sw_zend_call_function_ex segfault on 4.5.4

[ajurgensen]

Please answer these questions before submitting your issue. Thanks!

1. What did you do? If possible, provide a simple script for reproducing the error.

Quite a complex application, using HTTP Server with many nested coroutines, loads of table use and yielding.

2. What did you expect to see?

no segfaults :)

3. What did you see instead?

Thread 7 "php" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f45f5efe700 (LWP 1815)]
0x000055e9438cae1d in execute_ex ()
(gdb) bt
#0 0x000055e9438cae1d in execute_ex ()
#1 0x000055e943836023 in zend_call_function ()
#2 0x00007f45ff30d2a5 in sw_zend_call_function_ex (retval=0x7f45f5efd840, params=0x7f45f5efd890, param_count=, fci_cache=0x7f45fe6cc160, function_name=0x0)
at /tmp/swoole-4.5.4/php_swoole.h:1004
#3 0x00007f45ff30d2a5 in php_swoole_server_dispatch_func(swoole::Server*, swConnection*, swSendData*) (serv=0x55e944192eb0, conn=, data=)
at /tmp/swoole-4.5.4/swoole_server.cc:1878
#4 0x00007f45ff2a0160 in swoole::Server::schedule_worker(int, swoole::SendData*) (data=0x7f45f5efd960, fd=245, this=0x55e944192eb0)
at /tmp/swoole-4.5.4/include/swoole_server.h:1136
#5 0x00007f45ff2a0160 in swFactoryProcess_dispatch(swoole::Factory*, swoole::SendData*) (factory=, task=0x7f45f5efd960)
at /tmp/swoole-4.5.4/src/server/process.cc:204
#6 0x00007f45ff2a415e in swoole::Server::dispatch_task(swoole::Protocol*, swoole::network::Socket*, char const*, unsigned int) (proto=proto@entry=0x55e944193790, _socket=_socket@entry=0x55e944782ef0, data=0x7f45dc1751d0 "GET /extt/2/4567/susie51@mclaughlin.net/7843d795103dba358f300fe08397c24a?pid=1 HTTP/1.0\r\nHost: webserver\r\nScheme: http\r\nSERVER_PORT: 81\r\nREMOTE_ADDR: 172.21.0.7\r\nX-Forwarded-For: 172.21.0.7\r\nX-hash-ha"..., length=369) at /tmp/swoole-4.5.4/src/server/reactor_thread.cc:1033
#7 0x00007f45ff29d152 in swoole::Port_onRead_http(swoole::Reactor*, swoole::ListenPort*, swoole::Event*) (reactor=0x7f45dc014d00, port=0x55e944193610, event=0x7f45f5efdb40) at /tmp/swoole-4.5.4/src/server/port.cc:495
#8 0x00007f45ff2a4e1e in ReactorThread_onRead(swoole::Reactor*, swoole::Event*) (reactor=0x7f45dc014d00, event=0x7f45f5efdb40)
at /tmp/swoole-4.5.4/src/server/reactor_thread.cc:607
#9 0x00007f45ff290a1b in swReactorEpoll_wait(swoole::Reactor*, timeval*) (reactor=0x7f45dc014d00, timeo=) at /tmp/swoole-4.5.4/src/reactor/epoll.cc:229
#10 0x00007f45ff2aaa9e in swoole_event_wait() () at /tmp/swoole-4.5.4/src/wrapper/event.cc:77
#11 0x00007f45ff2a3d53 in ReactorThread_loop(swoole::Server*, int) (serv=0x55e944192eb0, reactor_id=) at /tmp/swoole-4.5.4/src/server/reactor_thread.cc:958
#12 0x00007f46148ab6df in () at /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#13 0x00007f4616d056db in start_thread (arg=0x7f45f5efe700) at pthread_create.c:463
#14 0x00007f461703ea3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

4. What version of Swoole are you using (show your php --ri swoole)?
   swoole

Swoole => enabled
Author => Swoole Team team@swoole.com
Version => 4.5.4
Built => Sep 22 2020 14:21:50
coroutine => enabled
epoll => enabled
eventfd => enabled
signalfd => enabled
cpu_affinity => enabled
spinlock => enabled
rwlock => enabled
openssl => OpenSSL 1.1.1g 21 Apr 2020
pcre => enabled
zlib => 1.2.11
mutex_timedlock => enabled
pthread_barrier => enabled
futex => enabled
mysqlnd => enabled
async_redis => enabled

Directive => Local Value => Master Value
swoole.enable_coroutine => On => On
swoole.enable_library => On => On
swoole.enable_preemptive_scheduler => Off => Off
swoole.display_errors => On => On
swoole.use_shortname => On => On
swoole.unixsock_buffer_size => 8388608 => 8388608

5. What is your machine environment used (show your uname -a & php -v & gcc -v) ?

Linux 55392e011f19 4.19.76-linuxkit #1 SMP Tue May 26 11:42:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

PHP 7.4.10 (cli) (built: Sep 9 2020 06:36:14) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with Zend OPcache v7.4.10, Copyright (c), by Zend Technologies

Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 7.5.0-3ubuntu118.04' --with-bugurl=file:///usr/share/doc/gcc-7/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr --with-gcc-major-version-only --program-suffix=-7 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu118.04)

[matyhtf]

Please provide reproducible PHP code, and use valgrind to analyze memory errors.

USE_ZEND_ALLOC=0 valgrind php your_code.php

[compwright]

I also encountered this issue, and was able to narrow it to this line:

$obj = clone $this;

Refactoring to remove that line fixed the crash.