php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79973 Segfault in php-fpm
Submitted: 2020-08-13 13:57 UTC Modified: 2020-09-20 04:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: php at mni dot de Assigned:
Status: No Feedback Package: FPM related
PHP Version: 7.4.9 OS: CentOS 7.8.2003
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2020-08-13 13:57 UTC] php at mni dot de
Description:
------------
We experiences a problem with a Wordpress/Woocommerce Installation. Some of our users are no longer able to login, when they have a saved shopping cart in the database. The login fails with a 502 (Bad Gateway) Error because the FPM-Child dies with a segfault:

[2083913.678027] php-fpm[18682]: segfault at 7ffd48dddff8 ip 000055ffaf5ae175 sp 00007ffd48dde000 error 6 in php-fpm[55ffaf320000+472000]

Core was generated by `php-fpm: pool www              '.
Program terminated with signal 11, Segmentation fault.
#0  0x0000560723ee1e09 in zend_dtoa (dd=39.899999999999999, mode=mode@entry=3, ndigits=ndigits@entry=2, decpt=decpt@entry=0x7ffcbac60098, sign=sign@entry=0x7ffcbac60174, 
    rve=rve@entry=0x7ffcbac60030) at /usr/src/debug/php-7.4.9/Zend/zend_strtod.c:3721
3721	{

If it is useful for debugging, i can send you the whole Core-Dump (350MB).

The problem exists also on Centos 7.6 with php7.3. I can 'solve' the problem by deleting the saved shopping cart entry from the database. The problem ist reproducible on a staging server.

Please let me know, what further information do you need. Thank you in advance.

Expected result:
----------------
No segfault, User is able to login.

Actual result:
--------------
segfault, see above

backtrace 

#0  0x0000560723ee1e09 in zend_dtoa (dd=39.899999999999999, mode=mode@entry=3, ndigits=ndigits@entry=2, decpt=decpt@entry=0x7ffcbac60098, sign=sign@entry=0x7ffcbac60174, 
    rve=rve@entry=0x7ffcbac60030) at /usr/src/debug/php-7.4.9/Zend/zend_strtod.c:3721
#1  0x0000560723e5e1d7 in __cvt (value=value@entry=39.899999999999999, ndigit=ndigit@entry=2, decpt=0x7ffcbac60098, sign=sign@entry=0x7ffcbac60174, fmode=fmode@entry=1, pad=1)
    at /usr/src/debug/php-7.4.9/main/snprintf.c:90
#2  0x0000560723e5e4db in php_fcvt (sign=0x7ffcbac60174, decpt=0x7ffcbac60098, ndigit=2, value=39.899999999999999) at /usr/src/debug/php-7.4.9/main/snprintf.c:386
#3  php_conv_fp (format=<optimized out>, num=num@entry=39.899999999999999, add_dp=NO, precision=2, dec_point=<optimized out>, is_negative=is_negative@entry=0x7ffcbac60174, 
    buf=buf@entry=0x7ffcbac601a1 "", len=0x7ffcbac60178) at /usr/src/debug/php-7.4.9/main/snprintf.c:386
#4  0x0000560723e6117a in xbuf_format_converter (xbuf=0x7ffcbac60620, is_char=0 '\000', fmt=0x560723fb12f6 "F", ap=0x7ffcbac60650) at /usr/src/debug/php-7.4.9/main/spprintf.c:637
#5  0x0000560723ebe009 in zend_vstrpprintf (max_len=0, format=<optimized out>, ap=ap@entry=0x7ffcbac60650) at /usr/src/debug/php-7.4.9/Zend/zend.c:243
#6  0x0000560723ebe104 in zend_strpprintf (max_len=max_len@entry=0, format=format@entry=0x560723fb12f3 "%.*F") at /usr/src/debug/php-7.4.9/Zend/zend.c:264
#7  0x0000560723e1978e in _php_math_number_format_ex (d=39.899999999999999, dec=2, dec_point=dec_point@entry=0x7ffcbac607bc ".+\f\340\002", dec_point_len=dec_point_len@entry=1, 
    thousand_sep=thousand_sep@entry=0x7ffcbac607b8 ",\003D[.+\f\340\002", thousand_sep_len=thousand_sep_len@entry=1) at /usr/src/debug/php-7.4.9/ext/standard/math.c:1160
#8  0x0000560723e19be7 in _php_math_number_format (d=<optimized out>, dec=<optimized out>, dec_point=<optimized out>, thousand_sep=<optimized out>)
    at /usr/src/debug/php-7.4.9/ext/standard/math.c:1138
#9  0x0000560723e19d69 in zif_number_format () at /usr/src/debug/php-7.4.9/ext/standard/math.c:1282
#10 0x0000560723f40768 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php-7.4.9/Zend/zend_vm_execute.h:1314
#11 execute_ex () at /usr/src/debug/php-7.4.9/Zend/zend_vm_execute.h:53740
#12 0x0000560723eb07e6 in zend_call_function () at /usr/src/debug/php-7.4.9/Zend/zend_execute_API.c:813
#13 0x0000560723de0b09 in php_array_user_compare (a=<optimized out>, b=<optimized out>) at /usr/src/debug/php-7.4.9/ext/standard/array.c:971
#14 0x0000560723ed93f0 in zend_sort_3 (swp=<optimized out>, cmp=<optimized out>, c=<optimized out>, b=<optimized out>, a=<optimized out>) at /usr/src/debug/php-7.4.9/Zend/zend_sort.c:104
#15 zend_sort_3 (swp=<optimized out>, cmp=<optimized out>, c=<optimized out>, b=<optimized out>, a=<optimized out>) at /usr/src/debug/php-7.4.9/Zend/zend_sort.c:98
#16 zend_insert_sort (base=0x7ff0b6085940, nmemb=<optimized out>, siz=32, cmp=0x560723de0a80 <php_array_user_compare>, swp=0x560723eca8e0 <zend_hash_bucket_swap>)
    at /usr/src/debug/php-7.4.9/Zend/zend_sort.c:160
#17 0x0000560723ed1a2a in zend_hash_sort_ex (ht=ht@entry=0x7ff0b60839d8, sort=<optimized out>, compar=compar@entry=0x560723de0a80 <php_array_user_compare>, renumber=<optimized out>)
    at /usr/src/debug/php-7.4.9/Zend/zend_hash.c:2493
#18 0x0000560723de0f8f in php_usort () at /usr/src/debug/php-7.4.9/ext/standard/array.c:1038
#19 0x0000560723f40768 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php-7.4.9/Zend/zend_vm_execute.h:1314
#20 execute_ex () at /usr/src/debug/php-7.4.9/Zend/zend_vm_execute.h:53740
#21 0x0000560723eb07e6 in zend_call_function () at /usr/src/debug/php-7.4.9/Zend/zend_execute_API.c:813
#22 0x0000560723de0b09 in php_array_user_compare (a=<optimized out>, b=<optimized out>) at /usr/src/debug/php-7.4.9/ext/standard/array.c:971
#23 0x0000560723ed93f0 in zend_sort_3 (swp=<optimized out>, cmp=<optimized out>, c=<optimized out>, b=<optimized out>, a=<optimized out>) at /usr/src/debug/php-7.4.9/Zend/zend_sort.c:104
#24 zend_sort_3 (swp=<optimized out>, cmp=<optimized out>, c=<optimized out>, b=<optimized out>, a=<optimized out>) at /usr/src/debug/php-7.4.9/Zend/zend_sort.c:98
#25 zend_insert_sort (base=0x7ff0b6082640, nmemb=<optimized out>, siz=32, cmp=0x560723de0a80 <php_array_user_compare>, swp=0x560723eca8e0 <zend_hash_bucket_swap>)
    at /usr/src/debug/php-7.4.9/Zend/zend_sort.c:160
#26 0x0000560723ed1a2a in zend_hash_sort_ex (ht=ht@entry=0x7ff0b60833f0, sort=<optimized out>, compar=compar@entry=0x560723de0a80 <php_array_user_compare>, renumber=<optimized out>)
    at /usr/src/debug/php-7.4.9/Zend/zend_hash.c:2493
#27 0x0000560723de0f8f in php_usort () at /usr/src/debug/php-7.4.9/ext/standard/array.c:1038
#28 0x0000560723f40768 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php-7.4.9/Zend/zend_vm_execute.h:1314
#29 execute_ex () at /usr/src/debug/php-7.4.9/Zend/zend_vm_execute.h:53740
#30 0x0000560723eb07e6 in zend_call_function () at /usr/src/debug/php-7.4.9/Zend/zend_execute_API.c:813
#31 0x0000560723de0b09 in php_array_user_compare (a=<optimized out>, b=<optimized out>) at /usr/src/debug/php-7.4.9/ext/standard/array.c:971
#32 0x0000560723ed93f0 in zend_sort_3 (swp=<optimized out>, cmp=<optimized out>, c=<optimized out>, b=<optimized out>, a=<optimized out>) at /usr/src/debug/php-7.4.9/Zend/zend_sort.c:104


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-08-13 14:07 UTC] nikic@php.net
The backtrace corresponds to a number_format(39.899999999999999, 2) call. Doesn't crash locally and presumably wouldn't crash for you either, if it were an isolated call.
 [2020-08-16 16:07 UTC] php at mni dot de
Thanks for your Feedback, so opening a ticket at woo/wp would be the way to go?
 [2020-08-16 19:26 UTC] nikic@php.net
No, this is almost certainly an issue with PHP or a PHP extension, just the place where it crashes is pretty harmless, so it's hard to guess at the root cause here.
 [2020-08-18 14:10 UTC] php at mni dot de
Just tested it on a Debian 10.5 Box with PHP 7.3.19, same Problem.
 [2020-08-18 15:03 UTC] requinix@php.net
Line 3721 is the beginning of the function.

#32-24 and #23-15 are identical. How deep does the backtrace go? Is this recursion?
 [2020-08-18 15:31 UTC] php at mni dot de
Yes, this is a recursion
 [2020-08-18 15:50 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2020-08-18 15:50 UTC] requinix@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Do you have something about the shopping cart that tries to sort it? Can you find and post that code? From the backtrace it looks like the sorting is done through usort() or related, but then the comparison function itself also tries to do a sort.
 [2020-08-19 06:40 UTC] php at mni dot de
Sorry but i don't have a script to reproduce the error because we only use third-party components like Wordpress (5.4.2), Woocommerce (4.3.2) and some Plugins.

The error happens during login, example:

"POST /my-account/ HTTP/1.1" 302 5 "https://staging.renderpeople.com/my-account/" 
"GET /my-account/ HTTP/1.1" 502 559 "https://staging.renderpeople.com/my-account/"

One of the affected carts is:

meta_key: _woocommerce_persistent_cart_1
meta_value:
a:1:{s:4:"cart";a:2:{s:32:"2f00b4f18ac4c685904b5df21bd3375c";a:11:{s:3:"key";s:32:"e1272f71b59ec211ff46e3cb8f6ae85a";s:10:"product_id";i:385498;s:12:"variation_id";i:385519;s:9:"variation";a:1:{s:24:"attribute_pa_file-format";s:13:"cinema-4d-obj";}s:8:"quantity";i:1;s:9:"data_hash";s:32:"6337484db59620a170393f98c3bb108d";s:13:"line_tax_data";a:2:{s:8:"subtotal";a:1:{i:12;d:7.98;}s:5:"total";a:1:{i:12;d:7.98;}}s:13:"line_subtotal";d:39.9;s:17:"line_subtotal_tax";d:7.98;s:10:"line_total";d:39.9;s:8:"line_tax";d:7.98;}s:32:"9715628f446e13a984e34e6de9ec003b";a:6:{s:3:"key";s:32:"9715628f446e13a984e34e6de9ec003b";s:10:"product_id";i:423648;s:12:"variation_id";i:423657;s:9:"variation";a:1:{s:24:"attribute_pa_file-format";s:16:"cinema-4d-obj-fr";}s:8:"quantity";i:1;s:9:"data_hash";s:32:"ec7d1c0d8094a952d31aca630b029fab";}}}

I already tried to modify the cart and the products by changing the price to 40, same error. After deleting this cart from a user he is able to login normally.

 
Please let me know if i can provide you with additional information.

Thank you
 [2020-08-30 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2020-08-30 04:27 UTC] requinix@php.net
-Status: No Feedback +Status: Feedback
 [2020-08-30 04:27 UTC] requinix@php.net
My question was about code that sorts the cart, or is doing something involving sorting and the cart. Because your backtrace suggests that the problem is a flaw in the code, not in PHP itself.
 [2020-09-20 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2020-09-22 13:05 UTC] php at mni dot de
The problem still exist with PHP-7.4.10 on Wordpress 5.5.1 with Woocommerce 4.5.2.
We also created an issue on woocommerce https://github.com/woocommerce/woocommerce/issues/27744 they should know which code sorts the cart.
 [2020-11-12 06:13 UTC] php at mni dot de
Ticket can be closed, the bug was caused by an infinite loop in a Wordpress plugin
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 06:01:30 2024 UTC