Crashes in zend_accel_inheritance_cache_find since upgrading to 8.1.3 due to corrupt on-disk file cache #8143

Closed
mbiebl opened this issue Feb 23, 2022 · 26 comments

Comments

@mbiebl

mbiebl commented Feb 23, 2022

Description

I don't have a minimal reproducer for this but an application which is based on sabre/dav running on Windows Server 2016 using IIS.

Since upgrading from 8.1.2 to 8.1.3 I get frequent 500 errors.
In the event log I find

Log Name:      Application
Source:        Application Error
Date:          23.02.2022 11:26:34
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      PSDEVMB.test.example.com
Description:
Faulting application name: php-cgi.exe, version: 8.1.3.0, time stamp: 0x62160b66
Faulting module name: php_opcache.dll, version: 8.1.3.0, time stamp: 0x62160b62
Exception code: 0xc0000005
Fault offset: 0x00000000000043a3
Faulting process id: 0xfd0
Faulting application start time: 0x01d8289fd314a2a7
Faulting application path: C:\Program Files\PHP\v8.1\php-cgi.exe
Faulting module path: C:\Program Files\PHP\v8.1\ext\php_opcache.dll
Report Id: f5dc9377-9cfc-46be-ad05-5ad40b0fafe7
Faulting package full name: 
Faulting package-relative application ID: 
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2022-02-23T10:26:34.226734200Z" />
    <EventRecordID>44517</EventRecordID>
    <Channel>Application</Channel>
    <Computer>PSDEVMB.test.example.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>php-cgi.exe</Data>
    <Data>8.1.3.0</Data>
    <Data>62160b66</Data>
    <Data>php_opcache.dll</Data>
    <Data>8.1.3.0</Data>
    <Data>62160b62</Data>
    <Data>c0000005</Data>
    <Data>00000000000043a3</Data>
    <Data>fd0</Data>
    <Data>01d8289fd314a2a7</Data>
    <Data>C:\Program Files\PHP\v8.1\php-cgi.exe</Data>
    <Data>C:\Program Files\PHP\v8.1\ext\php_opcache.dll</Data>
    <Data>f5dc9377-9cfc-46be-ad05-5ad40b0fafe7</Data>
    <Data>
    </Data>
    <Data>
    </Data>
  </EventData>
</Event>

The relevant opcache configuration from php.ini:

[opcache]
zend_extension=php_opcache.dll
opcache.enable_cli=1
opcache.enable=1
opcache.enable_file_override=1
opcache.file_cache="C:\Windows\temp\"
opcache.file_cache_fallback=1

I ran a git bisect since 8.1.2 was working fine.
The first faulty commit is 78fd573

Attaching a debugger to a running php-cgi.exe process, I see

Exception thrown at 0x00007FF992294F38 in php-cgi.exe: Microsoft C++ exception: std::out_of_range at memory location 0x00000013415FB250.
Exception thrown at 0x00007FF992294F38 in php-cgi.exe: Microsoft C++ exception: std::out_of_range at memory location 0x00000013415FB250.
Exception thrown at 0x00007FF992294F38 in php-cgi.exe: Microsoft C++ exception: std::out_of_range at memory location 0x00000013415FB250.
Exception thrown at 0x00007FF992294F38 in php-cgi.exe: Microsoft C++ exception: std::out_of_range at memory location 0x00000013415FB250.
Exception thrown at 0x00007FF956D743A3 (php_opcache.dll) in php-cgi.exe: 0xC0000005: Access violation reading location 0x0000015600000012.

PHP Version

PHP 8.1.3

Operating System

Windows Server 2016 / IIS

@mbiebl
Author

mbiebl commented Feb 23, 2022

Disabling the PHP opcache file_cache by commenting out the line

;opcache.file_cache="C:\Windows\temp\"

seems to avoid the issue.

@cmb69
Contributor

cmb69 commented Feb 23, 2022

The first faulty commit is 78fd573

That's somewhat unlikely, since that commit only changed some version numbers (it can be tricky to use git bisect, if the file cache is enabled). Anyhow, please provide a stack backtrace.

@mbiebl
Author

mbiebl commented Feb 23, 2022

That's somewhat unlikely, since that commit only changed some version numbers

Correct, but it's reproducible. I'm also puzzled by that. I was wondering if the build system uses different flags when built with a -dev version?

@cmb69
Contributor

cmb69 commented Feb 23, 2022

I was wondering if the build system uses different flags when built with a -dev version?

Ah, a -dev version produces a different zend_system_id, so that uses different OPcache SHM and file cache.

Anyhow, please provide a stack backtrace. :)

@mbiebl
Author

mbiebl commented Feb 23, 2022

[Inline Frame] php_opcache.dll!zend_accel_inheritance_cache_find(_zend_inheritance_cache_entry * entry, _zend_class_entry *) Line 2252
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\ext\opcache\ZendAccelerator.c(2252)
php_opcache.dll!zend_accel_inheritance_cache_get(_zend_class_entry * ce, _zend_class_entry * parent, _zend_class_entry * * traits_and_interfaces) Line 2293
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\ext\opcache\ZendAccelerator.c(2293)
php8.dll!zend_do_link_class(_zend_class_entry * ce, _zend_string * lc_parent_name, _zend_string * key) Line 2781
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_inheritance.c(2781)
php8.dll!zend_bind_class_in_slot(_zval_struct * class_table_slot, _zval_struct * lcname, _zend_string * lc_parent_name) Line 1132
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_compile.c(1132)
php8.dll!do_bind_class(_zval_struct * lcname, _zend_string * lc_parent_name) Line 1165
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_compile.c(1165)
php8.dll!ZEND_DECLARE_CLASS_SPEC_CONST_HANDLER(_zend_execute_data * execute_data) Line 5320
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_vm_execute.h(5320)
php8.dll!execute_ex(_zend_execute_data * ex) Line 55210
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_vm_execute.h(55210)
php8.dll!zend_call_function(_zend_fcall_info * fci, _zend_fcall_info_cache * fci_cache) Line 897
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_execute_API.c(897)
php8.dll!zend_call_known_function(_zend_function * fn, _zend_object * object, _zend_class_entry * called_scope, _zval_struct * retval_ptr, unsigned int param_count, _zval_struct * params, _zend_array * named_params) Line 986
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_execute_API.c(986)
php8.dll!spl_perform_autoload(_zend_string * class_name, _zend_string * lc_name) Line 434
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\ext\spl\php_spl.c(434)
php8.dll!zend_lookup_class_ex(_zend_string * name, _zend_string * key, unsigned int flags) Line 1129
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_execute_API.c(1129)
php8.dll!zend_fetch_class_by_name(_zend_string * class_name, _zend_string * key, int fetch_type) Line 1590
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_execute_API.c(1590)
php8.dll!zend_do_link_class(_zend_class_entry * ce, _zend_string * lc_parent_name, _zend_string * key) Line 2758
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_inheritance.c(2758)
php8.dll!zend_bind_class_in_slot(_zval_struct * class_table_slot, _zval_struct * lcname, _zend_string * lc_parent_name) Line 1132
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_compile.c(1132)
php8.dll!do_bind_class(_zval_struct * lcname, _zend_string * lc_parent_name) Line 1165
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_compile.c(1165)
php8.dll!ZEND_DECLARE_CLASS_SPEC_CONST_HANDLER(_zend_execute_data * execute_data) Line 5320
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_vm_execute.h(5320)
php8.dll!execute_ex(_zend_execute_data * ex) Line 55210
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_vm_execute.h(55210)
php8.dll!zend_call_function(_zend_fcall_info * fci, _zend_fcall_info_cache * fci_cache) Line 897
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_execute_API.c(897)
php8.dll!zend_call_known_function(_zend_function * fn, _zend_object * object, _zend_class_entry * called_scope, _zval_struct * retval_ptr, unsigned int param_count, _zval_struct * params, _zend_array * named_params) Line 986
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_execute_API.c(986)
php8.dll!spl_perform_autoload(_zend_string * class_name, _zend_string * lc_name) Line 434
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\ext\spl\php_spl.c(434)
php8.dll!zend_lookup_class_ex(_zend_string * name, _zend_string * key, unsigned int flags) Line 1129
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_execute_API.c(1129)
php8.dll!zend_fetch_class_by_name(_zend_string * class_name, _zend_string * key, int fetch_type) Line 1590
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_execute_API.c(1590)
php8.dll!zend_do_link_class(_zend_class_entry * ce, _zend_string * lc_parent_name, _zend_string * key) Line 2713
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_inheritance.c(2713)
php8.dll!zend_bind_class_in_slot(_zval_struct * class_table_slot, _zval_struct * lcname, _zend_string * lc_parent_name) Line 1132
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_compile.c(1132)
php8.dll!ZEND_DECLARE_CLASS_DELAYED_SPEC_CONST_CONST_HANDLER(_zend_execute_data * execute_data) Line 7381
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_vm_execute.h(7381)
php8.dll!execute_ex(_zend_execute_data * ex) Line 55210
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_vm_execute.h(55210)
php8.dll!zend_call_function(_zend_fcall_info * fci, _zend_fcall_info_cache * fci_cache) Line 897
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_execute_API.c(897)
php8.dll!zend_call_known_function(_zend_function * fn, _zend_object * object, _zend_class_entry * called_scope, _zval_struct * retval_ptr, unsigned int param_count, _zval_struct * params, _zend_array * named_params) Line 986
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_execute_API.c(986)
php8.dll!spl_perform_autoload(_zend_string * class_name, _zend_string * lc_name) Line 434
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\ext\spl\php_spl.c(434)
php8.dll!zend_lookup_class_ex(_zend_string * name, _zend_string * key, unsigned int flags) Line 1129
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_execute_API.c(1129)
php8.dll!zend_fetch_class_by_name(_zend_string * class_name, _zend_string * key, int fetch_type) Line 1590
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_execute_API.c(1590)
php8.dll!ZEND_NEW_SPEC_CONST_UNUSED_HANDLER(_zend_execute_data * execute_data) Line 10147
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_vm_execute.h(10147)
php8.dll!execute_ex(_zend_execute_data * ex) Line 55210
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_vm_execute.h(55210)
php8.dll!zend_execute(_zend_op_array * op_array, _zval_struct * return_value) Line 59773
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend_vm_execute.h(59773)
php8.dll!zend_execute_scripts(int type, _zval_struct * retval, int file_count, ...) Line 1762
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\Zend\zend.c(1762)
php8.dll!php_execute_script(_zend_file_handle * primary_file) Line 2535
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\main\main.c(2535)
php-cgi.exe!main(int argc, char * * argv) Line 2554
	at D:\a\php-ftw\php-ftw\php\vs16\x64\php-8.1.3\sapi\cgi\cgi_main.c(2554)
[External Code]

@cmb69
Contributor

cmb69 commented Feb 23, 2022

Thanks for the stack backtrace! According to that and the PHP version, the segfault occurs on this line:

if (entry->parent != parent) {

Can you please confirm?

If so, that hints at a memory corruption, since entry can't be null there, but apparently entry->parent is not set to valid memory.

@mbiebl
Author

mbiebl commented Feb 23, 2022

Looks like some kind of memory corruption.
[Screenshot from 2022-02-23 14-43-23]

@cmb69
Contributor

cmb69 commented Feb 23, 2022

Indeed! I have no idea, though, where that might have happened.

@mbiebl
Author

mbiebl commented Feb 24, 2022

I did one more experiment: I recompiled 8.1.3 with the following patch

diff --git a/Zend/zend.h b/Zend/zend.h
index e129fb9c81..7f152a8591 100644
--- a/Zend/zend.h
+++ b/Zend/zend.h
@@ -20,7 +20,7 @@
 #ifndef ZEND_H
 #define ZEND_H

-#define ZEND_VERSION "4.1.3"
+#define ZEND_VERSION "4.1.4"

 #define ZEND_ENGINE_3

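Review bot: ZEND_VERSION in Zend/zend.h is bumped in the same patch as the PHP version in configure.ac and main/php_version.h, so a build with this patch cannot show which of these strings matters for the result. Change one identifier per build, or note in the description that all of them are changed together on purpose.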
diff --git a/configure.ac b/configure.ac
index 86721f6b57..b54abe326b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -17,7 +17,7 @@ dnl Basic autoconf initialization, generation of config.nice.
 dnl ----------------------------------------------------------------------------

 AC_PREREQ([2.68])
-AC_INIT([PHP],[8.1.3],[https://bugs.php.net],[php],[https://www.php.net])
+AC_INIT([PHP],[8.1.4],[https://bugs.php.net],[php],[https://www.php.net])
 AC_CONFIG_SRCDIR([main/php_version.h])
 AC_CONFIG_AUX_DIR([build])
 AC_PRESERVE_HELP_ORDER
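Review bot: AC_INIT now labels this test build as 8.1.4, a number that a later real release would also carry. For an experiment whose only purpose is to obtain a different version string, use a value that cannot be mistaken for a release, and say so in the patch description.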
diff --git a/main/php_version.h b/main/php_version.h
index 5748409bf0..d87c013026 100644
--- a/main/php_version.h
+++ b/main/php_version.h
@@ -2,7 +2,7 @@
 /* edit configure.ac to change version number */
 #define PHP_MAJOR_VERSION 8
 #define PHP_MINOR_VERSION 1
-#define PHP_RELEASE_VERSION 3
+#define PHP_RELEASE_VERSION 4
 #define PHP_EXTRA_VERSION ""
-#define PHP_VERSION "8.1.3"
-#define PHP_VERSION_ID 80103
+#define PHP_VERSION "8.1.4"
+#define PHP_VERSION_ID 80104
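Review bot: The context line at the top of this hunk says "edit configure.ac to change version number", yet PHP_RELEASE_VERSION, PHP_VERSION and PHP_VERSION_ID are edited here by hand. Regenerate main/php_version.h from the configure.ac change instead, so that the three values cannot drift from what AC_INIT states.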

No crash happening with this change.
Very odd. Is there some kind of state php stores (on disk) somewhere which is tied to version 8.1.3 which might explain this issue?

@mbiebl
Author

mbiebl commented Feb 24, 2022

I found a directory C:\Windows\Temp\a988dea0ccab6bc2fc34dfff91a65bb9 containing a lot of subdirectories. Each of those dirs contained lots of *.bin files.
After removing that complete directory, the problem is gone. So I guess one of those subdirs confused 8.1.3.
If it helps, I could try to remove those subdirs one by one to find out which one it was.

That said, this still smells like a bug. I don't think the php file opcache should get confused like this and trigger such a memory corruption.

@cmb69
Contributor

cmb69 commented Feb 25, 2022

These folders are the file_cache. There are separate file caches for different PHP versions (and different users, SAPIs, etc.) Obviously, at least one of these caches has been corrupted causing the segfault. And yes, that would be a bug, but it's hard to figure out what is wrong exactly.
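One way to take stock of the per-build cache directories described in the comment above, as an added example that is not part of the thread or of PHP's own code: it walks a file_cache root, groups the .bin files by system id and flags files whose header is truncated or inconsistent. The header layout (8-byte magic `OPCACHE\0` followed by the 32-character system id) and the names `check_bin`, `scan` and `build_sample` are assumptions of this example; a clean header does not show that the rest of the file is intact.

```python
import os
import re
import tempfile
from collections import Counter

# Assumptions (not stated on this page): each .bin file starts with the
# 8-byte magic "OPCACHE\0" followed by the 32-character system id, and the
# file is stored below a directory named after that same system id.
MAGIC = b"OPCACHE\x00"
HEADER_LEN = len(MAGIC) + 32
HEX32 = re.compile(r"[0-9a-f]{32}")


def check_bin(path):
    """Classify one cache file by its header; returns (status, system_id)."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER_LEN)
    if len(head) < HEADER_LEN:
        return "truncated", None
    if not head.startswith(MAGIC):
        return "bad-magic", None
    sid = head[len(MAGIC):].decode("ascii", "replace")
    if not HEX32.fullmatch(sid):
        return "bad-system-id", None
    # A file whose embedded id differs from its directory was copied or
    # written by a different build than the one that will load it.
    if sid not in os.path.normpath(path).split(os.sep):
        return "wrong-directory", sid
    return "ok", sid


def scan(cache_root):
    """Walk cache_root; count files per system id and list suspect files."""
    per_id, suspects = Counter(), []
    for dirpath, _dirs, files in os.walk(cache_root):
        for name in sorted(files):
            if not name.endswith(".bin"):
                continue
            path = os.path.join(dirpath, name)
            status, sid = check_bin(path)
            if status == "ok":
                per_id[sid] += 1
            else:
                suspects.append((os.path.relpath(path, cache_root), status))
    return dict(per_id), sorted(suspects)


def build_sample(root):
    """Create a constructed cache tree: two builds, three damaged files."""
    id_a, id_b = "a" * 32, "b" * 32      # constructed system ids

    def put(sid_dir, name, data):
        d = os.path.join(root, sid_dir, "app")
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)

    body = b"\x00" * 64                  # stand-in for the serialized script
    put(id_a, "index.php.bin", MAGIC + id_a.encode() + body)
    put(id_a, "lib.php.bin", MAGIC + id_a.encode() + body)
    put(id_b, "index.php.bin", MAGIC + id_b.encode() + body)
    put(id_b, "cut.php.bin", MAGIC + id_b.encode()[:10])      # truncated
    put(id_b, "junk.php.bin", b"\x00" * 128)                  # bad magic
    put(id_b, "moved.php.bin", MAGIC + id_a.encode() + body)  # wrong build
    return id_a, id_b


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        counts, suspects = scan(tmp)
        for sid, n in sorted(counts.items()):
            print(f"{sid}: {n} file(s) with a consistent header")
        for rel, status in suspects:
            print(f"SUSPECT {status}: {rel}")
```

Point `scan()` at the directory configured in `opcache.file_cache` while PHP is stopped, so that files are not rewritten during the walk.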

@larsgregersen

I'm researching a similar bug I'm seeing in another program. We see similar crashes on computers that run Symantec Endpoint Protection. Do you have Symantec Endpoint Protection installed?
Disabling Symantec Endpoint Protection doesn't solve the problem for us. A full uninstall is required.

@mbiebl
Author

mbiebl commented Feb 26, 2022

We don't have Symantec Endpoint Protection installed.
On the particular system I encountered this issue, there is only Windows Defender running.

@larsgregersen

larsgregersen commented Feb 26, 2022

Thanks for the fast reply. Then it is not the type of fault I'm trying to track.

@cristicotet

cristicotet commented Mar 2, 2022

This also occurs on CentOS Linux release 7.9.2009 (Core)
Linux vm 3.10.0-1160.59.1.el7.x86_64 # 1 SMP Wed Feb 23 16:47:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
php81-php-fpm-8.1.3-1.el7.remi.x86_64

Core was generated by `php-fpm: pool deploy352                            '.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f640a749387 in __GI_raise (sig=11) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
55        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00007f640a749387 in __GI_raise (sig=11) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007f63f7cf159f in skgesigOSCrash () from /opt/oracle/instantclient_21_4/libclntsh.so.21.1
#2  0x00007f63f83e5e8d in kpeDbgSignalHandler () from /opt/oracle/instantclient_21_4/libclntsh.so.21.1
#3  0x00007f63f7cf1882 in skgesig_sigactionHandler () from /opt/oracle/instantclient_21_4/libclntsh.so.21.1
#4  <signal handler called>
#5  zend_accel_inheritance_cache_find (needs_autoload_ptr=<optimized out>, traits_and_interfaces=<optimized out>, parent=<optimized out>, ce=<optimized out>, entry=0x7fdd28f8e890)
    at /usr/src/debug/php-8.1.3/ext/opcache/ZendAccelerator.c:2252
#6  zend_accel_inheritance_cache_get () at /usr/src/debug/php-8.1.3/ext/opcache/ZendAccelerator.c:2293
#7  0x0000559c707542d6 in zend_try_early_bind () at /usr/src/debug/php-8.1.3/Zend/zend_inheritance.c:3007
#8  0x0000559c7069af53 in zend_do_delayed_early_binding (op_array=op_array@entry=0x7f6408202400, first_early_binding_opline=<optimized out>) at /usr/src/debug/php-8.1.3/Zend/zend_compile.c:1380
#9  0x00007f640d373714 in zend_accel_load_script () at /usr/src/debug/php-8.1.3/ext/opcache/zend_accelerator_util_funcs.c:255
#10 0x00007f640d2f79bb in xdebug_compile_file (file_handle=<optimized out>, type=<optimized out>) at /usr/src/debug/php81-php-pecl-xdebug3-3.1.3/NTS/src/base/base.c:83
#11 0x0000559c70682bb9 in compile_filename (type=type@entry=2, filename=filename@entry=0x7f6408277300) at /usr/src/debug/php-8.1.3/Zend/zend_language_scanner.c:707
#12 0x0000559c706f260a in zend_include_or_eval (inc_filename_zv=<optimized out>, type=2) at /usr/src/debug/php-8.1.3/Zend/zend_execute.c:4617
#13 0x0000559c706ff92a in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:38537
#14 0x0000559c707250b3 in execute_ex () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:55516
#15 0x00007f640d2f91c2 in xdebug_execute_ex () at /usr/src/debug/php81-php-pecl-xdebug3-3.1.3/NTS/src/base/base.c:779
#16 0x0000559c7072d765 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:1728
#17 execute_ex () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:55432
#18 0x00007f640d2f91c2 in xdebug_execute_ex () at /usr/src/debug/php81-php-pecl-xdebug3-3.1.3/NTS/src/base/base.c:779
#19 0x0000559c706b2354 in zend_call_function () at /usr/src/debug/php-8.1.3/Zend/zend_execute_API.c:896
#20 0x0000559c706b2745 in zend_call_known_function () at /usr/src/debug/php-8.1.3/Zend/zend_execute_API.c:985
#21 0x0000559c705b8400 in spl_perform_autoload (class_name=0x7f63b3d51860, lc_name=0x7f6408258370) at /usr/src/debug/php-8.1.3/ext/spl/php_spl.c:433
#22 0x0000559c706b162c in zend_lookup_class_ex (name=<optimized out>, key=key@entry=0x0, flags=<optimized out>) at /usr/src/debug/php-8.1.3/Zend/zend_execute_API.c:1129
#23 0x0000559c706d8262 in zif_class_alias () at /usr/src/debug/php-8.1.3/Zend/zend_builtin_functions.c:1068
#24 0x00007f640d2f9a5d in xdebug_execute_internal () at /usr/src/debug/php81-php-pecl-xdebug3-3.1.3/NTS/src/base/base.c:897
#25 0x0000559c7072a93c in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:1763
#26 execute_ex () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:55432
#27 0x00007f640d2f91c2 in xdebug_execute_ex () at /usr/src/debug/php81-php-pecl-xdebug3-3.1.3/NTS/src/base/base.c:779
#28 0x0000559c706ffba4 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:38579
#29 0x0000559c707250b3 in execute_ex () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:55516
#30 0x00007f640d2f91c2 in xdebug_execute_ex () at /usr/src/debug/php81-php-pecl-xdebug3-3.1.3/NTS/src/base/base.c:779
#31 0x0000559c7072d765 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:1728
#32 execute_ex () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:55432
#33 0x00007f640d2f91c2 in xdebug_execute_ex () at /usr/src/debug/php81-php-pecl-xdebug3-3.1.3/NTS/src/base/base.c:779
#34 0x0000559c7072d0a6 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:1837
#35 execute_ex () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:55436
#36 0x00007f640d2f91c2 in xdebug_execute_ex () at /usr/src/debug/php81-php-pecl-xdebug3-3.1.3/NTS/src/base/base.c:779
#37 0x0000559c706ff7bc in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:14483
#38 0x0000559c707250b3 in execute_ex () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:55516
#39 0x00007f640d2f91c2 in xdebug_execute_ex () at /usr/src/debug/php81-php-pecl-xdebug3-3.1.3/NTS/src/base/base.c:779
#40 0x0000559c706ff7bc in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:14483
#41 0x0000559c707250b3 in execute_ex () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:55516
#42 0x00007f640d2f91c2 in xdebug_execute_ex () at /usr/src/debug/php81-php-pecl-xdebug3-3.1.3/NTS/src/base/base.c:779
#43 0x0000559c7072e1dd in zend_execute (op_array=0x7f6408202000, return_value=0x0) at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:59771
#44 0x0000559c706c0ab0 in zend_execute_scripts () at /usr/src/debug/php-8.1.3/Zend/zend.c:1761
#45 0x0000559c7065c6d1 in php_execute_script () at /usr/src/debug/php-8.1.3/main/main.c:2535
#46 0x0000559c704a9a3d in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/php-8.1.3/sapi/fpm/fpm/fpm_main.c:1914

@cmb69
Contributor

cmb69 commented Mar 2, 2022

@cristicotet, please try without Xdebug.

@cristicotet

It works fine after disabling xdebug.
This only happened on the staging server (where xdebug is enabled) with php 8.1, it's not the first time.
Last time it was resolved by upgrading from a previous minor version 8.1.x to 8.1.3. Probably this also triggered clearing of cached files?!?
Disabling xdebug maybe also triggered clearing of cached files and may occur again? If it does I will come back with a new backtrace.

@cmb69
Contributor

cmb69 commented Mar 2, 2022

Running with and without Xdebug is supposed to use two distinct file caches.

@mbiebl changed the title from "Crashes in php_opcache.dll since upgrading to 8.1.3" to "Crashes in php_opcache.dll since upgrading to 8.1.3 due to corrupt on-disk file cache" on Mar 4, 2022
@cristicotet

cristicotet commented Mar 10, 2022

It happened again with xdebug disabled:

Core was generated by `php-fpm: pool deploy479                            '.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fb99b85c387 in __GI_raise (sig=11) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
55        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00007fb99b85c387 in __GI_raise (sig=11) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007fb988e6259f in skgesigOSCrash () from /opt/oracle/instantclient_21_4/libclntsh.so.21.1
#2  0x00007fb989556e8d in kpeDbgSignalHandler () from /opt/oracle/instantclient_21_4/libclntsh.so.21.1
#3  0x00007fb988e62882 in skgesig_sigactionHandler () from /opt/oracle/instantclient_21_4/libclntsh.so.21.1
#4  <signal handler called>
#5  zend_accel_inheritance_cache_find (needs_autoload_ptr=<optimized out>, traits_and_interfaces=<optimized out>, parent=<optimized out>, ce=<optimized out>, entry=0x7f899d137b20)
    at /usr/src/debug/php-8.1.3/ext/opcache/ZendAccelerator.c:2252
#6  zend_accel_inheritance_cache_get () at /usr/src/debug/php-8.1.3/ext/opcache/ZendAccelerator.c:2293
#7  0x000055e351289e2f in zend_do_link_class () at /usr/src/debug/php-8.1.3/Zend/zend_inheritance.c:2781
#8  0x000055e3511d170e in zend_bind_class_in_slot () at /usr/src/debug/php-8.1.3/Zend/zend_compile.c:1131
#9  0x000055e3511d17d8 in do_bind_class () at /usr/src/debug/php-8.1.3/Zend/zend_compile.c:1164
#10 0x000055e35122a7c5 in ZEND_DECLARE_CLASS_SPEC_CONST_HANDLER () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:5319
#11 0x000055e35125c2fd in execute_ex () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:55843
#12 0x000055e3511e9354 in zend_call_function () at /usr/src/debug/php-8.1.3/Zend/zend_execute_API.c:896
#13 0x000055e3511e9745 in zend_call_known_function () at /usr/src/debug/php-8.1.3/Zend/zend_execute_API.c:985
#14 0x000055e3510ef400 in spl_perform_autoload (class_name=0x7fb944fe82f0, lc_name=0x7fb93ad90a20) at /usr/src/debug/php-8.1.3/ext/spl/php_spl.c:433
#15 0x000055e3511e862c in zend_lookup_class_ex (name=<optimized out>, key=key@entry=0x0, flags=flags@entry=0) at /usr/src/debug/php-8.1.3/Zend/zend_execute_API.c:1129
#16 0x000055e3511e8849 in zend_lookup_class (name=<optimized out>) at /usr/src/debug/php-8.1.3/Zend/zend_execute_API.c:1150
#17 0x000055e35120ee55 in class_exists_impl () at /usr/src/debug/php-8.1.3/Zend/zend_builtin_functions.c:990
#18 0x000055e351262b46 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:1558
#19 execute_ex () at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:55424
#20 0x000055e3512651dd in zend_execute (op_array=0x7fb999402000, return_value=0x0) at /usr/src/debug/php-8.1.3/Zend/zend_vm_execute.h:59771
#21 0x000055e3511f7ab0 in zend_execute_scripts () at /usr/src/debug/php-8.1.3/Zend/zend.c:1761
#22 0x000055e3511936d1 in php_execute_script () at /usr/src/debug/php-8.1.3/main/main.c:2535
#23 0x000055e350fe0a3d in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/php-8.1.3/sapi/fpm/fpm/fpm_main.c:1914

strace

[pid 12862] stat("/home/deploy479/[...]/BackEnd/vendor/doctrine/orm/lib/Doctrine/ORM/Mapping/Annotation.php", {st_mode=S_IFREG|0674, st_size=91, ...}) = 0
[pid 12862] access("/home/deploy479/[...]/BackEnd/vendor/composer/../doctrine/orm/lib/Doctrine/ORM/Mapping/Entity.php", F_OK) = 0
[pid 12862] lstat("/home/deploy479/[...]/BackEnd/vendor/composer/../doctrine/orm/lib/Doctrine/ORM/Mapping/Entity.php", {st_mode=S_IFREG|0674, st_size=804, ...}) = 0
[pid 12862] stat("/home/deploy479/[...]/BackEnd/vendor/doctrine/orm/lib/Doctrine/ORM/Mapping/Entity.php", {st_mode=S_IFREG|0674, st_size=804, ...}) = 0
[pid 12862] access("/home/deploy479/[...]/BackEnd/vendor/composer/../jms/serializer/src/Annotation/ExclusionPolicy.php", F_OK) = 0
[pid 12862] lstat("/home/deploy479/[...]/BackEnd/vendor/composer/../jms/serializer/src/Annotation/ExclusionPolicy.php", {st_mode=S_IFREG|0674, st_size=772, ...}) = 0
[pid 12862] lstat("/home/deploy479/[...]/BackEnd/vendor/composer/../jms/serializer/src/Annotation", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
[pid 12862] lstat("/home/deploy479/[...]/BackEnd/vendor/composer/../jms/serializer/src", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
[pid 12862] lstat("/home/deploy479/[...]/BackEnd/vendor/composer/../jms/serializer", {st_mode=S_IFDIR|0775, st_size=217, ...}) = 0
[pid 12862] stat("/home/deploy479/[...]/BackEnd/vendor/jms/serializer/src/Annotation/ExclusionPolicy.php", {st_mode=S_IFREG|0674, st_size=772, ...}) = 0
[pid 12862] access("/home/deploy479/[...]/BackEnd/vendor/composer/../jms/serializer/src/Annotation/AnnotationUtilsTrait.php", F_OK) = 0
[pid 12862] lstat("/home/deploy479/[...]/BackEnd/vendor/composer/../jms/serializer/src/Annotation/AnnotationUtilsTrait.php", {st_mode=S_IFREG|0674, st_size=1041, ...}) = 0
[pid 12862] stat("/home/deploy479/[...]/BackEnd/vendor/jms/serializer/src/Annotation/AnnotationUtilsTrait.php", {st_mode=S_IFREG|0674, st_size=1041, ...}) = 0
[pid 12862] stat("/home/deploy479/[...]/BackEnd/Modules/Tools/src/Entity/Application.php", {st_mode=S_IFREG|0674, st_size=7390, ...}) = 0
[pid 12862] lstat("/home/deploy479/[...]/BackEnd/var/cache/dev/pools/system/uFgQmc50k8/C/X/FxMwNdFI2pJyRSvX8LRw", {st_mode=S_IFREG|0666, st_size=114, ...}) = 0
[pid 12862] lstat("/home/deploy479/[...]/BackEnd/var/cache/dev/pools/system/uFgQmc50k8/C/X", {st_mode=S_IFDIR|0777, st_size=62, ...}) = 0
[pid 12862] lstat("/home/deploy479/[...]/BackEnd/var/cache/dev/pools/system/uFgQmc50k8/C", {st_mode=S_IFDIR|0777, st_size=294, ...}) = 0
[pid 12862] stat("/home/deploy479/[...]/BackEnd/var/cache/dev/pools/system/uFgQmc50k8/C/X/FxMwNdFI2pJyRSvX8LRw", {st_mode=S_IFREG|0666, st_size=114, ...}) = 0
[pid 12862] lstat("/home/deploy479/[...]/BackEnd/var/cache/dev/pools/system/uFgQmc50k8/R/Q/nZHAakHMEdy5EXprWJhA", {st_mode=S_IFREG|0666, st_size=1118, ...}) = 0
[pid 12862] lstat("/home/deploy479/[...]/BackEnd/var/cache/dev/pools/system/uFgQmc50k8/R/Q", {st_mode=S_IFDIR|0777, st_size=90, ...}) = 0
[pid 12862] lstat("/home/deploy479/[...]/BackEnd/var/cache/dev/pools/system/uFgQmc50k8/R", {st_mode=S_IFDIR|0777, st_size=276, ...}) = 0
[pid 12862] stat("/home/deploy479/[...]/BackEnd/var/cache/dev/pools/system/uFgQmc50k8/R/Q/nZHAakHMEdy5EXprWJhA", {st_mode=S_IFREG|0666, st_size=1118, ...}) = 0
[pid 12862] access("/home/deploy479/[...]/BackEnd/vendor/composer/../doctrine/orm/lib/Doctrine/ORM/Mapping/Column.php", F_OK) = 0
[pid 12862] lstat("/home/deploy479/[...]/BackEnd/vendor/composer/../doctrine/orm/lib/Doctrine/ORM/Mapping/Column.php", {st_mode=S_IFREG|0674, st_size=2579, ...}) = 0
[pid 12862] stat("/home/deploy479/[...]/BackEnd/vendor/doctrine/orm/lib/Doctrine/ORM/Mapping/Column.php", {st_mode=S_IFREG|0674, st_size=2579, ...}) = 0
[pid 12862] access("/home/deploy479/[...]/BackEnd/vendor/composer/../doctrine/orm/lib/Doctrine/ORM/Mapping/Id.php", F_OK) = 0
[pid 12862] lstat("/home/deploy479/[...]/BackEnd/vendor/composer/../doctrine/orm/lib/Doctrine/ORM/Mapping/Id.php", {st_mode=S_IFREG|0674, st_size=210, ...}) = 0
[pid 12862] stat("/home/deploy479/[...]/BackEnd/vendor/doctrine/orm/lib/Doctrine/ORM/Mapping/Id.php", {st_mode=S_IFREG|0674, st_size=210, ...}) = 0
[pid 12862] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7f899d137b30} ---
[pid 12862] rt_sigprocmask(SIG_UNBLOCK, [SEGV], NULL, 8) = 0
[pid 12862] open("/proc/self/cmdline", O_RDONLY) = 8
[pid 12862] read(8, "php-fpm: pool deploy479\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 255) = 52
[pid 12862] close(8)                    = 0

@cmb69 changed the title from "Crashes in php_opcache.dll since upgrading to 8.1.3 due to corrupt on-disk file cache" to "Crashes in zend_accel_inheritance_cache_find since upgrading to 8.1.3 due to corrupt on-disk file cache" on Mar 15, 2022
@mbiebl
Author

mbiebl commented Apr 1, 2022

One more finding how I managed to corrupt the cache:
I was using fiddler https://www.telerik.com/fiddler to debug the php application.
Once I stopped using fiddler, the segfaults started to happen.
So I assume by using fiddler I managed to corrupt / break the opcode cache.

@cristicotet

For version 8.1.6 it happens a lot more often, and it doesn't go away if I clear opcache.

Program terminated with signal 11, Segmentation fault.
#0  0x00007fbf83127387 in __GI_raise (sig=11) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
55        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00007fbf83127387 in __GI_raise (sig=11) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007fbf7071859f in skgesigOSCrash () from /opt/oracle/instantclient_21_4/libclntsh.so.21.1
#2  0x00007fbf70e0ce8d in kpeDbgSignalHandler () from /opt/oracle/instantclient_21_4/libclntsh.so.21.1
#3  0x00007fbf70718882 in skgesig_sigactionHandler () from /opt/oracle/instantclient_21_4/libclntsh.so.21.1
#4  <signal handler called>
#5  zend_accel_inheritance_cache_find (needs_autoload_ptr=<optimized out>, traits_and_interfaces=<optimized out>, parent=<optimized out>, ce=<optimized out>, entry=0x7f1fab550948)
    at /usr/src/debug/php-8.1.6/ext/opcache/ZendAccelerator.c:2254
#6  zend_accel_inheritance_cache_get () at /usr/src/debug/php-8.1.6/ext/opcache/ZendAccelerator.c:2295
#7  0x000055a60a2b54bb in zend_do_link_class () at /usr/src/debug/php-8.1.6/Zend/zend_inheritance.c:2781
#8  0x000055a60a1fc96e in zend_bind_class_in_slot () at /usr/src/debug/php-8.1.6/Zend/zend_compile.c:1131
#9  0x000055a60a1fca38 in do_bind_class () at /usr/src/debug/php-8.1.6/Zend/zend_compile.c:1164
#10 0x000055a60a255ba5 in ZEND_DECLARE_CLASS_SPEC_CONST_HANDLER () at /usr/src/debug/php-8.1.6/Zend/zend_vm_execute.h:5319
#11 0x000055a60a2876fd in execute_ex () at /usr/src/debug/php-8.1.6/Zend/zend_vm_execute.h:56195
#12 0x000055a60a214624 in zend_call_function () at /usr/src/debug/php-8.1.6/Zend/zend_execute_API.c:908
#13 0x000055a60a214a15 in zend_call_known_function () at /usr/src/debug/php-8.1.6/Zend/zend_execute_API.c:997
#14 0x000055a60a11a500 in spl_perform_autoload (class_name=0x7fbf2cb5e220, lc_name=0x7fbf2cb5e260) at /usr/src/debug/php-8.1.6/ext/spl/php_spl.c:433
#15 0x000055a60a2138fc in zend_lookup_class_ex (name=name@entry=0x7fbf2cb5e220, key=0x7fbf2cb5e260, flags=flags@entry=512) at /usr/src/debug/php-8.1.6/Zend/zend_execute_API.c:1141
#16 0x000055a60a214d62 in zend_fetch_class_by_name () at /usr/src/debug/php-8.1.6/Zend/zend_execute_API.c:1601
#17 0x000055a60a25edbf in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /usr/src/debug/php-8.1.6/Zend/zend_vm_execute.h:10147
#18 0x000055a60a2878a4 in execute_ex () at /usr/src/debug/php-8.1.6/Zend/zend_vm_execute.h:56659
#19 0x000055a60a2905dd in zend_execute (op_array=0x7fbf80c02000, return_value=0x0) at /usr/src/debug/php-8.1.6/Zend/zend_vm_execute.h:60123
#20 0x000055a60a222e20 in zend_execute_scripts () at /usr/src/debug/php-8.1.6/Zend/zend.c:1792
#21 0x000055a60a1be8b1 in php_execute_script () at /usr/src/debug/php-8.1.6/main/main.c:2538
#22 0x000055a60a00b80d in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/php-8.1.6/sapi/fpm/fpm/fpm_main.c:1914

@turchanov
Contributor

We also experience crashes due to segmentation fault in zend_accel_inheritance_cache_find in php 8.1.12 (also in 8.1.10, 8.1.8, 8.1.6).
Previous attempts to debug this issue showed that the entry parameter to zend_accel_inheritance_cache_find is valid upon entry to the function, but during iteration over the chain links, a corrupted entry is encountered at some point.

Execution environment

We use php-fpm with opcache and opcache filecache. This bug happens erratically (and thus is very difficult to reproduce) when we deploy a new code release using the following scheme: we pre-warm opcache by referencing files in a new code release (which creates opcache filecache entries), and then we switch the current revision symlink to the new release and do a php-fpm reload (that is, opcache is populated from filecache).
This bug is not specific to a single host; it occurs on a lot of machines (20+ hosts).

     2256
     2257            while (entry) {
     2258                    bool found = 1;
     2259                    bool needs_autoload = 0;
     2260
---> 2261                    if (entry->parent != parent) {  <----
     2262                            found = 0;
     2263                    } else {
     2264                            for (i = 0; i < ce->num_traits + ce->num_interfaces; i++) {
     2265                                    if (entry->traits_and_interfaces[i] != traits_and_interfaces[i]) {
(gdb) bt
#0  zend_accel_inheritance_cache_find (needs_autoload_ptr=<optimized out>, traits_and_interfaces=<optimized out>, parent=<optimized out>,
    ce=<optimized out>, entry=0x695f746e65726170) at /usr/src/debug/php-8.1.12/ext/opcache/ZendAccelerator.c:2261
#1  zend_accel_inheritance_cache_get () at /usr/src/debug/php-8.1.12/ext/opcache/ZendAccelerator.c:2302
#2  0x000000000085cb5f in zend_try_early_bind () at /usr/src/debug/php-8.1.12/Zend/zend_inheritance.c:3021
#3  0x0000000000799f9d in zend_do_delayed_early_binding (op_array=op_array@entry=0x7f83a8823c00,
    first_early_binding_opline=<optimized out>) at /usr/src/debug/php-8.1.12/Zend/zend_compile.c:1381
#4  0x00007f83ba88521b in zend_accel_load_script () at /usr/src/debug/php-8.1.12/ext/opcache/zend_accelerator_util_funcs.c:255
#5  0x000000000077bb78 in compile_filename (type=type@entry=2, filename=filename@entry=0x4279ef78)
    at /usr/src/debug/php-8.1.12/Zend/zend_language_scanner.c:707
#6  0x00000000007f4edb in zend_include_or_eval (inc_filename_zv=<optimized out>, type=2)
    at /usr/src/debug/php-8.1.12/Zend/zend_execute.c:4623
#7  0x000000000080364b in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER () at /usr/src/debug/php-8.1.12/Zend/zend_vm_execute.h:38731
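
A triage helper for the `entry` values in the backtraces above, as an added example that is not part of the original comment or of PHP's own code. It assumes x86-64 with 48-bit virtual addresses; the function names are hypothetical.

```python
import struct

CANONICAL_SHIFT = 47  # assumption: x86-64 with 48-bit virtual addresses


def is_canonical(addr: int) -> bool:
    """Bits 63..47 must be all zeros or all ones to be a valid address."""
    top = addr >> CANONICAL_SHIFT
    return top == 0 or top == (1 << 17) - 1


def as_ascii(addr: int):
    """Return the 8 little-endian bytes as text if all are printable ASCII."""
    raw = struct.pack("<Q", addr)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage(addr: int) -> dict:
    """Classify a 64-bit value found where a pointer was expected."""
    text = as_ascii(addr)
    if text is not None:
        verdict = "string data where a pointer was expected"
    elif not is_canonical(addr):
        verdict = "non-canonical address, not a valid pointer"
    elif addr >> CANONICAL_SHIFT:
        verdict = "kernel-half address, unmapped for user space"
    else:
        verdict = "plausible user-space pointer"
    return {"addr": hex(addr), "canonical": is_canonical(addr),
            "ascii": text, "verdict": verdict}


# The `entry` arguments shown in the two source-level backtraces in this thread.
SAMPLES = {
    "entry, 8.1.12 backtrace": 0x695F746E65726170,
    "entry, 8.1.6 backtrace": 0x7F1FAB550948,
}

if __name__ == "__main__":
    for label, addr in SAMPLES.items():
        print(label, triage(addr))
```

The 8.1.12 value decodes to the ASCII bytes `parent_i`, so the chain link held string data rather than an address, which matches the corrupted-entry observation above. A "plausible" verdict only means the value is well-formed, not that it points at live memory.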

@cristicotet

We also switch to new releases by updating a symlink, maybe this confuses opcache.

After updating the symlink we call opcache_clear() by making a curl API call (to make sure that opcache_clear() is called in the correct context: nginx + php-fpm).

From what I remember, the crash is not happening immediately after deploying new version but much later (even days later).

Currently at version 8.1.12, it happens less often than 8.1.6 (don't know exactly when it started to happen less often).

@GreenReaper

I ran into what seems to be this while upgrading between Debian-compatible builds of 8.1.15 provided by the Sury repository. Clearing out the file cache fixed the segmentation fault, which seems to have arisen on the `entry->parent` line mentioned.

@strngr

strngr commented Apr 20, 2023

Here are the steps to reproduce that work for my php-fpm:

  • put some traffic to the website, for example, with siege: siege -b -c 50 http://endpoint/
  • reload php-fpm: kill -USR2 <PID of php-fpm master process>
  • here are your segfaults:
[20-Apr-2023 18:56:43] NOTICE: Reloading in progress ...
[20-Apr-2023 18:56:43] NOTICE: reloading: execvp("php-fpm", {"php-fpm", "--nodaemonize"})
[20-Apr-2023 18:56:43] NOTICE: using inherited socket fd=8, ":::9000"
[20-Apr-2023 18:56:43] NOTICE: using inherited socket fd=8, ":::9000"
[20-Apr-2023 18:56:43] NOTICE: fpm is running, pid 1
[20-Apr-2023 18:56:43] NOTICE: ready to handle connections
[20-Apr-2023 18:56:44] WARNING: [pool worker] child 141 exited on signal 11 (SIGSEGV - core dumped) after 1.184849 seconds from start
[20-Apr-2023 18:56:44] NOTICE: [pool worker] child 144 started
[20-Apr-2023 18:56:44] WARNING: [pool worker] child 142 exited on signal 11 (SIGSEGV - core dumped) after 1.232448 seconds from start
[20-Apr-2023 18:56:44] NOTICE: [pool worker] child 145 started

My PHP version:

# php -v
PHP 8.1.16 (cli) (built: Apr 20 2023 14:55:08) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.1.16, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.16, Copyright (c), by Zend Technologies

Backtrace:

(gdb) bt
#0  0x00007fa727e8124b in zend_accel_inheritance_cache_find () from /usr/local/lib/php/extensions/debug-non-zts-20210902/opcache.so
#1  0x00007fa727e813c9 in zend_accel_inheritance_cache_get () from /usr/local/lib/php/extensions/debug-non-zts-20210902/opcache.so
#2  0x0000562f6fe561cd in zend_do_link_class (ce=0x46e1f760, lc_parent_name=0x43959b40, key=0x43a77e70) at /usr/src/php/Zend/zend_inheritance.c:2784
#3  0x0000562f6fd1c6c6 in zend_bind_class_in_slot (class_table_slot=0x7fa724bd04f0, lcname=0x46e202a0, lc_parent_name=0x43959b40) at /usr/src/php/Zend/zend_compile.c:1131
#4  0x0000562f6fd1c88c in do_bind_class (lcname=0x46e202a0, lc_parent_name=0x43959b40) at /usr/src/php/Zend/zend_compile.c:1164
#5  0x0000562f6fda3ea1 in ZEND_DECLARE_CLASS_SPEC_CONST_HANDLER () at /usr/src/php/Zend/zend_vm_execute.h:5339
#6  0x0000562f6fe10506 in execute_ex (ex=0x7fa728016a20) at /usr/src/php/Zend/zend_vm_execute.h:56220
#7  0x0000562f6fd3e9dc in zend_call_function (fci=0x7fff07a52850, fci_cache=0x7fff07a52830) at /usr/src/php/Zend/zend_execute_API.c:912
#8  0x0000562f6fd3eecb in zend_call_known_function (fn=0x462d2ef0, object=0x7fa728002000, called_scope=0x462cd8a0, retval_ptr=0x0, param_count=1, params=0x7fff07a52900, named_params=0x0) at /usr/src/php/Zend/zend_execute_API.c:1001
#9  0x0000562f6faf342b in spl_perform_autoload (class_name=0x43280548, lc_name=0x43a77e70) at /usr/src/php/ext/spl/php_spl.c:446
#10 0x0000562f6fd3f5a1 in zend_lookup_class_ex (name=0x43280548, key=0x43a77e70, flags=512) at /usr/src/php/Zend/zend_execute_API.c:1145
#11 0x0000562f6fd403ba in zend_fetch_class_by_name (class_name=0x43280548, key=0x43a77e70, fetch_type=512) at /usr/src/php/Zend/zend_execute_API.c:1605
#12 0x0000562f6fdad07f in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /usr/src/php/Zend/zend_vm_execute.h:10167
#13 0x0000562f6fe10c46 in execute_ex (ex=0x7fa728016940) at /usr/src/php/Zend/zend_vm_execute.h:56684
#14 0x0000562f6fd3e9dc in zend_call_function (fci=0x7fff07a52e30, fci_cache=0x7fff07a52e10) at /usr/src/php/Zend/zend_execute_API.c:912
#15 0x0000562f6fb65e31 in zif_call_user_func (execute_data=0x7fa7280168d0, return_value=0x7fa7280168b0) at /usr/src/php/ext/standard/basic_functions.c:1566
#16 0x0000562f6fd97b7c in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /usr/src/php/Zend/zend_vm_execute.h:1558
#17 0x0000562f6fe0fb3a in execute_ex (ex=0x7fa728016020) at /usr/src/php/Zend/zend_vm_execute.h:55799
#18 0x0000562f6fe14418 in zend_execute (op_array=0x7fa728069000, return_value=0x0) at /usr/src/php/Zend/zend_vm_execute.h:60151
#19 0x0000562f6fd5814d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php/Zend/zend.c:1799
#20 0x0000562f6fcabb4d in php_execute_script (primary_file=0x7fff07a55620) at /usr/src/php/main/main.c:2542
#21 0x0000562f6fee55db in main (argc=2, argv=0x7fff07a559f8) at /usr/src/php/sapi/fpm/fpm/fpm_main.c:1917

Strace of failing worker:

mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fca8de5c000
munmap(0x7fca8de5c000, 16384)           = 0
mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fca8de5c000
munmap(0x7fca8de5c000, 16384)           = 0
mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fca8de5c000
munmap(0x7fca8de5c000, 16384)           = 0
mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fca8de5c000
munmap(0x7fca8de5c000, 16384)           = 0
mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fca8de5c000
munmap(0x7fca8de5c000, 16384)           = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xffffffff00000016} ---
+++ killed by SIGSEGV (core dumped) +++
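
A detection sketch for the pattern in the php-fpm log above (worker SIGSEGV exits shortly after a reload), as an added example that is not part of the original comment. The 60-second window and the function name are assumptions; the sample lines are copied from the log in this comment.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the comment above (php-fpm master log).
SAMPLE_LOG = """\
[20-Apr-2023 18:56:43] NOTICE: Reloading in progress ...
[20-Apr-2023 18:56:43] NOTICE: fpm is running, pid 1
[20-Apr-2023 18:56:43] NOTICE: ready to handle connections
[20-Apr-2023 18:56:44] WARNING: [pool worker] child 141 exited on signal 11 (SIGSEGV - core dumped) after 1.184849 seconds from start
[20-Apr-2023 18:56:44] NOTICE: [pool worker] child 144 started
[20-Apr-2023 18:56:44] WARNING: [pool worker] child 142 exited on signal 11 (SIGSEGV - core dumped) after 1.232448 seconds from start
""".splitlines()

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$")
CRASH = re.compile(
    r"^\[pool (?P<pool>\S+)\] child (?P<pid>\d+) exited on signal 11 "
    r"\(SIGSEGV[^)]*\) after (?P<life>[\d.]+) seconds from start$"
)


def crashes_after_reload(lines, window=timedelta(seconds=60)):
    """Return SIGSEGV worker exits logged within `window` of a reload."""
    last_reload, hits = None, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a php-fpm log line
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        if m["msg"].startswith("Reloading in progress"):
            last_reload = ts
            continue
        crash = CRASH.match(m["msg"])
        if crash and last_reload is not None and ts - last_reload <= window:
            hits.append({
                "pool": crash["pool"],
                "pid": int(crash["pid"]),
                "lifetime_s": float(crash["life"]),
                "since_reload_s": (ts - last_reload).total_seconds(),
            })
    return hits


if __name__ == "__main__":
    for hit in crashes_after_reload(SAMPLE_LOG):
        print(hit)
```

A hit right after a deployment reload points at the file cache state discussed in this thread; an earlier comment reports that clearing the file cache stopped the segfaults.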

@dstogov
Member

dstogov commented Oct 11, 2023

This should be fixed via 90f2e76

@dstogov dstogov closed this as completed Oct 11, 2023