PHP 8.2.5 - 8.2.7 crash #11357

Closed
sitnikov opened this issue Jun 2, 2023 · 26 comments

@sitnikov

sitnikov commented Jun 2, 2023

Description

I only have a core from version 8.2.5, but version 8.2.6 also crashed. I can't replicate the issue for 8.2.6 because this is a production system. Version 8.2.1 is working properly.

(gdb) bt

#0  zend_mm_alloc_small (bin_num=8, heap=0x7f5c54200040) at /usr/src/debug/php82-8.2.5-1.x86_64/Zend/zend_alloc.c:1313
#1  zend_mm_alloc_heap (size=<optimized out>, heap=0x7f5c54200040) at /usr/src/debug/php82-8.2.5-1.x86_64/Zend/zend_alloc.c:1384
#2  _emalloc (size=<optimized out>) at /usr/src/debug/php82-8.2.5-1.x86_64/Zend/zend_alloc.c:2594
#3  0x0000562af46da26e in zend_objects_new (ce=0x562afd1bc320) at /usr/src/debug/php82-8.2.5-1.x86_64/Zend/zend_objects_API.h:83
#4  0x0000562af464c71a in _object_and_properties_init (properties=0x0, class_type=<optimized out>, arg=0x7f5c542160c0) at /usr/src/debug/php82-8.2.5-1.x86_64/Zend/zend_API.c:1695
#5  object_init_ex (arg=arg@entry=0x7f5c542160c0, class_type=<optimized out>) at /usr/src/debug/php82-8.2.5-1.x86_64/Zend/zend_API.c:1718
#6  0x0000562af4689e85 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /usr/src/debug/php82-8.2.5-1.x86_64/Zend/zend_vm_execute.h:10289
#7  0x0000562af46b4a54 in execute_ex (ex=0x10f7e48) at /usr/src/debug/php82-8.2.5-1.x86_64/Zend/zend_vm_execute.h:56937
#8  0x0000562af46bd1c2 in zend_execute (op_array=0x7f5c54202000, return_value=0x0) at /usr/src/debug/php82-8.2.5-1.x86_64/Zend/zend_vm_execute.h:60396
#9  0x0000562af4649be5 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/debug/php82-8.2.5-1.x86_64/Zend/zend.c:1826
#10 0x0000562af45e360a in php_execute_script (primary_file=<optimized out>) at /usr/src/debug/php82-8.2.5-1.x86_64/main/main.c:2542
#11 0x0000562af43e311c in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/php82-8.2.5-1.x86_64/sapi/fpm/fpm/fpm_main.c:1924

(gdb) zbacktrace

[0x7f5c54215fc0] Doctrine\DBAL\Connection->executeQuery("SELECT spare_id AS sid, spare_id_name AS pnid, discount, stock,\12                            (!ISNULL(spare_id) + !ISNULL(spare_id_name) + !ISNULL(stock)) AS conditions,\12                            discounted_sell_price_no_vat AS price\12                     ...", array(2)[0x7f5c54216020], array(0)[0x7f5c54216030], NULL) /...../vendor/doctrine/dbal/src/Connection.php:1067 
[0x7f5c54215f10] ZZZZZ\DB\Connection->executeQuery("SELECT spare_id AS sid, spare_id_name AS pnid, discount, stock,\12                            (!ISNULL(spare_id) + !ISNULL(spare_id_name) + !ISNULL(stock)) AS conditions,\12                            discounted_sell_price_no_vat AS price\12                     ...", array(2)[0x7f5c54215f70], array(0)[0x7f5c54215f80]) /...../include/DB/Connection.php:248 
[0x7f5c54215e70] ZZZZZ\DB\Connection->fetchAll("SELECT spare_id AS sid, spare_id_name AS pnid, discount, stock,\12                            (!ISNULL(spare_id) + !ISNULL(spare_id_name) + !ISNULL(stock)) AS conditions,\12                            discounted_sell_price_no_vat AS price\12                     ...", array(2)[0x7f5c54215ed0]) /...../include/DB/Connection.php:298 
[0x7f5c54215de0] ZZZZZ\Price2\Helper\DiscountCalculator->ZZZZZ\Price2\Helper\{closure}() /...../include/Price2/Helper/DiscountCalculator.php:155 
[0x7f5c54215d40] cache_remember("_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 3600, object[0x7f5c54215db0]) /...../include/memcache.functions.php:112 
[0x7f5c54215b90] ZZZZZ\Price2\Helper\DiscountCalculator->find_abcxyz_discount(array(68)[0x7f5c54215be0], 0.000000) /...../include/Price2/Helper/DiscountCalculator.php:153 
[0x7f5c54215a90] ZZZZZ\Price2\Discount\MassiveDiscount->getDiscountPercent() /...../include/Price2/Discount/MassiveDiscount.php:46 
[0x7f5c542159e0] ZZZZZ\Price2\Helper\DiscountCalculator->getMaxDiscountByDiscounts(array(4)[0x7f5c54215a30]) /...../include/Price2/Helper/DiscountCalculator.php:383 
[0x7f5c54215850] ZZZZZ\Price2\Helper\DiscountCalculator->calculateDiscount(array(4)[0x7f5c542158a0], 0.000000, object[0x7f5c542158c0], array(68)[0x7f5c542158d0], object[0x7f5c542158e0]) /...../include/Price2/Helper/DiscountCalculator.php:317 
[0x7f5c54215700] ZZZZZ\Price2\Helper\DiscountCalculator->calculate_discount(array(68)[0x7f5c54215750], array(0)[0x7f5c54215760], 0) /...../include/Price2/Helper/DiscountCalculator.php:306 
[0x7f5c54215600] calculate_discount(array(68)[0x7f5c54215650], "catalog", 0, array(0)[0x7f5c54215680]) /...../include/ZZZZZ.functions.php:3742 
[0x7f5c542154c0] CatalogView->get_price_data(array(66)[0x7f5c54215510], array(0)[0x7f5c54215520], "ZZZZZZ-ZZZZZ") /...../include/CatalogView.class.php:358 
[0x7f5c54215280] ZZZZZ\CatalogBundle\DependencyInjection\Spare\SparesCatalogViewService->spareDetailData(30331702, array(66)[0x7f5c542152e0], array(6)[0x7f5c542152f0], array(1)[0x7f5c54215300], array(6)[0x7f5c54215310], object[0x7f5c54215320], NULL, 1) /...../Bundles/CatalogBundle/DependencyInjection/Spare/SparesCatalogViewService.php:219 
[0x7f5c542149c0] ZZZZZ\CatalogBundle\Controller\SpareDetailViewController->getSpareDetailViewData(object[0x7f5c54214a10], object[0x7f5c54214a20], object[0x7f5c54214a30], object[0x7f5c54214a40], object[0x7f5c54214a50], object[0x7f5c54214a60], object[0x7f5c54214a70], object[0x7f5c54214a80], object[0x7f5c54214a90], object[0x7f5c54214aa0], object[0x7f5c54214ab0], object[0x7f5c54214ac0], object[0x7f5c54214ad0], object[0x7f5c54214ae0], object[0x7f5c54214af0], object[0x7f5c54214b00], 30923983, 16050, NULL, NULL, NULL, 3, false, false, object[0x7f5c54214b90]) /...../Bundles/CatalogBundle/Controller/SpareDetailViewController.php:1200 
[0x7f5c54214420] ZZZZZ\CatalogBundle\Controller\SpareDetailViewController->indexAction(object[0x7f5c54214470], object[0x7f5c54214480], object[0x7f5c54214490], object[0x7f5c542144a0], object[0x7f5c542144b0], object[0x7f5c542144c0], object[0x7f5c542144d0], object[0x7f5c542144e0], object[0x7f5c542144f0], object[0x7f5c54214500], object[0x7f5c54214510], object[0x7f5c54214520], object[0x7f5c54214530], object[0x7f5c54214540], object[0x7f5c54214550], object[0x7f5c54214560], object[0x7f5c54214570], object[0x7f5c54214580], object[0x7f5c54214590], object[0x7f5c542145a0], object[0x7f5c542145b0], object[0x7f5c542145c0], object[0x7f5c542145d0], object[0x7f5c542145e0], 30923983, NULL, NULL, NULL, NULL) /...../Bundles/CatalogBundle/Controller/SpareDetailViewController.php:324 
[0x7f5c54214340] Symfony\Component\HttpKernel\HttpKernel->handleRaw(object[0x7f5c54214390], 1) /...../vendor/symfony/http-kernel/HttpKernel.php:163 
[0x7f5c54214270] Symfony\Component\HttpKernel\HttpKernel->handle(object[0x7f5c542142c0], 1, true) /...../vendor/symfony/http-kernel/HttpKernel.php:74 
[0x7f5c542141b0] Symfony\Component\HttpKernel\Kernel->handle(object[0x7f5c54214200]) /...../vendor/symfony/http-kernel/Kernel.php:184 
[0x7f5c54214100] (main) /...../web/app.php:10 
[0x7f5c54214020] (main) /...../index.php:53 

DiscountCalculator.php:155

$dataGeneral = cache_remember('_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 60*60, static function() use($conn) {
    $conn->setDebugData(__FILE__, __LINE__);
    return $conn->fetchAll('xxxxxxx', [DomainConf::getDomainId()]);
});

PHP Version

8.2.5

Operating System

OL8

@nielsdos
Member

nielsdos commented Jun 2, 2023

It looks like a heap corruption, so the origin of the actual problem could be anywhere I'm afraid.

Some questions to begin with:

  • Does this problem occur frequently, i.e. does it always happen, only sometimes, or rarely?
  • When the problem happens, is it always in the same location it crashes?
  • Do you use SSL/TLS-enabled database connections? I'm asking this because I did a change related to SSL database connections in 8.2.5...
  • Are you able to compile PHP yourself? This would allow to get more info about the issue by using the address sanitizer and by enabling debug assertions.

@sitnikov
Author

sitnikov commented Jun 2, 2023

1 - yes 30-50% requests will crash
2 - some location ok
3 - no
4 - yes, custom build

This is a prod server and I can't run this version again without a fix.

You can see the screenshot and log from dnf.

image

2023-06-02T00:07:01+0300 DEBUG ---> Package php82-fpm.x86_64 8.2.1-1 will be upgraded
2023-06-02T00:46:28+0300 DEBUG Downgraded: php82-fpm-8.2.1-1.x86_64

@nielsdos
Member

nielsdos commented Jun 2, 2023

If you can give a way so we can reproduce the issue on our own systems, that would be great. Otherwise it's going to be difficult to debug this.

Alternatively if you are able to trigger the issue with a custom build in a test environment, this would allow you to get more info. If that's possible, then you can configure your PHP build with the ./configure options --enable-address-sanitizer and --enable-debug-assertions (besides the ones you already use). If you then set the environment variable USE_ZEND_ALLOC=0 then the address sanitizer will be able to report memory corruptions.

Alternatively, performing a bisect between the commits of 8.2.1 and 8.2.5 would also work I guess.

Of course I understand if this is not really possible in your situation. The problem right now is that there's too little information to figure out what goes wrong I'm afraid...

@github-actions

No feedback was provided. The issue is being suspended because we assume that you are no longer experiencing the problem. If this is not the case and you are able to provide the information that was requested earlier, please do so. Thank you.

@sitnikov
Author

The crash still exists, please don't close the ticket.

@iluuu1994 reopened this Jun 17, 2023

@iluuu1994
Member

@sitnikov Can you try the steps above from @nielsdos?

@sitnikov
Author

The crash was observed on prod; I'm looking for options to reproduce it in the dev environment.

@sitnikov
Author

I made a debug build of 8.2.7 for the dev environment.

without debug - 502 / core / sigsegv
with debug - 502 error / no core / no sigsegv

phperror_log - empty

php-fpm.log has only this:
[27-Jun-2023 12:08:30] WARNING: [pool alvadi-debug-8.2] child 1603073 exited with code 1 after 1038.660347 seconds from start
[27-Jun-2023 12:08:30] NOTICE: [pool alvadi-debug-8.2] child 1606493 started

@sitnikov
Author

non-debug crash bt

(gdb) zbacktrace 
[0x7f8f79e158a0] Logistics\Rules\OrderRule->__toString() /.......//include/Logistics/Rules/OrderRule.php:47 
[0x7f8f79e15830] Logistics\RuleCollection->Logistics\{closure}(object[0x7f8f79e15880]) /.......//include/Logistics/RuleCollection.php:108 
[0x7f8f79e157c0] array_map(object[0x7f8f79e15810], array(7)[0x7f8f79e15820]) [internal function]
[0x7f8f79e156e0] Logistics\RuleCollection->__toString() /.......//include/Logistics/RuleCollection.php:108 
[0x7f8f79e15620] Logistics\RuleCollection->getHash() /.......//include/Logistics/RuleCollection.php:115 
[0x7f8f79e154f0] Logistics\Matcher->getDeliveryDateTo(object[0x7f8f79e15540], object[0x7f8f79e15550]) /.......//include/Logistics/Matcher.php:167 
[0x7f8f79e151e0] date_client_delivery(array(9)[0x7f8f79e15230]) /.......//include/alvadi.functions.php:1439 
[0x7f8f79e150d0] Order->calculate_date_client_delivery(3399576) /.......//include/Order.class.php:482 
[0x7f8f79e14ff0] Order->update_date_client_delivery(3399576) /.......//include/Order.class.php:498 
[0x7f8f79e14df0] Cart->checkProductDatesAndQty() /.......//include/Cart.class.php:271 
[0x7f8f79e14cc0] Alvadi\CatalogBundle\Controller\CartController->cartInit(object[0x7f8f79e14d10], 0, NULL) /.......//src/Bundles/CatalogBundle/Controller/CartController.php:374 
[0x7f8f79e14650] Alvadi\CatalogBundle\Controller\CartController->renderCartProducts(object[0x7f8f79e146a0], 0, NULL, object[0x7f8f79e146d0]) /.......//src/Bundles/CatalogBundle/Controller/CartController.php:434 
[0x7f8f79e14470] Alvadi\CatalogBundle\Controller\CartController->indexAction(object[0x7f8f79e144c0], object[0x7f8f79e144d0], object[0x7f8f79e144e0], 0, NULL) /.......//src/Bundles/CatalogBundle/Controller/CartController.php:248 
[0x7f8f79e14390] Symfony\Component\HttpKernel\HttpKernel->handleRaw(object[0x7f8f79e143e0], 1) /.......//vendor/symfony/http-kernel/HttpKernel.php:163 
[0x7f8f79e142c0] Symfony\Component\HttpKernel\HttpKernel->handle(object[0x7f8f79e14310], 1, true) /.......//vendor/symfony/http-kernel/HttpKernel.php:74 
[0x7f8f79e14200] Symfony\Component\HttpKernel\Kernel->handle(object[0x7f8f79e14250]) /.......//vendor/symfony/http-kernel/Kernel.php:184 
[0x7f8f79e14100] (main) /.......//web/app_dev.php:36 
[0x7f8f79e14020] (main) /.......//index.php:53 
(gdb) bt
#0  zend_mm_alloc_small (bin_num=8, heap=0x7f8f79e00040) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_alloc.c:1313
#1  zend_mm_realloc_heap (copy_size=<optimized out>, use_copy_size=false, size=<optimized out>, ptr=0x7f8f6848dd90, heap=0x7f8f79e00040) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_alloc.c:1625
#2  _erealloc (ptr=0x7f8f6848dd90, size=<optimized out>) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_alloc.c:2615
#3  0x00005608d11bb121 in zend_string_extend (persistent=false, len=<optimized out>, s=0x7f8f6848dd90) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_string.h:249
#4  ZEND_FAST_CONCAT_SPEC_TMPVAR_TMPVAR_HANDLER () at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_vm_execute.h:17120
#5  0x00005608d11fd8d9 in execute_ex (ex=0x7f8f6848dd90) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_vm_execute.h:57717
#6  0x00005608d11835da in zend_call_function (fci_cache=<optimized out>, fci=<optimized out>) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_execute_API.c:947
#7  zend_call_function (fci=<optimized out>, fci_cache=<optimized out>) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_execute_API.c:749
#8  0x00005608d1183905 in zend_call_known_function (fn=0x5608d995cca0, object=object@entry=0x7f8f684aa930, called_scope=called_scope@entry=0x5608d995c870, retval_ptr=retval_ptr@entry=0x7ffc7e5ac4e0, param_count=param_count@entry=0, 
    params=params@entry=0x0, named_params=0x0) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_execute_API.c:1041
#9  0x00005608d1223e4a in zend_call_known_instance_method (params=0x0, param_count=0, retval_ptr=0x7ffc7e5ac4e0, object=0x7f8f684aa930, fn=<optimized out>) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_API.h:759
#10 zend_call_known_instance_method_with_0_params (retval_ptr=0x7ffc7e5ac4e0, object=0x7f8f684aa930, fn=<optimized out>) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_API.h:759
#11 zend_std_cast_object_tostring (type=6, writeobj=0x7ffc7e5ac530, readobj=0x7f8f684aa930) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_object_handlers.c:1870
#12 zend_std_cast_object_tostring (readobj=0x7f8f684aa930, writeobj=0x7ffc7e5ac530, type=<optimized out>) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_object_handlers.c:1862
#13 0x00005608d1189f5d in __zval_get_string_func (try=false, op=0x7f8f79e15880) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_operators.c:975
#14 zval_get_string_func (op=op@entry=0x7f8f79e15880) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_operators.c:996
#15 0x00005608d11cef58 in zval_get_string (op=0x7f8f79e15880) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_vm_execute.h:38912
#16 ZEND_CAST_SPEC_CV_HANDLER () at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_vm_execute.h:38865
#17 0x00005608d11fc993 in execute_ex (ex=0x7f8f6848dd90) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_vm_execute.h:59391
#18 0x00005608d11835da in zend_call_function (fci_cache=<optimized out>, fci=0xa0975605dae62d00) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_execute_API.c:947
#19 zend_call_function (fci=fci@entry=0x7ffc7e5ac780, fci_cache=fci_cache@entry=0x7ffc7e5ac760) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_execute_API.c:749
#20 0x00005608d10b1078 in zif_array_map (execute_data=<optimized out>, return_value=0x7f8f79e15730) at /usr/src/debug/php82-8.2.7-1.x86_64/ext/standard/array.c:6193
#21 0x00005608d1205051 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_vm_execute.h:1637
#22 execute_ex (ex=0x7f8f6848dd90) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_vm_execute.h:56056
#23 0x00005608d1205932 in zend_execute (op_array=0x7f8f79e78000, return_value=0x0) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend_vm_execute.h:60396
#24 0x00005608d1192555 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/debug/php82-8.2.7-1.x86_64/Zend/zend.c:1827
#25 0x00005608d112c02a in php_execute_script (primary_file=<optimized out>) at /usr/src/debug/php82-8.2.7-1.x86_64/main/main.c:2542
#26 0x00005608d0f2b1bc in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/php82-8.2.7-1.x86_64/sapi/fpm/fpm/fpm_main.c:1920

@sitnikov
Author

bt from gdb & debug build

0x0000562812256f76 in zend_mm_alloc_small (heap=0x7f42cee00040, bin_num=10, __zend_filename=0x562812947680 "/builddir/build/BUILD/php-8.2.7/Zend/zend_string.h", __zend_lineno=249, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_alloc.c:1313
1313                    heap->free_slot[bin_num] = p->next_free_slot;
(gdb) bt
#0  0x0000562812256f76 in zend_mm_alloc_small (heap=0x7f42cee00040, bin_num=10, __zend_filename=0x562812947680 "/builddir/build/BUILD/php-8.2.7/Zend/zend_string.h", __zend_lineno=249, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_alloc.c:1313
#1  0x000056281225843f in zend_mm_realloc_heap (heap=0x7f42cee00040, ptr=0x7f42bc416f60, size=112, use_copy_size=false, copy_size=80, __zend_filename=0x562812947680 "/builddir/build/BUILD/php-8.2.7/Zend/zend_string.h", __zend_lineno=249, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_alloc.c:1625
#2  0x000056281225e033 in _erealloc (ptr=0x7f42bc416f60, size=80, __zend_filename=0x562812947680 "/builddir/build/BUILD/php-8.2.7/Zend/zend_string.h", __zend_lineno=249, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_alloc.c:2615
#3  0x00005628123790aa in zend_string_extend (s=0x7f42bc416f60, len=53, persistent=false) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_string.h:249
#4  0x00005628124160c2 in ZEND_FAST_CONCAT_SPEC_TMPVAR_TMPVAR_HANDLER () at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_vm_execute.h:17120
#5  0x00005628124feefe in execute_ex (ex=0x7f42cee088a0) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_vm_execute.h:57717
#6  0x00005628122c1a71 in zend_call_function (fci=0x7fff78294030, fci_cache=0x7fff78293ff0) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_execute_API.c:947
#7  0x00005628122c2c15 in zend_call_known_function (fn=0x562819f1ac80, object=0x7f42bc4214e0, called_scope=0x562819f1a850, retval_ptr=0x7fff782941e0, param_count=0, params=0x0, named_params=0x0)
    at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_execute_API.c:1041
#8  0x0000562812580087 in zend_call_known_instance_method (fn=0x562819f1ac80, object=0x7f42bc4214e0, retval_ptr=0x7fff782941e0, param_count=0, params=0x0) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_API.h:753
#9  0x00005628125800c1 in zend_call_known_instance_method_with_0_params (fn=0x562819f1ac80, object=0x7f42bc4214e0, retval_ptr=0x7fff782941e0) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_API.h:759
#10 0x000056281258e66d in zend_std_cast_object_tostring (readobj=0x7f42bc4214e0, writeobj=0x7fff782942a0, type=6) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_object_handlers.c:1870
#11 0x00005628122dd4c6 in __zval_get_string_func (op=0x7f42cee08880, try=false) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_operators.c:975
#12 0x00005628122dd765 in zval_get_string_func (op=0x7f42cee08880) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_operators.c:996
#13 0x000056281237a7e1 in zval_get_string (op=0x7f42cee08880) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_operators.h:291
#14 0x00005628124a055e in ZEND_CAST_SPEC_CV_HANDLER () at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_vm_execute.h:38865
#15 0x0000562812506012 in execute_ex (ex=0x7f42cee08830) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_vm_execute.h:59391
#16 0x00005628122c1a71 in zend_call_function (fci=0x7fff78294cf0, fci_cache=0x7fff78294cb0) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_execute_API.c:947
#17 0x0000562811f912ae in zif_array_map (execute_data=0x7f42cee087c0, return_value=0x7f42cee08730) at /usr/src/debug/php82d-8.2.7-1.x86_64/ext/standard/array.c:6193
#18 0x00005628123a8621 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_vm_execute.h:1312
#19 0x00005628124f750b in execute_ex (ex=0x7f42cee07020) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_vm_execute.h:56032
#20 0x000056281250a57d in zend_execute (op_array=0x7f42cee68000, return_value=0x0) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend_vm_execute.h:60396
#21 0x0000562812303812 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php82d-8.2.7-1.x86_64/Zend/zend.c:1827
#22 0x000056281217ffd5 in php_execute_script (primary_file=0x7fff78296980) at /usr/src/debug/php82d-8.2.7-1.x86_64/main/main.c:2542
#23 0x000056281270b6b8 in main (argc=2, argv=0x7fff78296ef8) at /usr/src/debug/php82d-8.2.7-1.x86_64/sapi/fpm/fpm/fpm_main.c:1920
(gdb) zbacktrace 
[0x7f42cee088a0] Logistics\Rules\OrderRule->__toString() /......./include/Logistics/Rules/OrderRule.php:47 
[0x7f42cee08830] Logistics\RuleCollection->Logistics\{closure}(object[0x7f42cee08880]) /......./include/Logistics/RuleCollection.php:108 
[0x7f42cee087c0] array_map(object[0x7f42cee08810], array(7)[0x7f42cee08820]) [internal function]
[0x7f42cee086e0] Logistics\RuleCollection->__toString() /......./include/Logistics/RuleCollection.php:108 
[0x7f42cee08620] Logistics\RuleCollection->getHash() /......./include/Logistics/RuleCollection.php:116 
[0x7f42cee084f0] Logistics\Matcher->getDeliveryDateTo(object[0x7f42cee08540], object[0x7f42cee08550]) /......./include/Logistics/Matcher.php:167 
[0x7f42cee081e0] date_client_delivery(array(9)[0x7f42cee08230]) /......./include/alvadi.functions.php:1439 
[0x7f42cee080d0] Order->calculate_date_client_delivery(3399576) /......./include/Order.class.php:482 
[0x7f42cee07ff0] Order->update_date_client_delivery(3399576) /......./include/Order.class.php:498 
[0x7f42cee07df0] Cart->checkProductDatesAndQty() /......./include/Cart.class.php:271 
[0x7f42cee07cc0] Alvadi\CatalogBundle\Controller\CartController->cartInit(object[0x7f42cee07d10], 0, NULL) /......./src/Bundles/CatalogBundle/Controller/CartController.php:374 
[0x7f42cee07650] Alvadi\CatalogBundle\Controller\CartController->renderCartProducts(object[0x7f42cee076a0], 0, NULL, object[0x7f42cee076d0]) /......./src/Bundles/CatalogBundle/Controller/CartController.php:434 
[0x7f42cee07470] Alvadi\CatalogBundle\Controller\CartController->indexAction(object[0x7f42cee074c0], object[0x7f42cee074d0], object[0x7f42cee074e0], 0, NULL) /......./src/Bundles/CatalogBundle/Controller/CartController.php:248 
[0x7f42cee07390] Symfony\Component\HttpKernel\HttpKernel->handleRaw(object[0x7f42cee073e0], 1) /......./vendor/symfony/http-kernel/HttpKernel.php:166 
[0x7f42cee072c0] Symfony\Component\HttpKernel\HttpKernel->handle(object[0x7f42cee07310], 1, true) /......./vendor/symfony/http-kernel/HttpKernel.php:74 
[0x7f42cee07200] Symfony\Component\HttpKernel\Kernel->handle(object[0x7f42cee07250]) /......./vendor/symfony/http-kernel/Kernel.php:197 
[0x7f42cee07100] (main) /......./web/app_dev.php:36 
[0x7f42cee07020] (main) /......./index.php:53 
(gdb) quit

@sitnikov changed the title from "PHP 8.2.5 / 8.2.6 crash" to "PHP 8.2.5 - 8.2.7 crash" Jun 27, 2023

@iluuu1994
Member

@sitnikov Thank you! Can you try compiling with --enable-address-sanitizer? This might uncover the root cause. You will also have to set USE_ZEND_ALLOC=0.

@sitnikov
Author

address-sanitizer enabled.

image
[root] USE_ZEND_ALLOC=0 /usr/sbin/php82d-fpm --nodaemonize --force-stderr --allow-to-run-as-root
[27-Jun-2023 17:46:53] NOTICE: fpm is running, pid 1670291
[27-Jun-2023 17:46:53] NOTICE: ready to handle connections
[27-Jun-2023 17:46:53] NOTICE: systemd monitor interval set to 10000ms
[27-Jun-2023 17:48:10] WARNING: [pool alvadi-debug-8.2] child 1670293 exited with code 1 after 77.084592 seconds from start
[27-Jun-2023 17:48:11] NOTICE: [pool alvadi-debug-8.2] child 1670394 started

(gdb) attach 1670293
(gdb) handle SIGPIPE nostop
(gdb) c
[Inferior 1 (process 1670293) exited with code 01]

http - 502

@sitnikov
Author

sitnikov commented Jul 1, 2023

What else can I do to help?

@nielsdos
Member

nielsdos commented Jul 1, 2023

I'm surprised there's no output, afaict there should've been ASAN (Address SANitizer) output. @iluuu1994 any idea why there's no output?
Is it possible for you to run php-fpm under Valgrind (note: Valgrind is incompatible with ASAN, so you'll have to configure PHP without ASAN)?

@iluuu1994
Member

iluuu1994 commented Jul 1, 2023

Unfortunately not, no. I have yet to encounter a false negative in ASAN. Maybe the ASAN output is somewhere else? You could try setting the env variable ASAN_OPTIONS="log_path=asan.log". If that doesn't work, you could try Valgrind as @nielsdos suggested. Thank you for your patience. 🙂

@sitnikov
Author

sitnikov commented Jul 2, 2023

[root@alvadi sitnikov]# valgrind --trace-children=yes --log-file=valgrind.log /usr/sbin/php82d-fpm --nodaemonize --force-stderr --allow-to-run-as-root
[02-Jul-2023 18:37:26] NOTICE: fpm is running, pid 3039807
[02-Jul-2023 18:37:26] NOTICE: ready to handle connections
[02-Jul-2023 18:37:26] NOTICE: systemd monitor interval set to 10000ms
[02-Jul-2023 18:39:24] WARNING: [pool alvadi-debug-8.2] child 3039870 exited on signal 6 (SIGABRT) after 118.600750 seconds from start

==3039807== Warning: set address range perms: large range [0x5a000000, 0xda000000) (defined)
==3039870== Conditional jump or move depends on uninitialised value(s)
==3039870==    at 0x1C1B24BB: ???
==3039870==    by 0x1DB6AC57: ???
==3039870==    by 0x1DB6AC57: ???
==3039870==    by 0x1DB6AC9C: ???
==3039870==    by 0xA1610CF: ???
==3039870==    by 0x1DB6AC57: ???
==3039870== 
==3039870== Conditional jump or move depends on uninitialised value(s)
==3039870==    at 0x40D7F8C: ???
==3039870==    by 0x20CB0B77: ???
==3039870==    by 0x20CB0B77: ???
==3039870==    by 0x20CB0BA1: ???
==3039870==    by 0xA1610CF: ???
==3039870==    by 0x20CB0B77: ???
==3039870== 
==3039870== 
==3039870== Process terminating with default action of signal 6 (SIGABRT): dumping core
==3039870==    at 0x7CCFB8F: raise (in /usr/lib64/libc-2.28.so)
==3039870==    by 0x7CA2EA4: abort (in /usr/lib64/libc-2.28.so)
==3039870==    by 0x7CA2D78: __assert_fail_base.cold.0 (in /usr/lib64/libc-2.28.so)
==3039870==    by 0x7CC84E5: __assert_fail (in /usr/lib64/libc-2.28.so)
==3039870==    by 0x72B325: gc_possible_root (zend_gc.c:647)
==3039870==    by 0x68545D: gc_check_possible_root (zend_gc.h:80)
==3039870==    by 0x6855EF: i_zval_ptr_dtor (zend_variables.h:46)
==3039870==    by 0x6912BF: i_free_compiled_variables (zend_execute.c:3753)
==3039870==    by 0x710FFD: execute_ex (zend_vm_execute.h:55891)
==3039870==    by 0x716E9B: zend_execute (zend_vm_execute.h:60396)
==3039870==    by 0x65545E: zend_execute_scripts (zend.c:1827)
==3039870==    by 0x5A5F02: php_execute_script (main.c:2542)
==3039870== 
==3039870== HEAP SUMMARY:
==3039870==     in use at exit: 5,725,454 bytes in 39,494 blocks
==3039870==   total heap usage: 52,836 allocs, 13,342 frees, 48,762,759 bytes allocated
==3039870== 
==3039870== LEAK SUMMARY:
==3039870==    definitely lost: 36,456 bytes in 1,134 blocks
==3039870==    indirectly lost: 2,230 bytes in 25 blocks
==3039870==      possibly lost: 3,713,242 bytes in 27,521 blocks
==3039870==    still reachable: 1,973,526 bytes in 10,814 blocks
==3039870==         suppressed: 0 bytes in 0 blocks
==3039870== Rerun with --leak-check=full to see details of leaked memory
==3039870== 
==3039870== Use --track-origins=yes to see where uninitialised values come from
==3039870== For lists of detected and suppressed errors, rerun with: -s
==3039870== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
==3039870== could not unlink /tmp/vgdb-pipe-from-vgdb-to-3039870-by-???-on-???
==3039870== could not unlink /tmp/vgdb-pipe-to-vgdb-from-3039870-by-???-on-???
==3039870== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-3039870-by-???-on-???
==3039873== Warning: set address range perms: large range [0x5a000000, 0xda000000) (noaccess)

@nielsdos
Member

nielsdos commented Jul 2, 2023

I've seen crashes like that hitting that assertion; it's usually incorrect refcounting somewhere such that the refcount drops to 0 too early. It is going to be difficult to find the root cause and fix it without having a reproducer at hand.
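
Editor's illustration of the two maintainer remarks in this thread (a heap corruption whose origin "could be anywhere", and a refcount that drops to 0 too early), using a toy free-list allocator. This is an added example, not PHP's allocator and not code from any participant; `toy_heap`, `replay` and the `live[]` side table (standing in for ASAN's shadow memory) are hypothetical names, and the scenario is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NSLOTS 8

/* A refcounted value, 64 bytes like one small-bin slot (constructed layout). */
typedef struct { uint32_t refcount; char text[60]; } toy_obj;

/* A free slot keeps the free-list link in the same bytes a live object uses. */
typedef union slot {
    uintptr_t next_free_slot; /* stored as an integer so a corrupted link is never formed as a pointer */
    toy_obj obj;
} slot;

typedef struct {
    slot pool[NSLOTS];
    uintptr_t free_slot;        /* head of the free list */
    unsigned char live[NSLOTS]; /* side table: 1 while a slot is allocated */
} toy_heap;

static void heap_init(toy_heap *h) {
    for (int i = 0; i < NSLOTS; i++) {
        h->pool[i].next_free_slot = (i + 1 < NSLOTS) ? (uintptr_t)&h->pool[i + 1] : 0;
        h->live[i] = 0;
    }
    h->free_slot = (uintptr_t)&h->pool[0];
}

/* A link is sane if it is 0 or the address of a slot inside the pool. */
static int link_ok(const toy_heap *h, uintptr_t a) {
    uintptr_t lo = (uintptr_t)&h->pool[0];
    return a == 0 || (a >= lo && a - lo < sizeof h->pool && (a - lo) % sizeof(slot) == 0);
}

/* Pops the head of the free list, the same operation as the line at
 * zend_alloc.c:1313 in the traces. A production build dereferences the head
 * unconditionally and faults there; the toy reports it through *fault. */
static slot *heap_alloc(toy_heap *h, int *fault) {
    if (!link_ok(h, h->free_slot)) { *fault = 1; return NULL; }
    slot *p = (slot *)h->free_slot;
    if (p == NULL) return NULL;
    h->free_slot = p->next_free_slot;
    h->live[p - h->pool] = 1;
    p->obj.refcount = 1;
    return p;
}

/* Drop one reference; at zero the slot goes back on the free list. */
static void obj_release(toy_heap *h, slot *p) {
    if (--p->obj.refcount == 0) {
        h->live[p - h->pool] = 0;
        p->next_free_slot = h->free_slot;
        h->free_slot = (uintptr_t)p;
    }
}

/* Take a reference. With shadow_checks the access to a freed slot is
 * reported immediately; without them it silently rewrites link bytes. */
static int obj_addref(toy_heap *h, slot *p, int shadow_checks) {
    if (shadow_checks && !h->live[p - h->pool]) return -1;
    p->obj.refcount++;
    return 0;
}

/* Replays the constructed scenario and returns the step at which the
 * problem is first noticed (0 if never). */
int replay(int shadow_checks) {
    toy_heap h;
    int fault = 0, step = 0;
    heap_init(&h);

    slot *a = heap_alloc(&h, &fault); step++;          /* step 1 */
    slot *b = heap_alloc(&h, &fault); step++;          /* step 2 */
    (void)b;
    slot *stale = a; /* second owner that never took its own reference: the bug */
    obj_release(&h, a); step++;                        /* step 3: refcount 1 -> 0, freed too early */

    step++;                                            /* step 4: use after free */
    if (obj_addref(&h, stale, shadow_checks) != 0) return step;

    step++; heap_alloc(&h, &fault);                    /* step 5: succeeds, installs the bad link as head */
    if (fault) return step;
    step++; heap_alloc(&h, &fault);                    /* step 6: unrelated allocation hits the bad head */
    if (fault) return step;
    return 0;
}

int main(void) {
    printf("plain allocator notices at step %d\n", replay(0));
    printf("shadow-checked build notices at step %d\n", replay(1));
    return 0;
}
```

Without the side table the fault surfaces two allocations after the premature free, in code unrelated to the bug, which is why the backtraces above end in different PHP functions; with it, the first bad access is reported, which is what the ASAN and Valgrind runs were meant to provide.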

@sitnikov
Author

sitnikov commented Jul 2, 2023

The codebase is very large and the business logic is complex. I have no idea how to extract a sufficient piece of code to reproduce the problem.

@sitnikov
Author

sitnikov commented Jul 2, 2023

As we know, version 8.2.1 works, 8.2.5 does not. If I check all the versions in between and we find the one where it broke, will that help in any way?

@nielsdos
Member

nielsdos commented Jul 2, 2023

Yes that would help a lot.
And if the version is known, then a bisect also becomes doable, if you're okay with doing that.

@nielsdos
Member

nielsdos commented Jul 2, 2023

If the first breaking version is 8.2.4 then I think it could be that one ext/date issue that I fixed recently (fix should be in 8.2.8). The behaviour is the same and the stacktrace looks similar with the same assert being hit. It's the only refcounting issue I'm aware of between 8.2.1 and 8.2.5.
But let's wait for results before jumping to conclusions :)

@sitnikov
Author

sitnikov commented Jul 2, 2023

8.2.3 - OK
8.2.4 - SIGSEGV

@nielsdos
Member

nielsdos commented Jul 2, 2023

@sitnikov I can't help but think it's the ext/date issue. Can you please retry with this patch 93becab? Alternatively, 8.2.8 should be fine too if that's the issue.

8.2.8 is not released yet, but you can check out the branch PHP-8.2.8 if you build it yourself.

@nielsdos
Member

nielsdos commented Jul 2, 2023

Thanks for your efforts btw!

@sitnikov
Author

sitnikov commented Jul 3, 2023

@nielsdos - the patch from 93becab fixes the sigsegv for 8.2.7

Thanks!

@nielsdos
Member

nielsdos commented Jul 3, 2023

Thanks! So this issue is actually a duplicate of #11455. The fix for this will be included in the 8.2.8 release.

@nielsdos closed this as not planned Jul 3, 2023