Segmentation Fault - Null Pointer #2157
Description
What happened? How did it happen?
I originally noticed this issue in production as a rare, intermittent segmentation fault that would occur roughly once every few weeks. It almost always coincided with bursts of traffic from AI-related bots aggressively scanning the website (large numbers of concurrent requests and JavaScript/Livewire-heavy responses).
In production, the FrankenPHP process would usually restart and recover within the same minute. Because the issue was infrequent and partially mitigated by blocking traffic at the WAF level, I did not initially investigate it further.
More recently, while ramping up activity for the business, I was able to reliably reproduce the crash by running an SEO spider with JavaScript rendering enabled against the development environment. This produces sustained concurrent requests and large HTML responses, closely resembling the traffic pattern that previously triggered the sporadic production crashes.
Under these conditions, FrankenPHP consistently segfaults after a consistent period of sustained load.
The application is running Laravel with Octane on FrankenPHP.
I have removed Sentry and OTLP
Crash details
The crash occurs in a PHP worker thread (php-2) with the following signature:
- Segmentation fault in
memcpy(dest=0x0, ...) - Called from
zend_stack_push() - Triggered during PHP output handling / output buffering
This stack trace was captured using the latest FrankenPHP debug build (v1.11.1).
Observed state at crash time
At the point of failure, the Zend output handler stack appears to be partially initialized but invalid:
stack->size = 8stack->max = 16stack->top = 0stack->elements = NULL
This results in zend_stack_push() attempting to write to a NULL buffer, leading directly to the segmentation fault.
Additional observations
- The crash frequency does not change when adjusting worker count or min/max thread settings.
- The only configuration change that consistently delays the crash is increasing
--max-requests. - Reducing worker/thread counts does not prevent the issue; it only affects how quickly it reproduces under sustained load.
- This segfault looks suspiciously similar to Segmentation fault during runtime #1841
Binary / build information
/var/www/html/frankenphp: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV),
static-pie linked, BuildID[sha1]=d4345b5320add1832b4bb2841a12a128c0d238d1,
with debug_info, not stripped
Build Type
Docker (Debian Trixie)
Worker Mode
Yes
Operating System
GNU/Linux
CPU Architecture
x86_64
PHP configuration
System => Linux 0caf603fcd24 5.15.153.1-microsoft-standard-WSL2 #1 SMP Fri Mar 29 23:14:13 UTC 2024 x86_64
Build Date => Jan 16 2026 23:26:21
Build System => Linux - Docker
Build Provider => https://github.com/docker-library/php
Configure Command => './configure' '--build=x86_64-linux-gnu' '--sysconfdir=/usr/local/etc' '--with-config-file-path=/usr/local/etc/php' '--with-config-file-scan-dir=/usr/local/etc/php/conf.d' '--enable-option-checking=fatal' '--with-mhash' '--with-pic' '--enable-mbstring' '--enable-mysqlnd' '--with-password-argon2' '--with-sodium=shared' '--with-pdo-sqlite=/usr' '--with-sqlite3=/usr' '--with-curl' '--with-iconv' '--with-openssl' '--with-readline' '--with-zlib' '--enable-phpdbg' '--enable-phpdbg-readline' '--with-pear' '--with-libdir=lib/x86_64-linux-gnu' '--enable-embed' '--enable-zts' '--disable-zend-signals' 'build_alias=x86_64-linux-gnu'
Server API => Command Line Interface
Virtual Directory Support => enabled
Configuration File (php.ini) Path => /usr/local/etc/php
Loaded Configuration File => /usr/local/etc/php/php.ini
Scan this dir for additional .ini files => /usr/local/etc/php/conf.d
Additional .ini files parsed => /usr/local/etc/php/conf.d/99-octane.ini,
/usr/local/etc/php/conf.d/docker-php-ext-bcmath.ini,
/usr/local/etc/php/conf.d/docker-php-ext-bz2.ini,
/usr/local/etc/php/conf.d/docker-php-ext-exif.ini,
/usr/local/etc/php/conf.d/docker-php-ext-gd.ini,
/usr/local/etc/php/conf.d/docker-php-ext-gmp.ini,
/usr/local/etc/php/conf.d/docker-php-ext-igbinary.ini,
/usr/local/etc/php/conf.d/docker-php-ext-imagick.ini,
/usr/local/etc/php/conf.d/docker-php-ext-intl.ini,
/usr/local/etc/php/conf.d/docker-php-ext-ldap.ini,
/usr/local/etc/php/conf.d/docker-php-ext-opcache.ini,
/usr/local/etc/php/conf.d/docker-php-ext-pcntl.ini,
/usr/local/etc/php/conf.d/docker-php-ext-pdo_mysql.ini,
/usr/local/etc/php/conf.d/docker-php-ext-pdo_pgsql.ini,
/usr/local/etc/php/conf.d/docker-php-ext-pgsql.ini,
/usr/local/etc/php/conf.d/docker-php-ext-protobuf.ini,
/usr/local/etc/php/conf.d/docker-php-ext-rdkafka.ini,
/usr/local/etc/php/conf.d/docker-php-ext-redis.ini,
/usr/local/etc/php/conf.d/docker-php-ext-sockets.ini,
/usr/local/etc/php/conf.d/docker-php-ext-sodium.ini,
/usr/local/etc/php/conf.d/docker-php-ext-uv.ini,
/usr/local/etc/php/conf.d/docker-php-ext-vips.ini,
/usr/local/etc/php/conf.d/docker-php-ext-zip.ini,
/usr/local/etc/php/conf.d/xx-php-ext-memcached.ini
PHP API => 20230831
PHP Extension => 20230831
Zend Extension => 420230831
Zend Extension Build => API420230831,TS
PHP Extension Build => API20230831,TS
Debug Build => no
Thread Safety => enabled
Thread API => POSIX Threads
Zend Signal Handling => disabled
Zend Memory Manager => enabled
Zend Multibyte Support => provided by mbstring
Zend Max Execution Timers => enabled
IPv6 Support => enabled
DTrace Support => disabledRelevant log output
#0 0x00007f81e4d32173 in memcpy (dest=0x0, src=<optimized out>, n=8) at src/string/memcpy.c:33
#1 0x00007f81e228e986 in zend_stack_push (stack=0x7f819727db10, element=0x7f81976e8f48)
at /go/src/app/dist/static-php-cli/source/php-src/Zend/zend_stack.c:40
#2 0x00007f81e1f79fb6 in php_output_handler_start (handler=0x7f8190df8fa0) at /go/src/app/dist/static-php-cli/source/php-src/main/output.c:557
#3 0x00007f81e1f796df in php_output_start_user (output_handler=0x0, chunk_size=0, flags=112)
at /go/src/app/dist/static-php-cli/source/php-src/main/output.c:441
#4 0x00007f81e1f7c9df in zif_ob_start (execute_data=0x7f8196a149e0, return_value=0x7f81976ecbc0)
at /go/src/app/dist/static-php-cli/source/php-src/main/output.c:1318
#5 0x00007f81e2193d29 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER ()
at /go/src/app/dist/static-php-cli/source/php-src/Zend/zend_vm_execute.h:1584
#6 execute_ex (ex=0x7f8196a14020) at /go/src/app/dist/static-php-cli/source/php-src/Zend/zend_vm_execute.h:58917
#7 0x00007f81e2052ea7 in zend_call_function (fci=0x7f81976ed140, fci_cache=0x7f81976ed070)
at /go/src/app/dist/static-php-cli/source/php-src/Zend/zend_execute_API.c:998
#8 0x00007f81e2051203 in _call_user_function_impl (object=0x0, function_name=0x7f81976ed220, retval_ptr=0x7f81976ed230, param_count=1,
params=0x7f81976ed240, named_params=0x0) at /go/src/app/dist/static-php-cli/source/php-src/Zend/zend_execute_API.c:790
#9 0x00007f81e22aaa21 in zend_user_exception_handler () at /go/src/app/dist/static-php-cli/source/php-src/Zend/zend.c:1905
#10 0x00007f81e22aae01 in zend_execute_script (type=8, retval=0x0, file_handle=0x7f81976ef620)
at /go/src/app/dist/static-php-cli/source/php-src/Zend/zend.c:1938
#11 0x00007f81e1f776cc in php_execute_script_ex (primary_file=0x7f81976ef620, retval=0x0)
at /go/src/app/dist/static-php-cli/source/php-src/main/main.c:2593
#12 0x00007f81e1f77927 in php_execute_script (primary_file=0x7f81976ef620) at /go/src/app/dist/static-php-cli/source/php-src/main/main.c:2633
#13 0x00007f81e1f1f2b1 in frankenphp_execute_script (file_name=0xc00005a720 "//js/filament/notifications/notifications.js") at frankenphp.c:1079
#14 0x00007f81e1f1f358 in php_thread (arg=<optimized out>) at frankenphp.c:948
#15 0x00007f81e4d34958 in start (p=<optimized out>) at src/thread/pthread_create.c:207
#16 0x00007f81e4d361c2 in __clone () at src/thread/x86_64/clone.s:22