Bug #80899 Segfault in sapi_deactivate when opcache is enabled
Submitted: 2021-03-23 17:54 UTC Modified: 2021-03-24 11:27 UTC
Votes: 2
Avg. Score: 4.0 ± 1.0
Reproduced: 2 of 2 (100.0%)
Same Version: 2 (100.0%)
Same OS: 1 (50.0%)
From: seisenhauer at dropbox dot com Assigned:
Status: Open Package: opcache
PHP Version: 7.4.16 OS: Ubuntu 18.04.5 LTS
Private report: No CVE-ID: None
 [2021-03-23 17:54 UTC] seisenhauer at dropbox dot com
Description:
------------
We are in the process of upgrading a PHP7.3 web application to PHP7.4, and certain endpoints with certain request payloads reliably result in a segfault in the second and subsequent requests (the first request after restarting Apache always works without a crash).

Disabling opcache (either by setting opcache.enabled=0 in INI or by removing it from apache2/conf.d entirely) makes the segfaults stop completely. Other opcache INI settings tweaks (e.g. opcache.optimization_level=0) had no effect.

Attempts to isolate the contributing factor(s) in the application code have been unsuccessful; seemingly unrelated changes appear to mitigate the crash by accident, such as assigning (or not assigning) a result to a local variable, or slightly modifying string values that are used in the scripts or provided via the HTTP request payload.

This was originally encountered using PHP 7.4.15, and has persisted through an upgrade to PHP 7.4.16. We are using the packages in Ondřej Surý's PPA.

Backtrace Line Locations on GitHub
==================================

#0: https://github.com/php/php-src/blob/php-7.4.16/Zend/zend_alloc.c#L1368
#1: https://github.com/php/php-src/blob/php-7.4.16/Zend/zend_alloc.c#L2550
#2: https://github.com/php/php-src/blob/php-7.4.16/Zend/zend_llist.c#L109
#3: https://github.com/php/php-src/blob/php-7.4.16/main/SAPI.c#L496
#4: https://github.com/php/php-src/blob/php-7.4.16/main/main.c#L1930

Installed Package Versions (Sample)
===================================

libapache2-mod-php7.4/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
libapache2-mod-php7.4-dbgsym/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 [installed]
php7.4/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 all 
php7.4-apcu/bionic,now 5.1.19+4.0.11-7+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-apcu-bc/bionic,now 1.0.5-13+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-bcmath/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-cli/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 [installed]
php7.4-common/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-common-dbgsym/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 [installed]
php7.4-curl/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-dev/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-gd/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-geoip/bionic,now 1.1.1-12+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-http/bionic,now 4.0.0+3.2.4+2.6.0-7+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-igbinary/bionic,now 3.2.1+2.0.8-6+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-imagick/bionic,now 3.4.4-9 amd64 
php7.4-imap/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-intl/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-json/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-mbstring/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-memcache/bionic,now 8.0+4.0.5.2+3.0.9~20170802.e702b5f9+-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-memcached/bionic,now 3.1.5+2.2.0-9+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-msgpack/bionic,now 2.1.2+0.5.7-6+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-mysql/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-oauth/bionic,now 2.0.7+1.2.3-7+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-opcache/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-opcache-dbgsym/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 [installed]
php7.4-pcov/bionic,now 1.0.6-10+ubuntu18.04.1+deb.sury.org+1 amd64 [installed]
php7.4-propro/bionic,now 2.1.0+1.0.2+nophp8-8+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-raphf/bionic,now 2.0.1+1.1.2-8+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-readline/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-redis/bionic,now 5.3.2+4.3.0-7+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-soap/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-xdebug/bionic,now 3.0.3+2.9.8+2.8.1+2.5.5-1+ubuntu18.04.1+deb.sury.org+1 amd64 [installed]
php7.4-xml/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 
php7.4-zip/bionic,now 7.4.16-1+ubuntu18.04.1+deb.sury.org+1 amd64 

Test script:
---------------
Unable to provide a sample at this time

Actual result:
--------------
GDB Backtrace
=============

Program received signal SIGSEGV, Segmentation fault.
zend_mm_free_heap (ptr=0x6e72657478652f67, heap=0x7fefefe00040) at ./Zend/zend_alloc.c:1368
1368    ./Zend/zend_alloc.c: No such file or directory.
(gdb) backtrace full
#0  zend_mm_free_heap (ptr=0x6e72657478652f67, heap=0x7fefefe00040) at ./Zend/zend_alloc.c:1368
        chunk = 0x6e72657478600000
        page_num = 82
        info = <optimized out>
        page_offset = 339815
        page_offset = <optimized out>
        chunk = <optimized out>
        page_num = <optimized out>
        info = <optimized out>
        pages_count = <optimized out>
#1  _efree (ptr=0x6e72657478652f67) at ./Zend/zend_alloc.c:2550
No locals.
#2  0x00007feff55ab7b7 in zend_llist_destroy (l=l@entry=0x7feff59942a0 <sapi_globals+160>) at ./Zend/zend_llist.c:109
        current = 0x7fefefee1730
        next = 0x7fefeffd41b8
#3  0x00007feff555e42f in sapi_deactivate () at ./main/SAPI.c:496
No locals.
#4  0x00007feff55555a2 in php_request_shutdown (dummy=dummy@entry=0x0) at ./main/main.c:1930
        __orig_bailout = <optimized out>
        __bailout = {{__jmpbuf = {140668594372416, 346286686061158855, 140668767502496, 0, 140734527642324, 0, 355562081879024071, 
              346285074702754247}, __mask_was_saved = 0, __saved_mask = {__val = {140668767502496, 0, 32, 18446744073709551536, 
                140668767502496, 0, 140734527642324, 0, 140668754407884, 1, 140668493343985, 30251, 140668590402569, 140668495658144, 
                140668594374432, 140668767502496}}}}
        report_memleaks = 1 '\001'
#5  0x00007feff5646cbf in php_apache_request_dtor (r=0x7fefffeb00a0) at ./sapi/apache2handler/sapi_apache2.c:542
No locals.
#6  php_handler (r=<optimized out>) at ./sapi/apache2handler/sapi_apache2.c:712
        ctx = 0x7feff014ab00
        conf = <optimized out>
        brigade = 0x7feff0147d88
        bucket = <optimized out>
        rv = <optimized out>
        parent_req = 0x0
#7  0x000056251ff450e0 in ap_run_handler ()
No symbol table info available.
#8  0x000056251ff4565d in ap_invoke_handler ()
No symbol table info available.
#9  0x000056251ff5d4db in ap_process_async_request ()
No symbol table info available.
#10 0x000056251ff5d6be in ap_process_request ()
No symbol table info available.
#11 0x000056251ff5999d in ?? ()
No symbol table info available.
#12 0x000056251ff4e9f0 in ap_run_process_connection ()
No symbol table info available.
#13 0x00007feff1c24831 in ?? () from target:/usr/lib/apache2/modules/mod_mpm_prefork.so
No symbol table info available.
#14 0x00007feff1c24b34 in ?? () from target:/usr/lib/apache2/modules/mod_mpm_prefork.so
No symbol table info available.
#15 0x00007feff1c24b71 in ?? () from target:/usr/lib/apache2/modules/mod_mpm_prefork.so
No symbol table info available.
#16 0x00007feff1c2525f in ?? () from target:/usr/lib/apache2/modules/mod_mpm_prefork.so
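A triage helper added here (not part of the report or of php-src) that recomputes the locals GDB shows in frame #0 and decodes the faulting `ptr`. It assumes PHP 7.4's default Zend MM geometry (2 MB chunks of 4 KB pages) and takes the frame line quoted above as constructed input; if the recomputed chunk, page_num and page_offset match the backtrace, the decoding of `ptr` can be trusted.

```python
import re
from typing import Optional

# Constructed sample input: frame #0 of the GDB backtrace quoted in the report.
FRAME0 = ("zend_mm_free_heap (ptr=0x6e72657478652f67, heap=0x7fefefe00040) "
          "at ./Zend/zend_alloc.c:1368")

# Zend MM geometry assumed here (PHP 7.4 defaults): 2 MB chunks of 4 KB pages.
ZEND_MM_CHUNK_SIZE = 2 * 1024 * 1024
ZEND_MM_PAGE_SIZE = 4 * 1024

def parse_arg(frame: str, name: str) -> int:
    """Pull the hex value of argument `name` out of a GDB frame line."""
    m = re.search(rf"\b{name}=0x([0-9a-fA-F]+)", frame)
    if not m:
        raise ValueError(f"argument {name}= not found in frame")
    return int(m.group(1), 16)

def zend_mm_locate(ptr: int) -> dict:
    """Recompute the locals zend_mm_free_heap derives from ptr: the chunk
    base, the byte offset inside the chunk and the 4 KB page number."""
    page_offset = ptr & (ZEND_MM_CHUNK_SIZE - 1)
    return {"chunk": ptr - page_offset,
            "page_offset": page_offset,
            "page_num": page_offset // ZEND_MM_PAGE_SIZE}

def as_ascii(value: int) -> Optional[str]:
    """Read a 64-bit value as little-endian bytes; return the text if every
    byte is printable ASCII, else None. A 'pointer' that decodes cleanly was
    almost certainly overwritten by string data before the free."""
    raw = value.to_bytes(8, "little")
    if all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None

def triage(frame: str) -> dict:
    """Classify the faulting pointer of a zend_mm_free_heap frame."""
    ptr = parse_arg(frame, "ptr")
    result = zend_mm_locate(ptr)
    result["ascii"] = as_ascii(ptr)
    # User-space x86-64 addresses fit in 47 bits; a larger value cannot be a
    # valid heap pointer, so the free is operating on corrupted list metadata.
    result["plausible_address"] = ptr < (1 << 47)
    return result

if __name__ == "__main__":
    for key, val in triage(FRAME0).items():
        fmt = f"{val:#x}" if isinstance(val, int) and not isinstance(val, bool) else str(val)
        print(f"{key}: {fmt}")
```

For this report the recomputed chunk, page_num and page_offset equal the values GDB printed, and `ptr` decodes to the text "g/extern", which points to an earlier overwrite of the zend_llist node rather than a fault in shutdown itself.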

 [2021-03-24 11:27 UTC] cmb@php.net
I presume the memory corruption happens earlier, but only manifests during shutdown; if so, the backtrace is not of particular value. Running Apache with valgrind -M might produce a more useful report.
Last updated: Sun Oct 13 05:01:27 2024 UTC