Apache24 segfault when OPcache + Suhosin are enabled #118

Open
dan42 opened this issue Jul 16, 2018 · 6 comments

dan42 commented Jul 16, 2018

This may be a duplicate of #114 but it's hard to tell.

FreeBSD 11.1
Apache 2.4.33_1
PHP 5.6.36
Suhosin v0.9.38

After an Apache start or restart everything works fine. But after a graceful restart, every request results in a segfault with log output like this:

[Mon Jul 16 14:36:03.256561 2018] [core:notice] [pid 53222] AH00051: child pid 53298 exit signal Segmentation fault (11), possible coredump in /tmp/apache24-core-dump

This only happens when both OPcache and Suhosin are enabled; there is no issue when only one of them is enabled.

If I set opcache.enable=0 then the problem only occurs after two graceful restarts.

Based on these:
https://bugs.php.net/bug.php?id=75573
https://bugs.php.net/bug.php?id=75579
https://bugs.php.net/bug.php?id=75621
Maybe the problem is related to the combination of these two extensions using up all available memory for interned strings? (speculation)

Stack trace of the coredump gives me this:

#0  0x0000000809de4610 in ?? ()
No symbol table info available.
#1  0x000000080f9369ff in suhosin_treat_data () from /usr/local/lib/php/ext_dir/suhosin.so
No symbol table info available.
#2  0x00000008055d5253 in php_hash_environment () from /usr/local/libexec/apache24/libphp5.so
No symbol table info available.
#3  0x0000000805616a42 in zend_activate_auto_globals () from /usr/local/libexec/apache24/libphp5.so
No symbol table info available.
#4  0x00000008056368d7 in zend_hash_apply () from /usr/local/libexec/apache24/libphp5.so
No symbol table info available.
#5  0x00000008055d4d7a in php_hash_environment () from /usr/local/libexec/apache24/libphp5.so
No symbol table info available.
#6  0x00000008055c327a in php_request_startup () from /usr/local/libexec/apache24/libphp5.so
No symbol table info available.
#7  0x00000008056b22d1 in zend_get_zval_ptr_ptr () from /usr/local/libexec/apache24/libphp5.so
No symbol table info available.
#8  0x0000000000459787 in ap_invoke_handler ()
No symbol table info available.
#9  0x0000000000470143 in ap_process_async_request ()
No symbol table info available.
#10 0x00000000004701e4 in ap_process_request ()
No symbol table info available.
#11 0x000000000046cd12 in ap_process_http_connection ()
No symbol table info available.
#12 0x0000000000464636 in ap_process_connection ()
No symbol table info available.
#13 0x0000000802404b75 in ?? () from /usr/local/libexec/apache24/mod_mpm_prefork.so
No symbol table info available.
#14 0x0000000802404692 in ?? () from /usr/local/libexec/apache24/mod_mpm_prefork.so
No symbol table info available.
#15 0x0000000802403e0f in ?? () from /usr/local/libexec/apache24/mod_mpm_prefork.so
No symbol table info available.
#16 0x000000000043be5b in ap_run_mpm ()
No symbol table info available.
#17 0x00000000004345cc in main ()
No symbol table info available.
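The AH00051 notice quoted above is the only signal an operator normally gets that worker processes are dying. As an added example (not code from the reporter or from the Suhosin project), here is a small Python parser that picks those notices out of an Apache 2.4 error_log, counts crashes per signal, and flags a burst of crashes inside a time window. Only the first sample line is the one quoted in the report; the other log lines are constructed, and the window length and threshold are assumptions.

```python
import re
from collections import Counter, deque
from datetime import datetime

# Apache 2.4 core:notice written by the parent process when a child exits on a signal.
# The format follows the AH00051 line quoted in this report.
AH00051_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (?P<year>\d{4})\] "
    r"\[core:notice\] \[pid (?P<parent>\d+)\] AH00051: child pid (?P<child>\d+) "
    r"exit signal (?P<signame>[^(]+) \((?P<signum>\d+)\)"
    r"(?:, possible coredump in (?P<coredir>\S+))?"
)

# Constructed sample log: line 0 is the line quoted in the report, the rest are made up
# to show a burst of segfaults, an unrelated notice, and a crash on a different signal.
SAMPLE_LOG = [
    "[Mon Jul 16 14:36:03.256561 2018] [core:notice] [pid 53222] AH00051: child pid 53298 "
    "exit signal Segmentation fault (11), possible coredump in /tmp/apache24-core-dump",
    "[Mon Jul 16 14:36:04.001122 2018] [mpm_prefork:notice] [pid 53222] AH00163: "
    "Apache/2.4.33 (FreeBSD) configured -- resuming normal operations",
    "[Mon Jul 16 14:36:05.112233 2018] [core:notice] [pid 53222] AH00051: child pid 53301 "
    "exit signal Segmentation fault (11), possible coredump in /tmp/apache24-core-dump",
    "[Mon Jul 16 14:36:06.223344 2018] [core:notice] [pid 53222] AH00051: child pid 53304 "
    "exit signal Segmentation fault (11), possible coredump in /tmp/apache24-core-dump",
    "[Mon Jul 16 14:40:00.000000 2018] [core:notice] [pid 53222] AH00051: child pid 53310 "
    "exit signal Bus error (10)",
]


def parse_line(line):
    """Return a dict describing an AH00051 child-crash notice, or None for any other line."""
    m = AH00051_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return {
        "time": when,
        "parent_pid": int(m["parent"]),
        "child_pid": int(m["child"]),
        "signal": int(m["signum"]),
        "signal_name": m["signame"].strip(),
        "coredir": m["coredir"],  # None when Apache did not mention a core dump
    }


def crash_events(lines):
    """All parsed crash notices, in log order."""
    return [ev for ev in map(parse_line, lines) if ev]


def crash_summary(lines):
    """Number of child crashes per signal number."""
    return dict(Counter(ev["signal"] for ev in crash_events(lines)))


def crash_bursts(lines, window_seconds=60, threshold=3):
    """Timestamps at which the count of crashes inside the trailing window reached
    `threshold`. Fires once per burst, when the threshold is first reached."""
    hits = []
    window = deque()
    for ev in crash_events(lines):
        window.append(ev["time"])
        while (window[-1] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) == threshold:
            hits.append(ev["time"])
    return hits


if __name__ == "__main__":
    print("crashes per signal:", crash_summary(SAMPLE_LOG))
    for t in crash_bursts(SAMPLE_LOG):
        print("crash burst reached threshold at", t)
```

A crash on every request after a graceful restart, as described in the report, is a complete outage for PHP content, so this is worth alerting on rather than discovering from user complaints. The `coredir` field is also worth acting on: a core file of a PHP worker contains the process memory at the time of the crash, including request data, session contents and environment variables, so the dump directory should be readable only by the account doing the analysis and cleared once the investigation is done.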
bef added the bug label Jul 17, 2018

bef (Member) commented Jul 17, 2018

Thank you for reporting this bug.
Could you provide a PHP script that triggered the core dump, please?

dan42 (Author) commented Jul 17, 2018

Sure, this is enough to core dump:

<?php
phpinfo();

bef (Member) commented Jul 23, 2018

Would it be possible for you to retry using the current master branch (version v0.9.39dev2), compiled with debug symbols, please?

E.g.:

git clone https://github.com/sektioneins/suhosin
cd suhosin
phpize
./configure
make -j2 CFLAGS="-DSUHOSIN_DEBUG=1 -O0 -g"
make install

While trying to recreate the bug my setup appears to be stable.

dan42 (Author) commented Jul 27, 2018

I still get a core dump with the master branch; this is the backtrace.

I recompiled suhosin, opcache, apache24, php56, and mod_php56 with debugging symbols, but there's still no symbol table info available for #0. Is that normal or what?

#0  0x0000000809fe4610 in ?? ()
No symbol table info available.
#1  0x000000080fb446d9 in suhosin_input_filter_wrapper (arg=5, var=0x8050774c9 "SCRIPT_URL", val=0x7fffffffba58, val_len=21, new_val_len=0x7fffffffba54)
    at /home/dan42/suhosin/ifilter.c:311
        already_scanned = 0 '\000'
#2  0x0000000805880494 in php_apache_sapi_register_variables (track_vars_array=0x8023a3400) at sapi/apache2handler/sapi_apache2.c:279
        elts = 0x810177028
        i = 0
        ctx = 0x810175868
        arr = 0x81016f8c8
        key = 0x8050774c9 "SCRIPT_URL"
        val = 0x810170628 "/suhosin-test.php"
        new_val_len = 21
#3  0x000000080fb43e02 in suhosin_register_server_variables (track_vars_array=0x8023a3400) at /home/dan42/suhosin/ifilter.c:219
        svars = 0x0
        retval = 0
        failure = 0
#4  0x00000008056a3972 in php_register_server_variables () at main/php_variables.c:639
        array_ptr = 0x8023a3400
#5  0x00000008056a2dfd in php_auto_globals_create_server (name=0x810525570 "_SERVER", name_len=7) at main/php_variables.c:833
No locals.
#6  0x00000008056f160f in zend_is_auto_global_quick (name=0x805941f5d "_SERVER", name_len=7, hash=7572043519435131) at Zend/zend_compile.c:6862
        auto_global = 0x802310660
#7  0x00000008056f86e0 in zend_is_auto_global (name=0x805941f5d "_SERVER", name_len=7) at Zend/zend_compile.c:6872
No locals.
#8  0x00000008055cc8be in php_print_gpcse_array (name=0x805941f5d "_SERVER", name_length=7) at ext/standard/info.c:202
        data = 0x80239bd38
        tmp = 0xc1a4437ef94920a4
        tmp2 = {value = {lval = 34451222579, dval = 1.702116553351417e-313, str = {
              val = 0x80573f033 <zend_hash_find+35> "H\211E\320H\213E\320H\213M\360\213Q\004\211\321H!\310\211\302\211U\314H\213E\360H\213@0\213U\314\211\321H\213\004\310H\211E\300H\203}\300", len = 0}, ht = 0x80573f033 <zend_hash_find+35>, obj = {handle = 91484211, handlers = 0x0}, ast = 0x80573f033 <zend_hash_find+35>}, refcount__gc = 89961788, 
          type = 36 '$', is_ref__gc = 0 '\000'}
        string_key = 0x7fffffffbd30 "\320\277\377\377\377\177"
        string_len = 8
        num_key = 17273507308
#9  0x00000008055cc19a in php_print_info (flag=-1) at ext/standard/info.c:1126
        data = 0xe
        env = 0x7fffffffed68
        tmp1 = 0x8023a4ef8 "\250O:\002\b"
        tmp2 = 0x8023a4eff ""
        php_uname = 0x80239cd20 ""
#10 0x00000008055cd3a6 in zif_phpinfo (ht=0, return_value=0x80239d810, return_value_ptr=0x80236b8d0, this_ptr=0x0, return_value_used=0) at ext/standard/info.c:1389
        flag = 4294967295
#11 0x0000000805770e53 in execute_internal (execute_data_ptr=0x80236b8e8, fci=0x0, return_value_used=0) at Zend/zend_execute.c:1525
        return_value_ptr = 0x80236b8d0
#12 0x000000080fb51037 in suhosin_execute_internal (execute_data_ptr=0x80236b8e8, fci=0x0, return_value_used=0) at /home/dan42/suhosin/execute.c:1762
        return_value = 0x80239d810
        return_value_ptr = 0x0
        this_ptr = 0x0
        ht = 0
        lcname = 0x80593db5a "phpinfo"
        function_name_strlen = 7
        free_lcname = 0
        ce = 0x0
        ih = 0x2
#13 0x0000000805830024 in zend_do_fcall_common_helper_SPEC (execute_data=0x80236b8e8) at Zend/zend_vm_execute.h:560
        ret = 0x80236b8c8
        opline = 0x81093e488
        should_change_scope = 0 '\000'
        fbc = 0x810036500
        num_args = 0
#14 0x00000008057ae625 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x80236b8e8) at Zend/zend_vm_execute.h:2602
        opline = 0x81093e488
        fname = 0x81093e438
        call = 0x80236b970
#15 0x0000000805772414 in execute_ex (execute_data=0x80236b8e8) at Zend/zend_vm_execute.h:363
        ret = 30431296
        original_in_execution = 0 '\000'
#16 0x000000080fb50a6f in suhosin_execute_ex (execute_data=0x80236b8e8) at /home/dan42/suhosin/execute.c:608
        op_array = 0x80239c3f8
        new_op_array = 0x8
        op_array_type = 11
        len = 71
        fn = 0x81093e3f0 "/path/to/app/ror/public/suhosin-test.php"
        cs = {value = {lval = 140737488340928, dval = 6.9533558071235498e-310, str = {val = 0x7fffffffc7c0 "@\311\377\377\377\177", len = 91151188}, ht = 0x7fffffffc7c0, obj = {
              handle = 4294952896, handlers = 0x8056edb54 <_ecalloc+164>}, ast = 0x7fffffffc7c0}, refcount__gc = 37338920, type = 8 '\b', is_ref__gc = 0 '\000'}
        orig_code_type = 0
        suhosin_flags = 0x80239c4d0
#17 0x0000000805772eb3 in zend_execute (op_array=0x80239c3f8) at Zend/zend_vm_execute.h:388
No locals.
#18 0x000000080572a9a9 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at Zend/zend.c:1341
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffcbc0, reg_save_area = 0x7fffffffca80}}
        i = 1
        file_handle = 0x7fffffffe2c0
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
        orig_interactive = 0
#19 0x000000080568b634 in php_execute_script (primary_file=0x7fffffffe2c0) at main/main.c:2613
        realfile = "\017\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000~OE\f\b\000\000\000\207\200\373\v\000\000\000\000A\260\034c", '\000' <repeats 12 times>, "\001", '\000' <repeats 15 times>, "\217[\311\r\b\000\000\000(\365\307\000\000\000\000\000'\031T8\b", '\000' <repeats 11 times>, "\001\000\000\000\377\177", '\000' <repeats 18 times>, "x\337\377\377\377\177\000\000\000\000\000\000\000\000\000\000\210\337\377\377\377\177\000\000\220\332\377\377\377\177\000\000h\000\000\000#\000\000\000\270\336\377\377\377\177\000\000x\337\377\377\377\177\000\000\025\000\000\000\000\000\000\000\000\314r\000\b", '\000' <repeats 11 times>...
        __orig_bailout = 0x7fffffffe360
        __bailout = {{_sjb = {34450485843, 0, 140737488341944, 140737488347616, 140737488350504, 140737488350528, 140737488350512, 1, 34367210111, 34367220736, 34367233024, 
              34359738368}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, 
                pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, free_filename = 0 '\000'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, 
                map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, free_filename = 0 '\000'}
        old_cwd = 0x7fffffffcbc0 "/"
        use_heap = 0 '\000'
        retval = 0
#20 0x000000080587f90a in php_handler (r=0x81016f0a0) at sapi/apache2handler/sapi_apache2.c:667
        zfd = {type = ZEND_HANDLE_MAPPED, filename = 0x810173910 "/path/to/app/php/public/suhosin-test.php", opened_path = 0x0, handle = {fd = 37339112, 
            fp = 0x80239bfe8, stream = {handle = 0x80239bfe8, isatty = 0, mmap = {len = 16, pos = 0, map = 0x0, 
                buf = 0x8006e1000 <error: Cannot access memory at address 0x8006e1000>, old_handle = 0x0, old_closer = 0x0}, reader = 0x8056ac580 <_php_stream_read>, 
              fsizer = 0x805687b00 <php_zend_stream_fsizer>, closer = 0x805687b50 <php_zend_stream_mmap_closer>}}, free_filename = 0 '\000'}
        __orig_bailout = 0x0
        __bailout = {{_sjb = {34452534922, 0, 140737488347624, 140737488348176, 140737488350504, 140737488350528, 140737488350512, 1, 34395849599, 34629677992, 34629702848, 
              34359738368}}}
        ctx = 0x810175868
        conf = 0x8101756c0
        brigade = 0x810177d80
        bucket = 0xffffffffffffe410
        rv = 8
        parent_req = 0x0
#21 0x000000000046b795 in ap_run_handler (r=0x81016f0a0) at config.c:170
        pHook = 0x8022e6ee0
        n = 4
        rv = -1
#22 0x000000000046bfec in ap_invoke_handler (r=0x81016f0a0) at config.c:444
        handler = 0x8022e3920 "application/x-httpd-php"
        p = 0x0
        result = 0
        old_handler = 0x0
        ignore = 0x200000001 <error: Cannot access memory at address 0x200000001>
#23 0x0000000000490d35 in ap_process_async_request (r=0x81016f0a0) at http_request.c:436
        c = 0x810155290
        access_status = 0
#24 0x0000000000490e01 in ap_process_request (r=0x81016f0a0) at http_request.c:471
        bb = 0x810153380
        b = 0x410155290
        c = 0x810155290
        rv = 5
#25 0x000000000048c590 in ap_process_http_sync_connection (c=0x810155290) at http_core.c:210
        keep_alive_timeout = 5000000
        r = 0x81016f0a0
        cs = 0x0
        csd = 0x0
        mpm_state = 0
#26 0x000000000048c12d in ap_process_http_connection (c=0x810155290) at http_core.c:251
No locals.
#27 0x000000000047c6c5 in ap_run_process_connection (c=0x810155290) at connection.c:42
        pHook = 0x8022e7510
        n = 1
        rv = -1
#28 0x000000000047cea5 in ap_process_connection (c=0x810155290, csd=0x8101550a0) at connection.c:226
        rc = -2
#29 0x00000008024064f3 in child_main (child_num_arg=5, child_bucket=0) at prefork.c:615
        current_conn = 0x810155290
        csd = 0x8101550a0
        thd = 0x8101530a0
        osthd = 0x802216000
        ptrans = 0x810155028
        allocator = 0x80221c2a0
        status = 0
        i = -1
        lr = 0x802251198
        pollset = 0x810153388
        sbh = 0x810153380
        bucket_alloc = 0x81016d028
        last_poll_idx = 1
        lockfile = 0x7fffffffe880 "\020\351\377\377\377\177"
#30 0x00000008024054eb in make_child (s=0x802252110, slot=5, bucket=0) at prefork.c:716
        pid = 0
#31 0x00000008024048a0 in prefork_run (_pconf=0x802229028, plog=0x802258028, s=0x802252110) at prefork.c:979
        status = 0
        pid = {pid = 81788, in = 0x0, out = 0x7fffffffed28, err = 0x7fffffffed40}
        child_slot = 5
        exitwhy = APR_PROC_EXIT
        processed_status = 0
        index = 8
        remaining_children_to_start = 5
        i = 32767
#32 0x0000000000441245 in ap_run_mpm (pconf=0x802229028, plog=0x802258028, s=0x802252110) at mpm_common.c:94
        pHook = 0x8022e7610
        n = 0
        rv = -1
#33 0x0000000000434e5c in main (argc=1, argv=0x7fffffffed30) at main.c:818
        c = 0 '\000'
        showcompile = 0
        showdirectives = 0
        confname = 0x49aab0 "etc/apache24/httpd.conf"
        def_server_root = 0x49aac8 "/usr/local"
        temp_error_log = 0x0
        error = 0x0
        process = 0x802227118
        pconf = 0x802229028
        plog = 0x802258028
        ptemp = 0x802260028
        pcommands = 0x80224e028
        opt = 0x80224e118
        rv = 0
        mod = 0x6b9df8 <ap_prelinked_modules+24>
        opt_arg = 0x7fffffffed28 "\001"
        signal_server = 0x4818e0 <ap_signal_server>
        rc = 0

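Triaging a `bt full` dump like the one above is easier once each frame is attributed to the object it came from. This added Python helper (my example, not code from the thread or from the Suhosin project) parses gdb frame headers, attaches an `at file:line` location that gdb wrapped onto the following line, and reports which frames have no symbol name, which have no containing object at all, and how many frames fall into each component. The sample backtrace is constructed from frames that appear in this thread, and the component rules are an assumption about the build layout that would need adjusting for a different tree.

```python
import re
from collections import Counter

# A gdb "bt full" frame header. Locals and "No symbol table info available." lines
# are indented or start with "No", so they never match this pattern.
FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+(?:0x(?P<addr>[0-9a-fA-F]+) in )?(?P<func>\S+) \((?P<args>.*)\)\s*(?P<loc>.*)$"
)

# Assumed classification rules: first matching substring of the source path or shared
# object name decides the component. Order matters (checked top to bottom).
COMPONENT_RULES = [
    ("/suhosin/", "suhosin"),
    ("suhosin.so", "suhosin"),
    ("libphp", "php"),
    ("Zend/", "php"),
    ("main/", "php"),
    ("sapi/", "php"),
    ("ext/", "php"),
]
DEFAULT_COMPONENT = "httpd"  # main executable and its MPM modules

# Constructed sample, assembled from frames quoted in this thread.
SAMPLE_BT = r"""#0  0x0000000809fe4610 in ?? ()
No symbol table info available.
#1  0x000000080fb446d9 in suhosin_input_filter_wrapper (arg=5, var=0x8050774c9 "SCRIPT_URL", val=0x7fffffffba58, val_len=21, new_val_len=0x7fffffffba54)
    at /home/dan42/suhosin/ifilter.c:311
        already_scanned = 0 '\000'
#2  0x0000000805880494 in php_apache_sapi_register_variables (track_vars_array=0x8023a3400) at sapi/apache2handler/sapi_apache2.c:279
        elts = 0x810177028
        key = 0x8050774c9 "SCRIPT_URL"
#3  0x000000080fb43e02 in suhosin_register_server_variables (track_vars_array=0x8023a3400) at /home/dan42/suhosin/ifilter.c:219
        svars = 0x0
#4  0x00000008056a3972 in php_register_server_variables () at main/php_variables.c:639
        array_ptr = 0x8023a3400
#5  0x0000000000490d35 in ap_process_async_request (r=0x81016f0a0) at http_request.c:436
        access_status = 0
#6  0x0000000802404b75 in ?? () from /usr/local/libexec/apache24/mod_mpm_prefork.so
No symbol table info available.
"""


def parse_backtrace(text):
    """Split gdb 'bt full' output into frames (number, address, function, args, location).
    A location gdb wrapped onto the next line is attached to the preceding frame;
    local-variable lines are ignored."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw)
        if m:
            frames.append({
                "n": int(m["n"]),
                "addr": m["addr"],
                "func": m["func"],
                "args": m["args"],
                "loc": m["loc"].strip(),
            })
            continue
        s = raw.strip()
        if frames and not frames[-1]["loc"] and (s.startswith("at ") or s.startswith("from ")):
            frames[-1]["loc"] = s
    return frames


def module_of(frame):
    """Source file (debug build) or shared object (stripped build) of a frame, or None."""
    loc = frame["loc"]
    if loc.startswith("at "):
        return loc[3:].rsplit(":", 1)[0]
    if loc.startswith("from "):
        return loc[5:]
    return None


def component_of(module, rules=COMPONENT_RULES):
    """Map a source path or object name onto a component using the assumed rules."""
    for needle, component in rules:
        if needle in module:
            return component
    return DEFAULT_COMPONENT


def summarize(frames):
    """Triage view of a backtrace: unnamed frames, frames outside any known object,
    per-component frame counts, and the innermost frame gdb could name."""
    no_symbol = [f["n"] for f in frames if f["func"] == "??"]
    no_module = [f["n"] for f in frames if module_of(f) is None]
    components = Counter(component_of(module_of(f)) for f in frames if module_of(f) is not None)
    innermost = next((f for f in frames if f["func"] != "??"), None)
    return {
        "no_symbol": no_symbol,
        "no_module": no_module,
        "components": dict(components),
        "innermost_named": innermost["func"] if innermost else None,
    }


if __name__ == "__main__":
    print(summarize(parse_backtrace(SAMPLE_BT)))
```

The distinction between `no_symbol` and `no_module` is the useful one. Frame #6 above has no name only because `mod_mpm_prefork.so` is stripped; installing its debug symbols fixes that. Frame #0 is different: gdb could not place the program counter inside any loaded object, which is why debug symbols for every component still leave it as `??`. A trace that starts with such a frame and has a fully resolved caller beneath it points the analyst at that caller, here the call made from `suhosin_input_filter_wrapper`, rather than at frame #0 itself.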
NewEraCracker (Contributor) commented:
Maybe this could help?
freebsd/freebsd-ports@79fcb46

dan42 (Author) commented Jul 30, 2018

Thanks, but that patch was already part of my ports tree. Since it's about clang v6 and I have clang v4, I tried to remove that patch and recompile mod_php56, but there was no change. So the segfault happens with or without that patch.
