Bug #71910 Too many concatenations in a single statement crashes Apache
Submitted: 2016-03-28 17:38 UTC Modified: 2016-04-17 04:22 UTC
From: ksours at internebrands dot com Assigned:
Status: No Feedback Package: Apache2 related
PHP Version: 7.0.4 OS: Windows7 64bit
Private report: No CVE-ID: None
 [2016-03-28 17:38 UTC] ksours at internebrands dot com
Description:
------------
This only seems to happen on Windows and only with PHP7. I'm using mod_php on Apache 2.4.18 from Apache Lounge and the PHP binaries from http://windows.php.net. I've encountered the problem on both 32 bit and 64 bit versions of 7.0.3 and the 64 bit version of 7.0.4. It does not occur with the 32bit version of 5.6.14. I've only run the precise sample script against 7.0.4 64bit.

The result of the script is that Apache crashes when the script is run. Note that it doesn't require the code actually run (note the exit statement in the same script), it just has to be in the script. Commenting it out eliminates the problem as expected. Running the code via the CLI works just fine.

PHP Command line:
cscript /nologo configure.js "--enable-snapshot-build" "--enable-debug-pack" "--with-pdo-oci=c:\php-sdk\oracle\x64\instantclient_12_1\sdk,shared" "--with-oci8-12c=c:\php-sdk\oracle\x64\instantclient_12_1\sdk,shared" "--enable-object-out-dir=../obj/" "--enable-com-dotnet=shared" "--with-mcrypt=static" "--without-analyzer" "--with-pgo" 


Test script:
---------------
<?php
/*
Note that this script *generates* the script to reproduce
The problem might be environment related in terms of how many
concatenations reproduce
*/

$text = '
<?php


exit;
$out =
';


for($i = 0; $i<2000; $i++)
{
 $text .= "'a' . ";
}

$text .= "'a';";


file_put_contents('sample.php', $text);


History

 [2016-03-29 12:38 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2016-03-29 12:38 UTC] ab@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

Please note also that your generator writes an exit; before anything in the script happens.

Thanks.
 [2016-03-29 14:40 UTC] ksours at internetbrands dot com
The exit is intentional, as I noted in my initial report. The script, as generated, will crash Apache. It also doesn't matter if there are parse errors or nonexistent functions -- at least in certain places -- within the script. I didn't spend a lot of time investigating that, it was just something I noticed while simplifying the script.
 [2016-03-29 15:04 UTC] ksours at internebrands dot com
-Status: Feedback +Status: Open
 [2016-03-29 15:04 UTC] ksours at internebrands dot com
Attempted to download the diagnostic tool from the link you provided. Got directed here.
https://www.microsoft.com/library/errorpages/smarterror.aspx
 [2016-03-29 16:28 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2016-03-29 16:28 UTC] ab@php.net
Yeah, it was linking to an older tool version. I've just updated it, it should be https://www.microsoft.com/en-us/download/details.aspx?id=49924 .

Ok, so you mean the presence of exit; is explicitly required to reproduce the crash. I reproduced no issue either with or without it, that's why I mentioned it. So it'd be better to see the backtrace it shows for you.

Thanks.
 [2016-03-29 16:33 UTC] ksours at internetbrands dot com
It doesn't seem to matter if it's there or not. I left it in because it's weirder that way. I will attempt to download the tool and get the stacktrace.
 [2016-04-04 22:41 UTC] ksours at internetbrands dot com
Note that I've removed a large number of repeated lines because it's quite long and I think you get the message. Total line count of the traces is 2508.

Entry point   libhttpd!ap_run_generate_log_id+3db0 
Create time   4/4/2016 6:15:01 PM 
Time spent in user mode   0 Days 00:00:00.000 
Time spent in kernel mode   0 Days 00:00:00.031 


This thread is not fully resolved and may or may not be a problem. Further analysis of these threads may be required.

php7ts!zend_compile_binary_op+10 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
...
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_binary_op+33 
php7ts!zend_compile_expr+155 
php7ts!zend_compile_assign+a5 
php7ts!zend_compile_expr+125 
php7ts!zend_compile_stmt+162 
php7ts!zend_compile_top_stmt+23 
php7ts!zend_compile_top_stmt+9c 
php7ts!compile_file+17e 
php7ts!phar_compile_file+30c 
php7ts!zend_execute_scripts+86 
php7ts!php_execute_script+4c6 
php7apache2_4!php_handler+579 
libhttpd!ap_run_handler+35 
libhttpd!ap_invoke_handler+110 
libhttpd!ap_internal_redirect_handler+29a 
libhttpd!ap_process_request+17 
libhttpd!ap_byterange_filter+152f 
libhttpd!ap_run_process_connection+35 
libhttpd!ap_run_generate_log_id+3f24 
kernel32!BaseThreadInitThunk+d 
ntdll!RtlUserThreadStart+1d 



Exception Information


PHP7TS!ZEND_COMPILE_BINARY_OP+10

In httpd__PID__11296__Date__04_04_2016__Time_06_16_39PM__900__Second_Chance_Exception_C00000FD.dmp the assembly instruction at php7ts!zend_compile_binary_op+10 in C:\programming\applications\php704_64\php7ts.dll from The PHP Group has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x02643ff8 on thread 3
 [2016-04-04 22:42 UTC] ksours at internebrands dot com
-Status: Feedback +Status: Open
 [2016-04-04 22:42 UTC] ksours at internebrands dot com
Also note that the screen shots in your debug doc are out of date.  The new tool has a separate analysis app (and you need to set the debug symbols in both)
 [2016-04-05 06:37 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2016-04-05 06:37 UTC] ab@php.net
Thanks for the check. It is most likely not an issue in PHP. I've two suggestions how to fix it

- set ThreadStackSize directive as described here https://httpd.apache.org/docs/current/en/mod/mpm_common.html#threadstacksize , or
- if you have Visual Studio installed, use the editbin tool to increase the stack size in httpd.exe

With the screenshots - yeah, most of them are still compatible, but not all :(. Would you be interested to contribute? If so, a PR can be provided here https://github.com/php/web-bugs/blob/master/www/bugs-generating-backtrace-win32.php 

Thanks.
 [2016-04-05 14:32 UTC] ksours at internetbrands dot com
Fair enough.  I mainly reported it because it was a regression from PHP5 -- something definitely changed from PHP5 to PHP7 to cause this or to make it worse. (Both my program and the sample script run just fine on PHP5 in the same environment).

It would be nice if we could get some kind of graceful error rather than just a crash, but that's not always possible.
 [2016-04-17 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2020-11-17 10:14 UTC] daniel dot neuman at prowledge dot com
I have the same issue on PHP 7.4.12:
A long string concatenation causes a stack overflow in ZEND_COMPILE_BINARY_OP.

Increasing the ThreadStackSize mitigates the issue.

Would it be possible to anticipate that the thread stack will overflow and have ZEND_COMPILE_BINARY_OP handle it accordingly?
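
Added example, not part of the original report and not PHP's own code: a toy recursive compiler in C showing why the 2000-operator chain from the test script needs one level of recursion per operator, and how a nesting limit turns the overflow into a reportable error. The node type, function names and the depth counter are assumptions made for illustration; a depth counter stands in here for a real remaining-stack check.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy AST (hypothetical, not PHP's zend_ast): a leaf has lhs == NULL. */
typedef struct node { struct node *lhs, *rhs; } node;

static node *mk(node *l, node *r) {
    node *n = malloc(sizeof *n);
    if (!n) abort();
    n->lhs = l; n->rhs = r;
    return n;
}

/* 'a' . 'a' . ... is left-associative: n operators give a left spine n deep. */
node *build_chain(int operators) {
    node *e = mk(NULL, NULL);
    for (int i = 0; i < operators; i++)
        e = mk(e, mk(NULL, NULL));
    return e;
}

/* Recursive walk, one call per nesting level as in the trace above. Returns
   the number of concat operations emitted, or -1 past max_depth. */
int compile_expr(const node *n, int depth, int max_depth) {
    if (depth > max_depth) return -1;      /* graceful-error path */
    if (!n->lhs) return 0;                 /* leaf: string literal */
    int l = compile_expr(n->lhs, depth + 1, max_depth);
    if (l < 0) return -1;
    int r = compile_expr(n->rhs, depth + 1, max_depth);
    if (r < 0) return -1;
    return l + r + 1;
}

/* Free iteratively down the left spine so cleanup cannot overflow either. */
void free_chain(node *n) {
    while (n) {
        node *next = n->lhs;
        free(n->rhs);
        free(n);
        n = next;
    }
}

int main(void) {
    node *e = build_chain(2000);           /* same count as the test script */
    printf("limit 4096: %d\n", compile_expr(e, 0, 4096));
    printf("limit 512:  %d\n", compile_expr(e, 0, 512));
    free_chain(e);
    return 0;
}
```

With the limit above the chain length the walk completes; below it, the caller receives -1 and can report "expression nested too deeply" instead of the worker thread dying with 0xC00000FD.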
Last updated: Thu Dec 26 11:01:30 2024 UTC