main/fopen_wrappers.c:421
#4  0x0444e259 in main (argc=5, argv=0xf1ea23c4) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/sapi/fpm/fpm/fpm_main.c:1929

#0  0xdf0c2589 in zend_accel_hash_find_ex (accel_hash=0xd6e00050, key=0xdefc4a10 "/big/dom/REDACTED", key_length=78, hash_value=3274861205, data=0) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/zend_accelerator_hash.c:155
#1  0xdf0c27b0 in zend_accel_hash_str_find_entry (accel_hash=0xd6e00050, key=0xdefc4a10 "/big/dom/REDACTED", key_length=78) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/zend_accelerator_hash.c:221
#2  0xdf0bf2c5 in persistent_zend_resolve_path (filename=0xdefc4a10 "/big/dom/REDACTED", filename_len=78) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/ZendAccelerator.c:2293
#3  0x043c6f11 in zend_include_or_eval (inc_filename=0xdee206a0, type=4) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_execute.c:3140
#4  0x043e1488 in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER (execute_data=0xdee20650) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:12464
#5  0x0443a18a in execute_ex (ex=0xdee20650) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:55338
#6  0x04343de2 in zend_call_function (fci=0xf1e9fbc4, fci_cache=0xf1e9fbb4) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_execute_API.c:756
#7  0x040c6884 in zif_spl_autoload_call (execute_data=0xdee20610, return_value=0xf1e9fd34) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/spl/php_spl.c:448
#8  0x04343ea8 in zend_call_function (fci=0xf1e9fd54, fci_cache=0xf1e9fd44) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_execute_API.c:770
#9  0x0434459a in zend_lookup_class_ex (name=0xd747f8cc, key=0xda9d4338, use_autoload=1) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_execute_API.c:926
#10 0x04345480 in zend_fetch_class_by_name (class_name=0xd747f8cc, key=0xda9d4338, fetch_type=512) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_execute_API.c:1361
#11 0x043d29a1 in ZEND_INIT_STATIC_METHOD_CALL_SPEC_CONST_CONST_HANDLER (execute_data=0xdee205c0) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:5209
#12 0x0443a18a in execute_ex (ex=0xdee20020) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:55338
#13 0x0443a2ed in zend_execute (op_array=0xdee73320, return_value=0x0) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:60889
#14 0x0435b43a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend.c:1568
#15 0x042bf39f in php_execute_script (primary_file=0xf1ea2188) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/main/main.c:2639
#16 0x0444e3a4 in main (argc=5, argv=0xf1ea23c4) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/sapi/fpm/fpm/fpm_main.c:1950

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-12-16 06:43 UTC] nick at nickg dot me dot uk 
I see this too occasionally on 32-bit Debian PHP 7.3.19-1~deb10u1

(gdb) bt
#0  zend_accel_hash_find_ex (data=1, hash_value=4103019430, key_length=30,
    key=0xe8b6f4dc "/sites/doof/wp-blog-header.php", accel_hash=0xe86f3050)
    at ./ext/opcache/zend_accelerator_hash.c:155
#1  zend_accel_hash_str_find (accel_hash=0xe86f3050,
    key=0xe8b6f4dc "/sites/doof/wp-blog-header.php", key_length=30)
    at ./ext/opcache/zend_accelerator_hash.c:208
#2  0xf529befa in persistent_compile_file (type=8, file_handle=0xffa7c7a0)
    at ./ext/opcache/ZendAccelerator.c:2001
#3  persistent_compile_file (file_handle=0xffa7c7a0, type=8)
    at ./ext/opcache/ZendAccelerator.c:1937
#4  0x567a4f2c in compile_filename (type=8, filename=0xea12df08)
    at Zend/zend_language_scanner.l:662
#5  0x56824320 in zend_include_or_eval (inc_filename=0xea12df08, type=8)
    at ./Zend/zend_execute.c:3192
#6  0x56858bad in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER () at ./Zend/zend_vm_execute.h:3259
#7  0x5685f78a in execute_ex (ex=0xe8ef3038) at ./Zend/zend_vm_execute.h:55813
#8  0x56865cf4 in zend_execute (op_array=<optimized out>, return_value=<optimized out>)
    at ./Zend/zend_vm_execute.h:60939
#9  0x567db57d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at ./Zend/zend.c:1568
#10 0x5677b15c in php_execute_script (primary_file=<optimized out>) at ./main/main.c:2637
#11 0x56642858 in main (argc=<optimized out>, argv=<optimized out>)
    at ./sapi/fpm/fpm/fpm_main.c:1951
(gdb) list
150     #endif
151             index = hash_value % accel_hash->max_num_entries;
152
153             entry = accel_hash->hash_table[index];
154             while (entry) {
155                     if (entry->hash_value == hash_value
156                             && entry->key_length == key_length
157                             && !memcmp(entry->key, key, key_length)) {
158                             if (entry->indirect) {
159                                     if (data) {
(gdb) p entry
$7 = (zend_accel_hash_entry *) 0x146
(gdb) p *accel_hash
$8 = {hash_table = 0xe8ef3038, hash_entries = 0xe8f02dd0, num_entries = 1777,
  max_num_entries = 16229, num_direct_entries = 1209}


It looks like the `entry' iterator is bogus (0x146). I'm not sure what other information from GDB is useful? It happens randomly every few weeks but I don't have a reliable way to reproduce it.
 [2020-12-16 07:12 UTC] nick at nickg dot me dot uk 
It seems accel_hash->hash_table has been corrupted somehow. From the code I think all the entries ought to point into accel_hash->hash_entries, but see the first 100 values here:

(gdb) p *accel_hash->hash_table@100
$60 = {0xe, 0x656c6966, 0x72745f73, 0x62687361, 0x6e69, 0x0, 0x0, 0x1, 0x146, 0xdc7e8ab0,
  0xe, 0x656c6966, 0x65765f73, 0x6f697372, 0x736e, 0x0, 0x2e8c58, 0x1, 0x146, 0xd593d45b,
  0x11, 0x656c6966, 0x69765f73, 0x706f6564, 0x6579616c, 0x72, 0x0, 0x1, 0x146, 0xca13d413,
  0xe, 0x73726966, 0x6e757274, 0x617a6977, 0x6472, 0x0, 0x0, 0x1, 0x146, 0xd5f1db93, 0xe,
  0x6c6c7566, 0x74786574, 0x72616573, 0x6863, 0x0, 0x0, 0x1, 0x146, 0x993d994d, 0x1c,
  0x6c6c7566, 0x74786574, 0x72616573, 0x655f6863, 0x7473616c, 0x65736369, 0x68637261, 0x0,
  0x0, 0x0, 0x1, 0x146, 0x911ca07a, 0x9, 0x72676f6c, 0x65646165, 0x72, 0x2f7ac8, 0x1, 0x146,
  0x80d1ed1f, 0x17, 0x6b6f6f6c, 0x735f7075, 0x65767265, 0x6f635f72, 0x63656e6e, 0x726f74,
  0x0, 0x0, 0x1, 0x146, 0xf4ea4358, 0x17, 0x7478656e, 0x756f6c63, 0x6e615f64, 0x6e756f6e,
  0x656d6563, 0x73746e, 0x0, 0x0, 0x1, 0x146, 0xd7bc5eff, 0xd, 0x69746f6e, 0x61636966,
  0x6e6f6974}
(gdb) p *accel_hash->hash_entries@5
$63 = {{hash_value = 3206915583, key = 0xe8f62090 "/sites/doof/wp-admin/about.php",
    next = 0x0, data = 0xe8f61f48, key_length = 30, indirect = 0 '\000'}, {
    hash_value = 3779746733, key = 0xe8f64fa8 "/sites/doof/wp-admin/admin.php", next = 0x0,
    data = 0xe8f64e60, key_length = 30, indirect = 0 '\000'}, {hash_value = 4146891980,
    key = 0xe8f69690 "/sites/doof/wp-load.php", next = 0x0, data = 0xe8f69550,
    key_length = 23, indirect = 0 '\000'}, {hash_value = 4065189634,
    key = 0xe8f6ab30 "/sites/doof/wp-config.php", next = 0x0, data = 0xe8f6a9e8,
    key_length = 25, indirect = 0 '\000'}, {hash_value = 2915712093,
    key = 0xe8f6b158 "/sites/doof/wp-settings.php", next = 0x0, data = 0xe8f6b010,
    key_length = 27, indirect = 0 '\000'}}
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved. 		Last updated: Tue Jan 26 22:01:26 2021 UTC