zend_string_init error: Cannot access memory

Bug #1865338 reported by Scott Hollenbeck on 2020-03-01
This bug affects 1 person
Affects: php7.2 (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

I'm using php7.2-fpm to run the Simple Machines Community Forum. I have an fpm pool dedicated to the forum. Every so often I see an error like this in my fpm log:

[01-Mar-2020 01:18:15] WARNING: [pool smf] child 23384 exited on signal 7 (SIGBUS - core dumped) after 0.708817 seconds from start

Here's a backtrace:

[New LWP 23384]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool smf'.
Program terminated with signal SIGBUS, Bus error.
#0 __memcpy_ssse3 () at ../sysdeps/x86_64/multiarch/memcpy-ssse3.S:620
620 ../sysdeps/x86_64/multiarch/memcpy-ssse3.S: No such file or directory.
(gdb) bt
#0 __memcpy_ssse3 () at ../sysdeps/x86_64/multiarch/memcpy-ssse3.S:620
#1 0x000055feb96ec706 in memcpy (__len=38654, __src=0x7f220d2bf06b, __dest=0x7f220789a018)
    at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#2 zend_string_init (persistent=0, len=38654, str=0x7f220d2bf06b <error: Cannot access memory at address 0x7f220d2bf06b>)
    at ./Zend/zend_string.h:172
#3 lex_scan (zendlval=zendlval@entry=0x7ffe48510e90) at Zend/zend_language_scanner.l:1995
#4 0x000055feb970140e in zendlex (elem=elem@entry=0x7ffe48510f48) at ./Zend/zend_compile.c:1728
#5 0x000055feb96e4dff in zendparse () at ./Zend/zend_language_parser.c:4229
#6 0x000055feb96e7457 in zend_compile (type=type@entry=2) at Zend/zend_language_scanner.l:586
#7 0x000055feb96e898a in compile_file (file_handle=0x7ffe48511e50, type=2) at Zend/zend_language_scanner.l:636
#8 0x00007f21fd0b3ecc in ?? () from /usr/lib/php/20170718/phar.so
#9 0x00007f22072ba29c in ?? () from /usr/lib/php/20170718/opcache.so
#10 0x00007f22072bbf58 in ?? () from /usr/lib/php/20170718/opcache.so
#11 0x000055feb96e8a32 in compile_filename (type=type@entry=2, filename=filename@entry=0x7f220781e460) at Zend/zend_language_scanner.l:663
#12 0x000055feb978925b in zend_include_or_eval (inc_filename=inc_filename@entry=0x7f220781e460, type=2) at ./Zend/zend_execute.c:2832
#13 0x000055feb97c9483 in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER () at ./Zend/zend_vm_execute.h:48894
#14 0x000055feb97cef97 in execute_ex (ex=0x7f22078a1020) at ./Zend/zend_vm_execute.h:63210
#15 0x000055feb97d5f77 in zend_execute (op_array=op_array@entry=0x7f2207880000, return_value=return_value@entry=0x7f21f9fbd258)
    at ./Zend/zend_vm_execute.h:63780
#16 0x000055feb9724702 in zend_execute_scripts (type=type@entry=8, retval=0x7f21f9fbd258, retval@entry=0x0, file_count=125952816,
    file_count@entry=3) at ./Zend/zend.c:1498
#17 0x000055feb96c0160 in php_execute_script (primary_file=0x7ffe48514670) at ./main/main.c:2599
#18 0x000055feb956f7bb in main (argc=<optimized out>, argv=<optimized out>) at ./sapi/fpm/fpm/fpm_main.c:1966
(gdb)

I haven't found a specific way to reproduce the error beyond letting the software run for several hours. More info:

$ lsb_release -rd
Description: Ubuntu 18.04.4 LTS
Release: 18.04
$ apt-cache policy php7.2-fpm
php7.2-fpm:
  Installed: 7.2.24-0ubuntu0.18.04.3
  Candidate: 7.2.24-0ubuntu0.18.04.3
  Version table:
 *** 7.2.24-0ubuntu0.18.04.3 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     7.2.3-1ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
$
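
A triage helper for the kind of fpm log line quoted in the report above, added here as an example and not part of the original bug report: it tallies php-fpm children killed by a signal per pool, so intermittent crashes like this SIGBUS can be counted and correlated with core dumps. Only the first sample line comes from the report; the other lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of the php-fpm master-process line quoted in the report.
EXIT_RE = re.compile(
    r"^\[(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\] WARNING: "
    r"\[pool (?P<pool>[^\]]+)\] child (?P<pid>\d+) exited on signal "
    r"(?P<signo>\d+) \((?P<signame>SIG[A-Z0-9]+)(?P<core> - core dumped)?\) "
    r"after (?P<uptime>\d+(?:\.\d+)?) seconds from start$"
)

# Constructed sample: line 1 is from the report, the rest are made up.
SAMPLE_LOG = """\
[01-Mar-2020 01:18:15] WARNING: [pool smf] child 23384 exited on signal 7 (SIGBUS - core dumped) after 0.708817 seconds from start
[01-Mar-2020 01:18:15] NOTICE: [pool smf] child 23390 started
[01-Mar-2020 04:02:41] WARNING: [pool smf] child 23390 exited on signal 7 (SIGBUS - core dumped) after 9866.120011 seconds from start
[01-Mar-2020 04:10:03] WARNING: [pool www] child 24001 exited on signal 11 (SIGSEGV) after 12.500000 seconds from start
"""

def parse_signal_exits(text):
    """Return one dict per child that was terminated by a signal."""
    events = []
    for line in text.splitlines():
        m = EXIT_RE.match(line.strip())
        if not m:
            continue  # ordinary NOTICE lines and clean exits are ignored
        events.append({
            "time": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
            "pool": m["pool"],
            "pid": int(m["pid"]),
            "signal": m["signame"],
            "core_dumped": m["core"] is not None,
            "uptime": float(m["uptime"]),
        })
    return events

def summarize(events):
    """Group by (pool, signal): crash count, core dumps, shortest child lifetime."""
    out = defaultdict(lambda: {"count": 0, "core_dumps": 0, "min_uptime": float("inf")})
    for e in events:
        s = out[(e["pool"], e["signal"])]
        s["count"] += 1
        s["core_dumps"] += e["core_dumped"]
        s["min_uptime"] = min(s["min_uptime"], e["uptime"])
    return dict(out)

if __name__ == "__main__":
    for key, stats in summarize(parse_signal_exits(SAMPLE_LOG)).items():
        print(key, stats)
```
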

Andreas Hasenack (ahasenack) wrote :

Can you attach the core dump? Or the crash file, if you have one in /var/crash about this.

Scott Hollenbeck (g-sah) wrote :

Unfortunately I didn't keep that particular core dump, but I have more recent dumps. I've attached one of them. The error has changed:

[New LWP 3553]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool smf'.
Program terminated with signal SIGBUS, Bus error.
#0 0x0000560f1b3fc426 in lex_scan (zendlval=zendlval@entry=0x7ffc84fdf5b0) at Zend/zend_language_scanner.l:1981
1981 Zend/zend_language_scanner.l: No such file or directory.
(gdb) bt
#0 0x0000560f1b3fc426 in lex_scan (zendlval=zendlval@entry=0x7ffc84fdf5b0) at Zend/zend_language_scanner.l:1981
#1 0x0000560f1b41340e in zendlex (elem=elem@entry=0x7ffc84fdf668) at ./Zend/zend_compile.c:1728
#2 0x0000560f1b3f6dff in zendparse () at ./Zend/zend_language_parser.c:4229
#3 0x0000560f1b3f9457 in zend_compile (type=type@entry=2) at Zend/zend_language_scanner.l:586
#4 0x0000560f1b3fa98a in compile_file (file_handle=0x7ffc84fe0570, type=2) at Zend/zend_language_scanner.l:636
#5 0x00007faf412b3ecc in ?? () from /usr/lib/php/20170718/phar.so
#6 0x00007faf4b4ba29c in ?? () from /usr/lib/php/20170718/opcache.so
#7 0x00007faf4b4bbf58 in ?? () from /usr/lib/php/20170718/opcache.so
#8 0x0000560f1b3faa32 in compile_filename (type=type@entry=2, filename=filename@entry=0x7faf4ba1f460) at Zend/zend_language_scanner.l:663
#9 0x0000560f1b49b25b in zend_include_or_eval (inc_filename=inc_filename@entry=0x7faf4ba1f460, type=2) at ./Zend/zend_execute.c:2832
#10 0x0000560f1b4db483 in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER () at ./Zend/zend_vm_execute.h:48894
#11 0x0000560f1b4e0f97 in execute_ex (ex=0x27) at ./Zend/zend_vm_execute.h:63210
#12 0x0000560f1b4e7f77 in zend_execute (op_array=op_array@entry=0x7faf4ba7f000, return_value=return_value@entry=0x7faf2f6c3098)
    at ./Zend/zend_vm_execute.h:63780
#13 0x0000560f1b436702 in zend_execute_scripts (type=type@entry=8, retval=0x7faf2f6c3098, retval@entry=0x0, file_count=1268904752,
    file_count@entry=3) at ./Zend/zend.c:1498
#14 0x0000560f1b3d2160 in php_execute_script (primary_file=0x7ffc84fe2d90) at ./main/main.c:2599
#15 0x0000560f1b2817bb in main (argc=<optimized out>, argv=<optimized out>) at ./sapi/fpm/fpm/fpm_main.c:1966
(gdb)

Scott Hollenbeck (g-sah) wrote :

The original error reappeared:

[New LWP 4655]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool smf '.
Program terminated with signal SIGBUS, Bus error.
#0 __memcpy_ssse3 () at ../sysdeps/x86_64/multiarch/memcpy-ssse3.S:620
620 ../sysdeps/x86_64/multiarch/memcpy-ssse3.S: No such file or directory.
(gdb) bt
#0 __memcpy_ssse3 () at ../sysdeps/x86_64/multiarch/memcpy-ssse3.S:620
#1 0x0000560f1b3fe706 in memcpy (__len=38756, __src=0x7faf515a506b, __dest=0x7faf4ba99018)
    at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#2 zend_string_init (persistent=0, len=38756, str=0x7faf515a506b <error: Cannot access memory at address 0x7faf515a506b>)
    at ./Zend/zend_string.h:172
#3 lex_scan (zendlval=zendlval@entry=0x7ffc84fdf5b0) at Zend/zend_language_scanner.l:1995
#4 0x0000560f1b41340e in zendlex (elem=elem@entry=0x7ffc84fdf668) at ./Zend/zend_compile.c:1728
#5 0x0000560f1b3f6dff in zendparse () at ./Zend/zend_language_parser.c:4229
#6 0x0000560f1b3f9457 in zend_compile (type=type@entry=2) at Zend/zend_language_scanner.l:586
#7 0x0000560f1b3fa98a in compile_file (file_handle=0x7ffc84fe0570, type=2) at Zend/zend_language_scanner.l:636
#8 0x00007faf412b3ecc in ?? () from /usr/lib/php/20170718/phar.so
#9 0x00007faf4b4ba29c in ?? () from /usr/lib/php/20170718/opcache.so
#10 0x00007faf4b4bbf58 in ?? () from /usr/lib/php/20170718/opcache.so
#11 0x0000560f1b3faa32 in compile_filename (type=type@entry=2, filename=filename@entry=0x7faf4ba1f460) at Zend/zend_language_scanner.l:663
#12 0x0000560f1b49b25b in zend_include_or_eval (inc_filename=inc_filename@entry=0x7faf4ba1f460, type=2) at ./Zend/zend_execute.c:2832
#13 0x0000560f1b4db483 in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER () at ./Zend/zend_vm_execute.h:48894
#14 0x0000560f1b4e0f97 in execute_ex (ex=0x7faf4ba99fa0) at ./Zend/zend_vm_execute.h:63210
#15 0x0000560f1b4e7f77 in zend_execute (op_array=op_array@entry=0x7faf4ba80000, return_value=return_value@entry=0x7faf389afdd8)
    at ./Zend/zend_vm_execute.h:63780
#16 0x0000560f1b436702 in zend_execute_scripts (type=type@entry=8, retval=0x7faf389afdd8, retval@entry=0x0, file_count=1268904752,
    file_count@entry=3) at ./Zend/zend.c:1498
#17 0x0000560f1b3d2160 in php_execute_script (primary_file=0x7ffc84fe2d90) at ./main/main.c:2599
#18 0x0000560f1b2817bb in main (argc=<optimized out>, argv=<optimized out>) at ./sapi/fpm/fpm/fpm_main.c:1966
(gdb)

Core dump (hopefully, it's a 70MB compressed zip archive) attached.

Paride Legovini (paride) on 2020-03-06
tags: added: server-triage-discuss
Changed in php7.2 (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: removed: server-triage-discuss