PHP :: Bug #78771 :: PHP FPM segmentation fault with opcache enabled

Bug #78771

PHP FPM segmentation fault with opcache enabled

Submitted:

2019-11-01 17:12 UTC

Modified:

2021-02-21 04:22 UTC

Votes:	11
Avg. Score:	4.5 ± 0.9
Reproduced:	11 of 11 (100.0%)
Same Version:	3 (27.3%)
Same OS:	2 (18.2%)

From:

Bruce at FutureQuest dot net

Assigned:

cmb (profile)

Status:

No Feedback

Package:

Unknown/Other Function

PHP Version:

7.3.11

OS:

Gentoo Linux

Private report:

CVE-ID:

None

View Developer Edit

[2019-11-01 17:12 UTC] Bruce at FutureQuest dot net

Description:
------------
We have started using PHP 7.3 in FPM mode. When we have opcache enabled, it encounters segmentation faults after a while. Disabling opcache eliminates the problem, but that isn't desirable of course. I don't have a specific script that triggers the problem, it appears to come from the interaction of several scripts.

The backtrace always points to something in zend_accel_hash, either zend_accel_hash_update (rarely) or zend_accel_hash_find_ex, in both cases in the condition immediately after "while (entry)". From what gdb is telling me, the pointers in accel_hash->hash_table has been overwritten by strings.

This is version 7.3.11 on Gentoo Linux with effectively no patches, on 32-bit systems.

I have enabled opcache.consistency_checks=1 and opcache.protect_memory=1 to no avail.

This may be the same issue as #77048, but it was suspended so I'm submitting anew. Setting opcache.optimization_level as suggested does not appear to resolve the problem.

Actual result:
--------------
#0  0xdf0c2397 in zend_accel_hash_update (accel_hash=0xd6e00050, key=0xda92ad30 "/big/dom/REDACTED", key_length=71, indirect=0 '\000', data=0xda92abc0) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/zend_accelerator_hash.c:97
#1  0xdf0bd166 in cache_script_in_shared_memory (new_persistent_script=0xda92abc0, key=0xda92acd8 "/big/dom/REDACTED", key_length=71, from_shared_memory=0xf1e9fca8) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/ZendAccelerator.c:1587
#2  0xdf0becff in persistent_compile_file (file_handle=0xf1e9fd90, type=8) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/ZendAccelerator.c:2167
#3  0x043c7012 in zend_include_or_eval (inc_filename=0xdee20640, type=16) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_execute.c:3162
#4  0x043e1488 in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER (execute_data=0xdee20510) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:12464
#5  0x0443a18a in execute_ex (ex=0xdee20020) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:55338
#6  0x0443a2ed in zend_execute (op_array=0xdeed4e60, return_value=0x0) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:60889
#7  0x0435b43a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend.c:1568
#8  0x042bf39f in php_execute_script (primary_file=0xf1ea2188) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/main/main.c:2639
#9  0x0444e3a4 in main (argc=5, argv=0xf1ea23c4) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/sapi/fpm/fpm/fpm_main.c:1950

#0  0xdf0c2589 in zend_accel_hash_find_ex (accel_hash=0xd6e00050, key=0xdee05000 "/big/dom/REDACTED", key_length=32, hash_value=3555166747, data=0) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/zend_accelerator_hash.c:155
#1  0xdf0c27b0 in zend_accel_hash_str_find_entry (accel_hash=0xd6e00050, key=0xdee05000 "/big/dom/REDACTED", key_length=32) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/zend_accelerator_hash.c:221
#2  0xdf0bf2c5 in persistent_zend_resolve_path (filename=0xdee05000 "/big/dom/REDACTED", filename_len=32) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/ZendAccelerator.c:2293
#3  0x042c5084 in php_fopen_primary_script (file_handle=0xf1ea2188) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/main/fopen_wrappers.c:421
#4  0x0444e259 in main (argc=5, argv=0xf1ea23c4) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/sapi/fpm/fpm/fpm_main.c:1929

#0  0xdf0c2589 in zend_accel_hash_find_ex (accel_hash=0xd6e00050, key=0xdefc4a10 "/big/dom/REDACTED", key_length=78, hash_value=3274861205, data=0) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/zend_accelerator_hash.c:155
#1  0xdf0c27b0 in zend_accel_hash_str_find_entry (accel_hash=0xd6e00050, key=0xdefc4a10 "/big/dom/REDACTED", key_length=78) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/zend_accelerator_hash.c:221
#2  0xdf0bf2c5 in persistent_zend_resolve_path (filename=0xdefc4a10 "/big/dom/REDACTED", filename_len=78) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/opcache/ZendAccelerator.c:2293
#3  0x043c6f11 in zend_include_or_eval (inc_filename=0xdee206a0, type=4) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_execute.c:3140
#4  0x043e1488 in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER (execute_data=0xdee20650) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:12464
#5  0x0443a18a in execute_ex (ex=0xdee20650) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:55338
#6  0x04343de2 in zend_call_function (fci=0xf1e9fbc4, fci_cache=0xf1e9fbb4) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_execute_API.c:756
#7  0x040c6884 in zif_spl_autoload_call (execute_data=0xdee20610, return_value=0xf1e9fd34) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/ext/spl/php_spl.c:448
#8  0x04343ea8 in zend_call_function (fci=0xf1e9fd54, fci_cache=0xf1e9fd44) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_execute_API.c:770
#9  0x0434459a in zend_lookup_class_ex (name=0xd747f8cc, key=0xda9d4338, use_autoload=1) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_execute_API.c:926
#10 0x04345480 in zend_fetch_class_by_name (class_name=0xd747f8cc, key=0xda9d4338, fetch_type=512) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_execute_API.c:1361
#11 0x043d29a1 in ZEND_INIT_STATIC_METHOD_CALL_SPEC_CONST_CONST_HANDLER (execute_data=0xdee205c0) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:5209
#12 0x0443a18a in execute_ex (ex=0xdee20020) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:55338
#13 0x0443a2ed in zend_execute (op_array=0xdee73320, return_value=0x0) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend_vm_execute.h:60889
#14 0x0435b43a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/Zend/zend.c:1568
#15 0x042bf39f in php_execute_script (primary_file=0xf1ea2188) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/main/main.c:2639
#16 0x0444e3a4 in main (argc=5, argv=0xf1ea23c4) at /var/tmp/portage/dev-lang/php-7.3.11/work/sapis-build/fpm/sapi/fpm/fpm/fpm_main.c:1950

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-12-16 06:43 UTC] nick at nickg dot me dot uk

I see this too occasionally on 32-bit Debian PHP 7.3.19-1~deb10u1

(gdb) bt
#0  zend_accel_hash_find_ex (data=1, hash_value=4103019430, key_length=30,
    key=0xe8b6f4dc "/sites/doof/wp-blog-header.php", accel_hash=0xe86f3050)
    at ./ext/opcache/zend_accelerator_hash.c:155
#1  zend_accel_hash_str_find (accel_hash=0xe86f3050,
    key=0xe8b6f4dc "/sites/doof/wp-blog-header.php", key_length=30)
    at ./ext/opcache/zend_accelerator_hash.c:208
#2  0xf529befa in persistent_compile_file (type=8, file_handle=0xffa7c7a0)
    at ./ext/opcache/ZendAccelerator.c:2001
#3  persistent_compile_file (file_handle=0xffa7c7a0, type=8)
    at ./ext/opcache/ZendAccelerator.c:1937
#4  0x567a4f2c in compile_filename (type=8, filename=0xea12df08)
    at Zend/zend_language_scanner.l:662
#5  0x56824320 in zend_include_or_eval (inc_filename=0xea12df08, type=8)
    at ./Zend/zend_execute.c:3192
#6  0x56858bad in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER () at ./Zend/zend_vm_execute.h:3259
#7  0x5685f78a in execute_ex (ex=0xe8ef3038) at ./Zend/zend_vm_execute.h:55813
#8  0x56865cf4 in zend_execute (op_array=<optimized out>, return_value=<optimized out>)
    at ./Zend/zend_vm_execute.h:60939
#9  0x567db57d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at ./Zend/zend.c:1568
#10 0x5677b15c in php_execute_script (primary_file=<optimized out>) at ./main/main.c:2637
#11 0x56642858 in main (argc=<optimized out>, argv=<optimized out>)
    at ./sapi/fpm/fpm/fpm_main.c:1951
(gdb) list
150     #endif
151             index = hash_value % accel_hash->max_num_entries;
152
153             entry = accel_hash->hash_table[index];
154             while (entry) {
155                     if (entry->hash_value == hash_value
156                             && entry->key_length == key_length
157                             && !memcmp(entry->key, key, key_length)) {
158                             if (entry->indirect) {
159                                     if (data) {
(gdb) p entry
$7 = (zend_accel_hash_entry *) 0x146
(gdb) p *accel_hash
$8 = {hash_table = 0xe8ef3038, hash_entries = 0xe8f02dd0, num_entries = 1777,
  max_num_entries = 16229, num_direct_entries = 1209}


It looks like the `entry' iterator is bogus (0x146). I'm not sure what other information from GDB is useful? It happens randomly every few weeks but I don't have a reliable way to reproduce it.

[2020-12-16 07:12 UTC] nick at nickg dot me dot uk

It seems accel_hash->hash_table has been corrupted somehow. From the code I think all the entries ought to point into accel_hash->hash_entries, but see the first 100 values here:

(gdb) p *accel_hash->hash_table@100
$60 = {0xe, 0x656c6966, 0x72745f73, 0x62687361, 0x6e69, 0x0, 0x0, 0x1, 0x146, 0xdc7e8ab0,
  0xe, 0x656c6966, 0x65765f73, 0x6f697372, 0x736e, 0x0, 0x2e8c58, 0x1, 0x146, 0xd593d45b,
  0x11, 0x656c6966, 0x69765f73, 0x706f6564, 0x6579616c, 0x72, 0x0, 0x1, 0x146, 0xca13d413,
  0xe, 0x73726966, 0x6e757274, 0x617a6977, 0x6472, 0x0, 0x0, 0x1, 0x146, 0xd5f1db93, 0xe,
  0x6c6c7566, 0x74786574, 0x72616573, 0x6863, 0x0, 0x0, 0x1, 0x146, 0x993d994d, 0x1c,
  0x6c6c7566, 0x74786574, 0x72616573, 0x655f6863, 0x7473616c, 0x65736369, 0x68637261, 0x0,
  0x0, 0x0, 0x1, 0x146, 0x911ca07a, 0x9, 0x72676f6c, 0x65646165, 0x72, 0x2f7ac8, 0x1, 0x146,
  0x80d1ed1f, 0x17, 0x6b6f6f6c, 0x735f7075, 0x65767265, 0x6f635f72, 0x63656e6e, 0x726f74,
  0x0, 0x0, 0x1, 0x146, 0xf4ea4358, 0x17, 0x7478656e, 0x756f6c63, 0x6e615f64, 0x6e756f6e,
  0x656d6563, 0x73746e, 0x0, 0x0, 0x1, 0x146, 0xd7bc5eff, 0xd, 0x69746f6e, 0x61636966,
  0x6e6f6974}
(gdb) p *accel_hash->hash_entries@5
$63 = {{hash_value = 3206915583, key = 0xe8f62090 "/sites/doof/wp-admin/about.php",
    next = 0x0, data = 0xe8f61f48, key_length = 30, indirect = 0 '\000'}, {
    hash_value = 3779746733, key = 0xe8f64fa8 "/sites/doof/wp-admin/admin.php", next = 0x0,
    data = 0xe8f64e60, key_length = 30, indirect = 0 '\000'}, {hash_value = 4146891980,
    key = 0xe8f69690 "/sites/doof/wp-load.php", next = 0x0, data = 0xe8f69550,
    key_length = 23, indirect = 0 '\000'}, {hash_value = 4065189634,
    key = 0xe8f6ab30 "/sites/doof/wp-config.php", next = 0x0, data = 0xe8f6a9e8,
    key_length = 25, indirect = 0 '\000'}, {hash_value = 2915712093,
    key = 0xe8f6b158 "/sites/doof/wp-settings.php", next = 0x0, data = 0xe8f6b010,
    key_length = 27, indirect = 0 '\000'}}

[2021-02-11 17:35 UTC] cmb@php.net

-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb

[2021-02-11 17:35 UTC] cmb@php.net

PHP 7.3 is out of active support; does that segfault still happen
with any of the actively supported PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>

[2021-02-21 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 15:01:29 2024 UTC