Opened 7 months ago

Last modified 2 weeks ago

#338 accepted defect

SEGV triggered by xc_restore_zend_op_array

Reported by: bharat Owned by: moo
Priority: major Milestone: 3.3.0
Component: cacher Version: 3.1.0
Keywords: Cc:
Application: PHP Version:
Other Exts: Zend OPcache SAPI: Irrelevant
Probability: Always Blocked By:
Blocking:

Description

I'm running MediaWiki on my production website and just upgraded to Apache 2.4. When I browse to the http://example.com/Special:SpecialPages page, I get a seg fault in XCache. I built 3.1.0 from source and used it to get the symbols below. Stack trace included along with some very basic debugging in gdb. Can't figure an easy way to get a repro case here since the site is complicated, but if you install a stock MediaWiki you might be able to repro. I can also be remote hands on gdb for you if you need some more data.

$ apache2 -v && php -v
Server version: Apache/2.4.7 (Debian)
Server built:   Jan  2 2014 01:47:52
PHP 5.5.8-3 (cli) (built: Jan 24 2014 09:12:11) 
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2013 Zend Technologies
    with XCache v3.1.0, Copyright (c) 2005-2013, by mOo
    with Zend OPcache v7.0.3-dev, Copyright (c) 1999-2013, by Zend Technologies
    with XCache Optimizer v3.1.0, Copyright (c) 2005-2013, by mOo
    with XCache Cacher v3.1.0, Copyright (c) 2005-2013, by mOo
    with XCache Coverager v3.1.0, Copyright (c) 2005-2013, by mOo

#0  0x00007ff7647d807a in zend_hash_find (ht=0x28, arKey=arKey@entry=0x7ff74269f850 "getInputHTML", nKeyLength=13, 
    pData=pData@entry=0x7fff06d4ee10) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_hash.c:924
#1  0x00007ff757225617 in xc_restore_zend_op_array (processor=processor@entry=0x7fff06d4ef80, dst=<optimized out>, src=<optimized out>)
    at ./xc_processor.c.h:31213
#2  0x00007ff757225f83 in xc_restore_zend_function (processor=processor@entry=0x7fff06d4ef80, dst=<optimized out>, src=<optimized out>)
    at ./xc_processor.c.h:26066
#3  0x00007ff7572260f3 in xc_restore_HashTable_zend_function (processor=processor@entry=0x7fff06d4ef80, dst=dst@entry=0x7ff76df061a8, 
    src=src@entry=0x7ff742771538) at ./xc_processor.c.h:24232
#4  0x00007ff757226a52 in xc_restore_zend_class_entry (processor=processor@entry=0x7fff06d4ef80, dst=<optimized out>, 
    src=<optimized out>) at ./xc_processor.c.h:28657
#5  0x00007ff757227078 in xc_restore_xc_classinfo_t (processor=processor@entry=0x7fff06d4ef80, dst=<optimized out>, src=<optimized out>)
    at ./xc_processor.c.h:31662
#6  0x00007ff7572271ff in xc_restore_xc_entry_data_php_t (processor=processor@entry=0x7fff06d4ef80, dst=dst@entry=0x7fff06d4f260, 
    src=src@entry=0x7ff74267aa88) at ./xc_processor.c.h:32202
#7  0x00007ff7572272e7 in xc_processor_restore_xc_entry_data_php_t (entry_php=entry_php@entry=0x7ff7427b5420, 
    dst=dst@entry=0x7fff06d4f260, src=src@entry=0x7ff74267aa88, readonly_protection=<optimized out>) at ./xc_processor.c.h:1258
#8  0x00007ff75722adbd in xc_compile_restore (stored_entry=0x7ff7427b5420, stored_php=stored_php@entry=0x7ff74267aa88)
    at /usr/home/bharat/local/xcache-3.1.0/mod_cacher/xc_cacher.c:1888
#9  0x00007ff75722d703 in xc_compile_file_cached (compiler=compiler@entry=0x7fff06d4f9c0, h=h@entry=0x7fff06d50bd0, type=type@entry=8)
    at /usr/home/bharat/local/xcache-3.1.0/mod_cacher/xc_cacher.c:2150
#10 0x00007ff75722f13f in xc_compile_file (h=0x7fff06d50bd0, type=8) at /usr/home/bharat/local/xcache-3.1.0/mod_cacher/xc_cacher.c:2200
#11 0x00007ff75723134c in xc_compile_file_for_coverage (h=<optimized out>, type=<optimized out>)
    at /usr/home/bharat/local/xcache-3.1.0/mod_coverager/xc_coverager.c:457
#12 0x00007ff764794537 in compile_filename (type=type@entry=8, filename=filename@entry=0x7ff76de4af08)
    at Zend/zend_language_scanner.l:631
#13 0x00007ff764878333 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (execute_data=0x7ff76c2f2350)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:30925
#14 0x00007ff7647f3768 in execute_ex (execute_data=0x7ff76c2f2350) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#15 0x00007ff7647b9a19 in dtrace_execute_ex (execute_data=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#16 0x00007ff7647bbd18 in zend_call_function (fci=fci@entry=0x7fff06d50fe0, fci_cache=<optimized out>, fci_cache@entry=0x7fff06d50fb0)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_execute_API.c:939
#17 0x00007ff7647e0be5 in zend_call_method (object_pp=0x0, obj_ce=<optimized out>, fn_proxy=0x7ff76d30e130, 
    function_name=0x7ff76d30e108 "autoloader::autoload", function_name_len=<optimized out>, 
    retval_ptr_ptr=retval_ptr_ptr@entry=0x7fff06d510c8, param_count=param_count@entry=1, arg1=0x7ff76de4adc8, arg2=arg2@entry=0x0)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_interfaces.c:97
#18 0x00007ff7646b9d06 in zif_spl_autoload_call (ht=<optimized out>, return_value=<optimized out>, return_value_ptr=<optimized out>, 
    this_ptr=<optimized out>, return_value_used=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/ext/spl/php_spl.c:436
#19 0x00007ff7647b9b1b in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, 
    return_value_used=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:97
#20 0x00007ff7647bbe6b in zend_call_function (fci=fci@entry=0x7fff06d51370, fci_cache=fci_cache@entry=0x7fff06d51340)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_execute_API.c:959
#21 0x00007ff7647bc5e2 in zend_lookup_class_ex (name=name@entry=0x7ff73e83d978 "HTMLSelectField", name_length=<optimized out>, 
    key=0x7ff73e83d798, use_autoload=use_autoload@entry=1, ce=ce@entry=0x7fff06d51408)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_execute_API.c:1115
#22 0x00007ff7647bccc2 in zend_fetch_class_by_name (class_name=0x7ff73e83d978 "HTMLSelectField", class_name_len=<optimized out>, 
    key=<optimized out>, fetch_type=4) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_execute_API.c:1595
#23 0x00007ff764801a99 in ZEND_FETCH_CLASS_SPEC_CONST_HANDLER (execute_data=0x7ff76c2f2230)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:1197
#24 0x00007ff7647f3768 in execute_ex (execute_data=0x7ff76c2f2230) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#25 0x00007ff7647b9a19 in dtrace_execute_ex (execute_data=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#26 0x00007ff7648784bc in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (execute_data=0x7ff76c2f20f0)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:30964
#27 0x00007ff7647f3768 in execute_ex (execute_data=0x7ff76c2f20f0) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#28 0x00007ff7647b9a19 in dtrace_execute_ex (execute_data=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#29 0x00007ff7647bbd18 in zend_call_function (fci=fci@entry=0x7fff06d51890, fci_cache=<optimized out>, fci_cache@entry=0x7fff06d51860)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_execute_API.c:939
#30 0x00007ff7647e0be5 in zend_call_method (object_pp=0x0, obj_ce=<optimized out>, fn_proxy=0x7ff76d30e130, 
    function_name=0x7ff76d30e108 "autoloader::autoload", function_name_len=<optimized out>, 
    retval_ptr_ptr=retval_ptr_ptr@entry=0x7fff06d51978, param_count=param_count@entry=1, arg1=0x7ff76de31fd8, arg2=arg2@entry=0x0)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_interfaces.c:97
#31 0x00007ff7646b9d06 in zif_spl_autoload_call (ht=<optimized out>, return_value=<optimized out>, return_value_ptr=<optimized out>, 
    this_ptr=<optimized out>, return_value_used=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/ext/spl/php_spl.c:436
#32 0x00007ff7647b9b1b in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, 
    return_value_used=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:97
#33 0x00007ff7647bbe6b in zend_call_function (fci=fci@entry=0x7fff06d51c40, fci_cache=fci_cache@entry=0x7fff06d51c10)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_execute_API.c:959
#34 0x00007ff7647bc5e2 in zend_lookup_class_ex (name=name@entry=0x7ff76d578f00 "SpecialBlockList", name_length=name_length@entry=16, 
    key=key@entry=0x0, use_autoload=use_autoload@entry=1, ce=ce@entry=0x7fff06d51cd8)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_execute_API.c:1115
#35 0x00007ff7647bcb08 in zend_fetch_class (class_name=0x7ff76d578f00 "SpecialBlockList", class_name_len=16, fetch_type=4)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_execute_API.c:1572
#36 0x00007ff76480d4f0 in ZEND_FETCH_CLASS_SPEC_CV_HANDLER (execute_data=0x7ff76c2f1f70)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:1940
#37 0x00007ff7647f3768 in execute_ex (execute_data=0x7ff76c2f1f70) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#38 0x00007ff7647b9a19 in dtrace_execute_ex (execute_data=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#39 0x00007ff76487a1bc in zend_do_fcall_common_helper_SPEC (execute_data=0x7ff76c2f1de0)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:584
#40 0x00007ff7647f3768 in execute_ex (execute_data=0x7ff76c2f1de0) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#41 0x00007ff7647b9a19 in dtrace_execute_ex (execute_data=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#42 0x00007ff76487a1bc in zend_do_fcall_common_helper_SPEC (execute_data=0x7ff76c2f1c20)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:584
#43 0x00007ff7647f3768 in execute_ex (execute_data=0x7ff76c2f1c20) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#44 0x00007ff7647b9a19 in dtrace_execute_ex (execute_data=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#45 0x00007ff76487a1bc in zend_do_fcall_common_helper_SPEC (execute_data=0x7ff76c2f1aa8)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:584
#46 0x00007ff7647f3768 in execute_ex (execute_data=0x7ff76c2f1aa8) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#47 0x00007ff7647b9a19 in dtrace_execute_ex (execute_data=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#48 0x00007ff76487a1bc in zend_do_fcall_common_helper_SPEC (execute_data=0x7ff76c2f1998)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:584
#49 0x00007ff7647f3768 in execute_ex (execute_data=0x7ff76c2f1998) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#50 0x00007ff7647b9a19 in dtrace_execute_ex (execute_data=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#51 0x00007ff76487a1bc in zend_do_fcall_common_helper_SPEC (execute_data=0x7ff76c2f17f8)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:584
#52 0x00007ff7647f3768 in execute_ex (execute_data=0x7ff76c2f17f8) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#53 0x00007ff7647b9a19 in dtrace_execute_ex (execute_data=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#54 0x00007ff76487a1bc in zend_do_fcall_common_helper_SPEC (execute_data=0x7ff76c2f1580)
#55 0x00007ff7647f3768 in execute_ex (execute_data=0x7ff76c2f1580) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#56 0x00007ff7647b9a19 in dtrace_execute_ex (execute_data=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#57 0x00007ff76487a1bc in zend_do_fcall_common_helper_SPEC (execute_data=0x7ff76c2f1398)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:584
#58 0x00007ff7647f3768 in execute_ex (execute_data=0x7ff76c2f1398) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#59 0x00007ff7647b9a19 in dtrace_execute_ex (execute_data=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#60 0x00007ff76487a1bc in zend_do_fcall_common_helper_SPEC (execute_data=0x7ff76c2f12a0)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:584
#61 0x00007ff7647f3768 in execute_ex (execute_data=0x7ff76c2f12a0) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#62 0x00007ff7647b9a19 in dtrace_execute_ex (execute_data=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#63 0x00007ff76487a1bc in zend_do_fcall_common_helper_SPEC (execute_data=0x7ff76c2f11d0)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:584
#64 0x00007ff7647f3768 in execute_ex (execute_data=0x7ff76c2f11d0) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#65 0x00007ff7647b9a19 in dtrace_execute_ex (execute_data=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#66 0x00007ff7647cb400 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /tmp/buildd/php5-5.5.8+dfsg/Zend/zend.c:1316
#67 0x00007ff76476b615 in php_execute_script (primary_file=primary_file@entry=0x7fff06d54e50)
    at /tmp/buildd/php5-5.5.8+dfsg/main/main.c:2506
#68 0x00007ff76487b83a in php_handler (r=<optimized out>) at /tmp/buildd/php5-5.5.8+dfsg/sapi/apache2handler/sapi_apache2.c:667
#69 0x00007ff76c4e05a0 in ap_run_handler ()
#70 0x00007ff76c4e0ae9 in ap_invoke_handler ()
#71 0x00007ff76c4f5b5c in ap_internal_redirect ()
#72 0x00007ff76123bd0c in ?? () from /usr/lib/apache2/modules/mod_rewrite.so
#73 0x00007ff76c4e05a0 in ap_run_handler ()
#74 0x00007ff76c4e0ae9 in ap_invoke_handler ()
#75 0x00007ff76c4f609a in ap_process_async_request ()
#76 0x00007ff76c4f6374 in ap_process_request ()
#77 0x00007ff76c4f2e32 in ?? ()
#78 0x00007ff76c4e9c00 in ap_run_process_connection ()
#79 0x00007ff76515d767 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#80 0x00007ff76515d996 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#81 0x00007ff76515d9f6 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#82 0x00007ff76515e6d0 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#83 0x00007ff76c4c767e in ap_run_mpm ()
#84 0x00007ff76c4c0da7 in main ()


(gdb) up
#1  0x00007ff757225617 in xc_restore_zend_op_array (processor=processor@entry=0x7fff06d4ef80, dst=<optimized out>, src=<optimized out>)
    at ./xc_processor.c.h:31213

(gdb) print *processor->active_class_entry_dst
$3 = {type = 2 '\002', name = 0x7ff76df063c8 "HTMLSubmitField", name_length = 15, parent = 0x0, refcount = 2, ce_flags = 0, 
  function_table = {nTableSize = 32, nTableMask = 31, nNumOfElements = 22, nNextFreeElement = 0, pInternalPointer = 0x0, 
    pListHead = 0x7ff76df076d8, pListTail = 0x7ff74277d908, arBuckets = 0x7ff76df075c8, 
    pDestructor = 0x7ff7647bf020 <zend_function_dtor>, persistent = 0 '\000', nApplyCount = 0 '\000', bApplyProtection = 1 '\001'}, 
  properties_info = {nTableSize = 16, nTableMask = 15, nNumOfElements = 11, nNextFreeElement = 0, pInternalPointer = 0x0, 
    pListHead = 0x7ff76df06478, pListTail = 0x7ff76df06d58, arBuckets = 0x7ff76df063e8, 
    pDestructor = 0x7ff7600b6390 <zend_destroy_property_info>, persistent = 0 '\000', nApplyCount = 0 '\000', 
    bApplyProtection = 1 '\001'}, default_properties_table = 0x7ff76df06e58, default_static_members_table = 0x0, 
  static_members_table = 0x0, constants_table = {nTableSize = 8, nTableMask = 0, nNumOfElements = 0, nNextFreeElement = 0, 
    pInternalPointer = 0x0, pListHead = 0x0, pListTail = 0x0, arBuckets = 0x7ff7602c7ae8 <uninitialized_bucket>, 
    pDestructor = 0x7ff7647b9c10 <_zval_ptr_dtor>, persistent = 0 '\000', nApplyCount = 0 '\000', bApplyProtection = 1 '\001'}, 
  default_properties_count = 12, default_static_members_count = 0, constructor = 0x7ff76df07740, destructor = 0x0, clone = 0x0, 
  __get = 0x0, __set = 0x0, __unset = 0x0, __isset = 0x0, __call = 0x0, __callstatic = 0x0, __tostring = 0x0, serialize_func = 0x0, 
  unserialize_func = 0x0, iterator_funcs = {funcs = 0x0, zf_new_iterator = 0x0, zf_valid = 0x0, zf_current = 0x0, zf_key = 0x0, 
    zf_next = 0x0, zf_rewind = 0x0}, create_object = 0x0, get_iterator = 0x0, interface_gets_implemented = 0x0, get_static_method = 0x0, 
  serialize = 0x0, unserialize = 0x0, interfaces = 0x0, num_interfaces = 0, traits = 0x0, num_traits = 0, trait_aliases = 0x0, 
  trait_precedences = 0x0, info = {user = {filename = 0x7ff7427b54b8 "/usr/www/website/codex.gallery2.org/includes/HTMLForm.php", 
      line_start = 2835, line_end = 2837, 
      doc_comment = 0x7ff76df07538 "/**\n * Add a submit button inline in the form (as opposed to\n * HTMLForm::addButton(), which will add it at the end).\n */", doc_comment_len = 121}, internal = {builtin_functions = 0x7ff7427b54b8, module = 0xb1500000b13}}}

Change History (6)

comment:1 Changed 7 months ago by moo

What if you disable Zend OPcache?

comment:2 Changed 7 months ago by bharat

Disabling the OPCache does make the problem go away. Are the two known to be incompatible?

comment:3 Changed 7 months ago by moo

Reproduced with opcache on and located inside includes/HTMLForm.php with debug build.
Another workaround is to move

class HTMLSubmitField extends HTMLButtonField {
    protected $buttonType = 'submit';
}

to after class HTMLButtonField. Still have no idea why it's different after Zend OPcache is enabled yet.
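As an added example (not code from the ticket or from XCache), the block below reads the `ht=0x28` in frame #0 of the trace as a member offset of a `zend_class_entry` whose base pointer is NULL: with the PHP 5.5 layout of the fields printed in the gdb dump it resolves to `function_table`, which would be consistent with the dump's `parent = 0x0` on a class that extends HTMLButtonField and with the reordering workaround above. The struct is a cut-down copy of the PHP 5.5 declaration and assumes a 64-bit (LP64), non-debug build.

```c
/* Added example, not code from the ticket or from XCache: decode the
 * near-NULL fault address ht=0x28 seen in zend_hash_find() as a member
 * offset of a zend_class_entry whose base pointer is NULL.
 * The structs are cut-down copies of the PHP 5.5 declarations, limited to
 * the members shown in the gdb dump; offsets assume LP64, non-debug. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PHP 5.5 HashTable, non-debug build (72 bytes on LP64). */
typedef struct _hashtable {
    uint32_t nTableSize, nTableMask, nNumOfElements;
    unsigned long nNextFreeElement;
    void *pInternalPointer, *pListHead, *pListTail, **arBuckets;
    void (*pDestructor)(void *);
    unsigned char persistent, nApplyCount, bApplyProtection;
} HashTable;

/* Leading members of PHP 5.5 zend_class_entry, in declaration order. */
struct zend_class_entry_prefix {
    char type;
    const char *name;
    uint32_t name_length;
    struct zend_class_entry_prefix *parent;
    int refcount;
    uint32_t ce_flags;
    HashTable function_table;
    HashTable properties_info;
};

#define FIELD(f) { #f, offsetof(struct zend_class_entry_prefix, f), \
                   sizeof(((struct zend_class_entry_prefix *)0)->f) }

/* Name of the member a fault address lands in when the object pointer is
 * NULL, or NULL when the address is not inside this prefix at all. */
const char *ce_member_at(uintptr_t fault_addr) {
    static const struct { const char *name; size_t off, size; } members[] = {
        FIELD(type), FIELD(name), FIELD(name_length), FIELD(parent),
        FIELD(refcount), FIELD(ce_flags), FIELD(function_table),
        FIELD(properties_info),
    };
    for (size_t i = 0; i < sizeof members / sizeof members[0]; i++)
        if (fault_addr >= members[i].off &&
            fault_addr < members[i].off + members[i].size)
            return members[i].name;
    return NULL;
}

int main(void) {
    uintptr_t ht = 0x28; /* the ht= value from frame #0 of the trace */
    const char *m = ce_member_at(ht);
    printf("ht=%#lx is &((zend_class_entry *)NULL)->%s\n",
           (unsigned long)ht, m ? m : "(outside prefix)");
    return 0;
}
```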

comment:4 Changed 7 months ago by moo

  • Milestone changed from undecided to 3.1.1
  • Status changed from new to accepted

comment:5 Changed 6 months ago by nijel

comment:6 Changed 2 weeks ago by moo

  • Other Exts set to Zend OPcache