Segmentation fault, probably on string operation #18611

tobihille opened this issue May 21, 2025 · 9 comments
Open


tobihille commented May 21, 2025

Description

Hi,

when running a lengthy process I encounter an issue in PHP 8.3.21.
I can confirm that in PHP 8.3.19 (with ddev 1.24.4) everything was fine.

As the process takes time (roughly one hour until it crashes) I sadly can not exactly pinpoint the location of the issue in my PHP-Code.
To hopefully make up for that I investigated the issue with gdb, I hope this can help you find out what is happening.

This is the backtrace I got:

thille@shop-web:/var/www/html$ gdb --args php shell/integernet-solr.php -reindex -stores 1 -types all -emptyindex
GNU gdb (Debian 13.1-3) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from php...
Reading symbols from /usr/lib/debug/.build-id/fa/09641e6ffcc22ab1527a6ab25e5188ce46c6df.debug...
(gdb) run
Starting program: /usr/bin/php shell/integernet-solr.php -reindex -stores 1 -types all -emptyindex
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Detaching after vfork from child process 3878]

Program received signal SIGSEGV, Segmentation fault.
zend_mm_alloc_small (bin_num=3, heap=0x722bcc600040) at ./Zend/zend_alloc.c:1312
1312    ./Zend/zend_alloc.c: No such file or directory.
(gdb) bt
#0  zend_mm_alloc_small (bin_num=3, heap=0x722bcc600040) at ./Zend/zend_alloc.c:1312
#1  zend_mm_alloc_heap (size=<optimized out>, heap=0x722bcc600040) at ./Zend/zend_alloc.c:1383
#2  _emalloc (size=<optimized out>) at ./Zend/zend_alloc.c:2613
#3  0x00005aebb50c061e in zend_string_alloc (persistent=false, len=<optimized out>) at ./Zend/zend_string.h:174
#4  zend_string_init (persistent=false, len=<optimized out>, str=0x4107986b "Store") at ./Zend/zend_string.h:196
#5  zend_string_init_fast (len=<optimized out>, str=0x4107986b "Store") at ./Zend/zend_string.h:206
#6  zif_substr (execute_data=0x722bcc615270, return_value=0x722bcc6151a0) at ./ext/standard/string.c:2086
#7  0x00005aebb51d364d in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at ./Zend/zend_vm_execute.h:1337
#8  execute_ex (ex=0x15cd2420) at ./Zend/zend_vm_execute.h:57246
#9  0x00005aebb51d86c5 in zend_execute (op_array=0x722bcc68e000, return_value=0x0) at ./Zend/zend_vm_execute.h:61634
#10 0x00005aebb5164118 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at ./Zend/zend.c:1895
#11 0x00005aebb50f82ee in php_execute_script (primary_file=primary_file@entry=0x7ffdf2dcda00) at ./main/main.c:2529
#12 0x00005aebb52507dd in do_cli (argc=8, argv=0x5aebc82129f0) at ./sapi/cli/php_cli.c:966
#13 0x00005aebb4f85b77 in main (argc=8, argv=0x5aebc82129f0) at ./sapi/cli/php_cli.c:1341
(gdb)

I don't know if this is relevant but I'm using PHP inside of ddev (https://github.com/ddev/ddev). The used version there is 1.24.6.

To be able to provide a (hopefully) meaningful stack I altered the provided ddev container with this command: sudo apt install gdb php8.3-cli-dbgsym

I am by no means an expert in debugging C or running something with GDB so if I missed something and you need further information please let me know.

Sadly the code I'm using is not open source so I do not feel comfortable providing any code examples here (in addition to it being a time consuming process to even provide this information). But in essence what is running is a modified version of OpenMage (https://github.com/OpenMage/magento-lts/tree/v21.0.0-beta2) together with a modified commercial version of the Integernet Solr Module (https://github.com/integer-net/solr-magento1). Would it be helpful to try triggering the issue with this open source setup?

PHP Version

PHP 8.3.21 (cli) (built: May  9 2025 06:38:45) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.21, Copyright (c) Zend Technologies
    with Zend OPcache v8.3.21, Copyright (c), by Zend Technologies

Operating System

Debian GNU/Linux 12 (bookworm) in ddev

@devnexen
Member

Hi @tobihille what would be your list of enabled modules ? i.e. php -m

@tobihille
Author

Oh sorry, I missed that. This is the list:

thille@shop-web:/var/www/html$ php -m
[PHP Modules]
apcu
bcmath
bz2
calendar
Core
ctype
curl
date
dom
exif
FFI
fileinfo
filter
ftp
gd
gettext
hash
http
iconv
igbinary
imagick
intl
json
ldap
libxml
mbstring
memcached
msgpack
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_pgsql
pdo_sqlite
pgsql
Phar
posix
random
raphf
readline
redis
Reflection
session
shmop
SimpleXML
soap
sockets
sodium
SPL
sqlite3
standard
sysvmsg
sysvsem
sysvshm
tokenizer
uploadprogress
xml
xmlreader
xmlrpc
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache


@devnexen
Member

Thanks ! it would be nice to try to disable non builtin php extensions (aka PECL) e.g. igbinary, raphf, redis, ... and see if it has the same effect.

@tobihille
Author

I will try and report back. But to manage the expectation: I will probably not finish today with this, I first will need to figure out how to remove them in ddev and then trigger the process and see if it still works.

@devnexen
Member

Take your time no worries :) Cheers.

@tobihille
Author

Hi. I managed to get rid of many extensions while also keeping the process running, sadly it still crashes.
This is the current stack on crash:

thille@shop-web:/var/www/html$ gdb --args php shell/integernet-solr.php -reindex -stores 1 -types all -emptyindex
GNU gdb (Debian 13.1-3) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from php...
Reading symbols from /usr/lib/debug/.build-id/fa/09641e6ffcc22ab1527a6ab25e5188ce46c6df.debug...
(gdb) run
Starting program: /usr/bin/php shell/integernet-solr.php -reindex -stores 1 -types all -emptyindex
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
PHP Warning:  PHP Startup: Unable to load dynamic library 'xsl.so' (tried: /usr/lib/php/20230831/xsl.so (/usr/lib/php/20230831/xsl.so: undefined symbol: dom_node_class_entry), /usr/lib/php/20230831/xsl.so.so (/usr/lib/php/20230831/xsl.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0

Warning: PHP Startup: Unable to load dynamic library 'xsl.so' (tried: /usr/lib/php/20230831/xsl.so (/usr/lib/php/20230831/xsl.so: undefined symbol: dom_node_class_entry), /usr/lib/php/20230831/xsl.so.so (/usr/lib/php/20230831/xsl.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
[Detaching after vfork from child process 3546]
PHP Warning:  PHP Startup: Unable to load dynamic library 'xsl.so' (tried: /usr/lib/php/20230831/xsl.so (/usr/lib/php/20230831/xsl.so: undefined symbol: dom_node_class_entry), /usr/lib/php/20230831/xsl.so.so (/usr/lib/php/20230831/xsl.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0

Program received signal SIGSEGV, Segmentation fault.
zend_mm_alloc_small (bin_num=3, heap=0x7f4252400040) at ./Zend/zend_alloc.c:1312
1312    ./Zend/zend_alloc.c: No such file or directory.
(gdb) bt
#0  zend_mm_alloc_small (bin_num=3, heap=0x7f4252400040) at ./Zend/zend_alloc.c:1312
#1  zend_mm_alloc_heap (size=<optimized out>, heap=0x7f4252400040) at ./Zend/zend_alloc.c:1383
#2  _emalloc (size=<optimized out>) at ./Zend/zend_alloc.c:2613
#3  0x00005c44da0c361e in zend_string_alloc (persistent=false, len=<optimized out>) at ./Zend/zend_string.h:174
#4  zend_string_init (persistent=false, len=<optimized out>, str=0x413fc75b "Store") at ./Zend/zend_string.h:196
#5  zend_string_init_fast (len=<optimized out>, str=0x413fc75b "Store") at ./Zend/zend_string.h:206
#6  zif_substr (execute_data=0x7f4252415270, return_value=0x7f42524151a0) at ./ext/standard/string.c:2086
#7  0x00005c44da1d664d in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at ./Zend/zend_vm_execute.h:1337
#8  execute_ex (ex=0x15cbe9a0) at ./Zend/zend_vm_execute.h:57246
#9  0x00005c44da1db6c5 in zend_execute (op_array=0x7f425248e000, return_value=0x0) at ./Zend/zend_vm_execute.h:61634
#10 0x00005c44da167118 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at ./Zend/zend.c:1895
#11 0x00005c44da0fb2ee in php_execute_script (primary_file=primary_file@entry=0x7ffc9fcd3ce0) at ./main/main.c:2529
#12 0x00005c44da2537dd in do_cli (argc=8, argv=0x5c45129419f0) at ./sapi/cli/php_cli.c:966
#13 0x00005c44d9f88b77 in main (argc=8, argv=0x5c45129419f0) at ./sapi/cli/php_cli.c:1341
(gdb)

I hope the message about xsl.so is not relevant, I removed the modules a bit sloppy but I got no further error messages as you can see 😅

and php -m outputs now these modules:

[PHP Modules]
bcmath
calendar
Core
ctype
curl
date
fileinfo
filter
ftp
gd
hash
iconv
intl
json
libxml
mbstring
msgpack
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_pgsql
pdo_sqlite
posix
random
Reflection
session
SimpleXML
sockets
sodium
SPL
standard
tokenizer
xml
xmlrpc
xmlwriter
Zend OPcache
zlib

[Zend Modules]
Zend OPcache

I tried to follow this page when deciding what to remove while also keeping in mind what is necessary to let the process in the shop still run:
https://www.php.net/manual/en/extensions.membership.php
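
Added example (not part of the thread and not code from the PHP project): the two backtraces above differ only in addresses and pointer values, which change from run to run. This Python sketch reduces each to function plus file:line frames so both crashes can be compared as one signature, and reports the innermost PHP internal function (their C symbols are prefixed `zif_`); the helper names are illustrative.

```python
import re

# One gdb "bt" frame: "#N  [0xADDR in ]func (args) at file:line"
FRAME_RE = re.compile(
    r"^#\d+\s+(?:0x[0-9a-f]+ in )?(?P<func>[\w:~<>]+) \(.*\) at (?P<loc>\S+:\d+)$"
)

def parse_frames(bt_text):
    """Return [(function, file:line)], dropping addresses and argument values."""
    frames = []
    for line in bt_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m.group("func"), m.group("loc")))
    return frames

def signature(bt_text, depth=7):
    """Top `depth` frames as a hashable crash signature."""
    return tuple(parse_frames(bt_text)[:depth])

def first_php_function(bt_text):
    """Innermost PHP internal function in the stack (C symbol zif_<name>)."""
    for func, _ in parse_frames(bt_text):
        if func.startswith("zif_"):
            return func[4:]
    return None

# Frames #0-#6 copied from the two backtraces in this thread.
BT_FIRST = """#0  zend_mm_alloc_small (bin_num=3, heap=0x722bcc600040) at ./Zend/zend_alloc.c:1312
#1  zend_mm_alloc_heap (size=<optimized out>, heap=0x722bcc600040) at ./Zend/zend_alloc.c:1383
#2  _emalloc (size=<optimized out>) at ./Zend/zend_alloc.c:2613
#3  0x00005aebb50c061e in zend_string_alloc (persistent=false, len=<optimized out>) at ./Zend/zend_string.h:174
#4  zend_string_init (persistent=false, len=<optimized out>, str=0x4107986b "Store") at ./Zend/zend_string.h:196
#5  zend_string_init_fast (len=<optimized out>, str=0x4107986b "Store") at ./Zend/zend_string.h:206
#6  zif_substr (execute_data=0x722bcc615270, return_value=0x722bcc6151a0) at ./ext/standard/string.c:2086"""
BT_SECOND = """#0  zend_mm_alloc_small (bin_num=3, heap=0x7f4252400040) at ./Zend/zend_alloc.c:1312
#1  zend_mm_alloc_heap (size=<optimized out>, heap=0x7f4252400040) at ./Zend/zend_alloc.c:1383
#2  _emalloc (size=<optimized out>) at ./Zend/zend_alloc.c:2613
#3  0x00005c44da0c361e in zend_string_alloc (persistent=false, len=<optimized out>) at ./Zend/zend_string.h:174
#4  zend_string_init (persistent=false, len=<optimized out>, str=0x413fc75b "Store") at ./Zend/zend_string.h:196
#5  zend_string_init_fast (len=<optimized out>, str=0x413fc75b "Store") at ./Zend/zend_string.h:206
#6  zif_substr (execute_data=0x7f4252415270, return_value=0x7f42524151a0) at ./ext/standard/string.c:2086"""

if __name__ == "__main__":
    print(signature(BT_FIRST) == signature(BT_SECOND), first_php_function(BT_SECOND))
```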

@devnexen
Member

devnexen commented May 22, 2025

Ok, would it be possible to have a reproducer ? If you can't share the actual code fine but we would need at least a code triggering the same cause (seems using substr, possibly pointing out of the bounds of the inputs, but we'll see).

@tobihille
Author

I understand and will take a look but I can't promise anything currently, sorry 😢

I will enable xdebug (disabled it in the first place to reduce the time the process takes) and litter the code with breakpoints where string operations take place and try to step through until it fails but this might take quite some time.

I will report back if either I find something and can provide a minimal case or my time ran out (I'm working in a company context).

@devnexen
Member

Thanks for your help ! Looking forward to it.
