Newsgroups: php.internals
Subject: AV on PHP 5.5.18 + Zend Opcache in accel_chdir
From: ericsten@microsoft.com (Eric Stenson)
To: internals@lists.php.net
Date: Mon, 24 Nov 2014 21:52:05 +0000

Internals folks--

Who owns Zend Opcache these days? I've got a crash dump that appears to be a double-free of ZCG(cwd) during accel_chdir on PHP 5.5.18.

Does this crash look familiar to anyone?

[windbg output]
0:000> .ecxr
eax=00000000 ebx=01b47cb0 ecx=77b12240 edx=01b00000 esi=01b12f08 edi=01e6e6d0
eip=6bdab9e7 esp=0194ef2c ebp=0cff53b0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
php5!_efree+0x27:
6bdab9e7 8b57f8          mov     edx,dword ptr [edi-8] ds:002b:01e6e6c8=????????

0:000> k
 *** Stack trace for last set context - .thread/.cxr resets it
 # ChildEBP RetAddr
00 0194ef34 6bd52647 php5!_efree+0x27 [c:\php-sdk\php55\vc11\x86\php-5.5.18\zend\zend_alloc.c @ 2440]
01 0194f044 6bda6ee6 php_opcache!zif_accel_chdir+0x67 [c:\php-sdk\php55\vc11\x86\php-5.5.18\ext\opcache\zendaccelerator.c @ 158]
02 0194f0a4 6bda6645 php5!zend_do_fcall_common_helper_SPEC+0x176 [c:\php-sdk\php55\vc11\x86\php-5.5.18\zend\zend_vm_execute.h @ 550]
03 0194f0dc 6bdc11c1 php5!execute_ex+0x295 [c:\php-sdk\php55\vc11\x86\php-5.5.18\zend\zend_vm_execute.h @ 363]
04 0194f184 6bde68d0 php5!zend_call_function+0x3c1 [c:\php-sdk\php55\vc11\x86\php-5.5.18\zend\zend_execute_api.c @ 937]
05 0194f1b8 6bde6808 php5!call_user_function_ex+0x50 [c:\php-sdk\php55\vc11\x86\php-5.5.18\zend\zend_execute_api.c @ 725]
06 0194f1f0 6bee5ae9 php5!call_user_function+0x58 [c:\php-sdk\php55\vc11\x86\php-5.5.18\zend\zend_execute_api.c @ 699]
07 0194f224 6bdbf51b php5!user_shutdown_function_call+0x79 [c:\php-sdk\php55\vc11\x86\php-5.5.18\ext\standard\basic_functions.c @ 5001]
08 0194f238 6bee17e8 php5!zend_hash_apply+0x1b [c:\php-sdk\php55\vc11\x86\php-5.5.18\zend\zend_hash.c @ 716]
09 0194f290 6bdba9dc php5!php_call_shutdown_functions+0x48 [c:\php-sdk\php55\vc11\x86\php-5.5.18\ext\standard\basic_functions.c @ 5088]
0a 0194f5d0 01141443 php5!php_request_shutdown+0x6c [c:\php-sdk\php55\vc11\x86\php-5.5.18\main\main.c @ 1746]
0b 0194f764 0114420c php_cgi!main+0x443 [c:\php-sdk\php55\vc11\x86\php-5.5.18\sapi\cgi\cgi_main.c @ 2505]
0c 0194f7a4 75f086e3 php_cgi!__tmainCRTStartup+0xfd [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 536]
0d 0194f7b0 77b1be99 kernel32!BaseThreadInitThunk+0xe [d:\win8_gdr\base\win32\client\thread.c @ 65]
0e 0194f7f4 77b1be6c ntdll!__RtlUserThreadStart+0x72 [d:\win8_gdr\minkernel\ntdll\rtlstrt.c @ 1024]
0f 0194f80c 00000000 ntdll!_RtlUserThreadStart+0x1b [d:\win8_gdr\minkernel\ntdll\rtlstrt.c @ 939]

0:000> .frame 1
01 0194f044 6bda6ee6 php_opcache!zif_accel_chdir+0x67 [c:\php-sdk\php55\vc11\x86\php-5.5.18\ext\opcache\zendaccelerator.c @ 158]

0:000> dv
                ht = 0n1
      return_value = 0x0cf8e670
  return_value_ptr = 0x00000000
          this_ptr = 0x00000000
 return_value_used = 0n0
               cwd = char [260] "D:\home\site\wwwroot"

0:000> dt php_opcache!accel_globals
   +0x000 function_table           : _hashtable
   +0x028 internal_functions_count : 0n1774
   +0x02c counted                  : 0n0
   +0x030 enabled                  : 0 ''
   +0x031 locked                   : 0 ''
   +0x034 bind_hash                : _hashtable
   +0x060 accel_directives         : _zend_accel_directives
   +0x0b0 cwd                      : 0x01e6e6d0 "--- memory read error at address 0x01e6e6d0 ---"
   +0x0b4 cwd_len                  : 0n20
[end windbg output]

Looks like accel_globals.cwd is pointing at freed memory.

I looked through the existing bugs on Opcache, and I didn't see any that matched this crash. I wanted to check with the internals alias before I opened the bug.

This is 5.5.18 NTS x86.

Thx!
--E.
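The dump above shows a cached directory pointer (cwd 0x01e6e6d0, cwd_len 20) that is still held after the block behind it was released, with the second efree reached from a user shutdown function calling chdir. The following is an added example, not OPcache's code or anything from the report: a minimal model of such a per-request cwd cache (struct and function names are hypothetical) showing the ownership rule, release and null together, that keeps a repeated release or a late chdir from touching freed memory.

```c
/* Added example: a minimal model of a per-request cached working directory,
 * modelled on the cwd/cwd_len pair in the report. Not OPcache's own code;
 * struct and function names are hypothetical. */
#include <stdlib.h>
#include <string.h>

struct cwd_cache {
    char  *cwd;      /* heap copy of the last directory seen, or NULL */
    size_t cwd_len;  /* strlen(cwd), 0 when cwd is NULL */
};

/* Record a new working directory, releasing the previous copy first.
 * Returns 0 on success, -1 if the copy could not be allocated (old state kept). */
int cwd_cache_update(struct cwd_cache *c, const char *path)
{
    size_t len = strlen(path);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, path, len + 1);
    free(c->cwd);            /* free(NULL) is a no-op, so no guard is needed */
    c->cwd = copy;
    c->cwd_len = len;
    return 0;
}

/* Release the cached copy at request end. Nulling the pointer is the point:
 * a later update or a second release then sees NULL instead of a dangling
 * pointer, which is the state the dump shows (readable length, unreadable cwd). */
void cwd_cache_release(struct cwd_cache *c)
{
    free(c->cwd);
    c->cwd = NULL;
    c->cwd_len = 0;
}

/* Scenario from the stack trace: the cache is released once, then a shutdown
 * function changes directory, then the cache is released again.
 * Returns 1 if every step leaves the cache consistent. */
int shutdown_scenario(void)
{
    struct cwd_cache c = { NULL, 0 };
    const char *late = "D:\\home\\site\\wwwroot";         /* constructed: 20 chars, as in the dump */
    if (cwd_cache_update(&c, "D:\\home\\site") != 0)
        return 0;
    cwd_cache_release(&c);                                /* first release (request deactivate) */
    if (cwd_cache_update(&c, late) != 0)                  /* chdir from a shutdown function */
        return 0;
    int ok = c.cwd != NULL && c.cwd_len == 20 && strcmp(c.cwd, late) == 0;
    cwd_cache_release(&c);                                /* second release: free(NULL), no double free */
    return ok && c.cwd == NULL && c.cwd_len == 0;
}
```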