php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #73521 date('O') cause coredump
Submitted: 2016-11-15 06:10 UTC Modified: 2016-12-11 04:22 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:2 (66.7%)
From: 804368954 at qq dot com Assigned:
Status: No Feedback Package: Date/time related
PHP Version: 7.0Git-2016-11-15 (Git) OS: CentOS Linux release 6.2 (Final)
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: 804368954 at qq dot com
New email:
PHP Version: OS:

 

 [2016-11-15 06:10 UTC] 804368954 at qq dot com 
Description:
------------
service environment:
PHP: PHP 7.0.6 (fpm-fcgi) (built: Aug 19 2016 19:19:41)
System: CentOS Linux release 6.2 (Final)

sometimes coredump like "/core.php-fpm.2114.1475062344",but not offten.

Because in production env, so the gdb result not debug:

Core was generated by `php-fpm: pool www                                                             '.
Program terminated with signal 11, Segmentation fault.
#0  zend_mm_alloc_small (size=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c:1295
1295    /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c: No such file or directory.
        in /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c
Missing separate debuginfos, use: debuginfo-install php7-7.0.6-20160819192101.x86_64
(gdb) bt
#0  zend_mm_alloc_small (size=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c:1295
#1  zend_mm_alloc_heap (size=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c:1366
#2  _emalloc (size=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c:2450
#3  0x00000000008415d1 in zend_string_alloc (str=0x7fff99d6fd20, len=<value optimized out>) at Zend/zend_string.h:121
#4  smart_str_erealloc (str=0x7fff99d6fd20, len=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_smart_str.c:41
#5  0x000000000043ed89 in smart_str_alloc (format=0x7f4eba8e7968 "O", format_len=1, t=0x7f4eca459afe, localtime=1)
    at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_smart_str.h:61
#6  smart_str_appendl_ex (format=0x7f4eba8e7968 "O", format_len=1, t=0x7f4eca459afe, localtime=1) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_smart_str.h:89
#7  date_format (format=0x7f4eba8e7968 "O", format_len=1, t=0x7f4eca459afe, localtime=1) at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/date/php_date.c:1218
#8  0x0000000000442032 in php_format_date (format=0x7f4eba8e7968 "O", format_len=1, ts=1479163515, localtime=1)
    at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/date/php_date.c:1265
#9  0x000000000044276e in php_date (execute_data=0x7f4eca4155a0, return_value=0x7f4eca4154b0, localtime=1) at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/date/php_date.c:1243
#10 0x00000000008675f3 in ZEND_DO_ICALL_SPEC_HANDLER (execute_data=0x7f4eca415320) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:586
#11 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
#12 0x000000000087961a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f4eca415290) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:800
#13 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
#14 0x000000000087961a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f4eca415130) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:800
#15 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
#16 0x000000000087961a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f4eca415030) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:800
#17 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
#18 0x00000000007f5348 in zend_call_function (fci=0x7fff99d700d0, fci_cache=0x7fff99d70050) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_execute_API.c:866
#19 0x00000000007f58da in call_user_function_ex (function_table=<value optimized out>, object=<value optimized out>, function_name=<value optimized out>, retval_ptr=<value optimized out>, 
    param_count=<value optimized out>, params=<value optimized out>, no_separation=1, symbol_table=0x0) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_execute_API.c:685
#20 0x00000000007f58f9 in call_user_function (function_table=<value optimized out>, object=<value optimized out>, function_name=<value optimized out>, retval_ptr=<value optimized out>, 
    param_count=<value optimized out>, params=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_execute_API.c:667
#21 0x0000000000709bb7 in user_shutdown_function_call (zv=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/standard/basic_functions.c:4923
#22 0x000000000080f573 in zend_hash_apply (ht=0x7f4eca466498, apply_func=0x709af0 <user_shutdown_function_call>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_hash.c:1534
#23 0x0000000000709ae6 in php_call_shutdown_functions () at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/standard/basic_functions.c:5007
#24 0x00000000007a57b5 in php_request_shutdown (dummy=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/main/main.c:1775
#25 0x00000000008a290b in main (argc=<value optimized out>, argv=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/sapi/fpm/fpm/fpm_main.c:1996
(gdb) bt full
#0  zend_mm_alloc_small (size=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c:1295
        p = 0x7f4eca459c00003d
#1  zend_mm_alloc_heap (size=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c:1366
        ptr = <value optimized out>
#2  _emalloc (size=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c:2450
No locals.
#3  0x00000000008415d1 in zend_string_alloc (str=0x7fff99d6fd20, len=<value optimized out>) at Zend/zend_string.h:121
        ret = <value optimized out>
#4  smart_str_erealloc (str=0x7fff99d6fd20, len=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_smart_str.c:41
No locals.
#5  0x000000000043ed89 in smart_str_alloc (format=0x7f4eba8e7968 "O", format_len=1, t=0x7f4eca459afe, localtime=1)
    at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_smart_str.h:61
No locals.
#6  smart_str_appendl_ex (format=0x7f4eba8e7968 "O", format_len=1, t=0x7f4eca459afe, localtime=1) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_smart_str.h:89
        new_len = <value optimized out>
#7  date_format (format=0x7f4eba8e7968 "O", format_len=1, t=0x7f4eca459afe, localtime=1) at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/date/php_date.c:1218
        string = {s = 0x0, a = 231}
        i = 0
        length = 5
        buffer = "+0800\000\000\000@\223\025\001\000\000\000\000\060PA\312N\177\000\000z?\000\000\000\000\000 \000\000\000\060\000\000\000\260\375?\377\177\000\000\360\374?\377\177\000\000\376\232E\312N\177\000\000p\020@\312N\177\000\000\323\024~\000\000\000\000\000\376\232E\312N\177\000\000p\020@\312N\177\000\000\003"
        offset = <value optimized out>
        rfc_colon = <value optimized out>
        weekYearSet = 0
#8  0x0000000000442032 in php_format_date (format=0x7f4eba8e7968 "O", format_len=1, ts=1479163515, localtime=1)
    at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/date/php_date.c:1265
        t = 0x7f4eca459afe
        tzi = <value optimized out>
        string = <value optimized out>
#9  0x000000000044276e in php_date (execute_data=0x7f4eca4155a0, return_value=0x7f4eca4154b0, localtime=1) at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/date/php_date.c:1243
        __z = 0x7f4eca4154b0
        __s = <value optimized out>
        format = 0x7f4eba8e7968 "O"
        format_len = 1
        ts = 1479163515
#10 0x00000000008675f3 in ZEND_DO_ICALL_SPEC_HANDLER (execute_data=0x7f4eca415320) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:586
        opline = 0x7f4ebb228be8
        call = 0x7f4eca4155a0
        fbc = <value optimized out>
        ret = <value optimized out>
#11 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
---Type <return> to continue, or q <return> to quit---
        ret = <value optimized out>
        execute_data = 0x7f4eca415320
#12 0x000000000087961a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f4eca415290) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:800
        opline = 0x7f4ebb22a128
        call = 0x7f4eca415320
        fbc = 0x7f4eca40d308
        object = <value optimized out>
        ret = <value optimized out>
#13 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
        ret = <value optimized out>
        execute_data = 0x7f4eca415290
#14 0x000000000087961a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f4eca415130) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:800
        opline = 0x7f4ebb2111a8
        call = 0x7f4eca415290
        fbc = 0x7f4eca40d648
        object = <value optimized out>
        ret = <value optimized out>
#15 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
        ret = <value optimized out>
        execute_data = 0x7f4eca415130
#16 0x000000000087961a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f4eca415030) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:800
        opline = 0x7f4ebb20e3e0
        call = 0x7f4eca415130
        fbc = 0x7f4eca49e600
        object = <value optimized out>
        ret = <value optimized out>
#17 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
        ret = <value optimized out>
        execute_data = 0x7f4eca415030
#18 0x00000000007f5348 in zend_call_function (fci=0x7fff99d700d0, fci_cache=0x7fff99d70050) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_execute_API.c:866
        call_via_handler = 0
        i = <value optimized out>
        calling_scope = <value optimized out>
        call = 0x7f4eca415030
        dummy_execute_data = {opline = 0x0, call = 0x0, return_value = 0x0, func = 0x0, This = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, 
              ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', 
                reserved = 0 '\000'}, type_info = 0}, u2 = {var_flags = 0, next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0}}, called_scope = 0x0, 
          prev_execute_data = 0x0, symbol_table = 0x0, run_time_cache = 0x0, literals = 0x0}
        fci_cache_local = {initialized = 1 '\001', function_handler = 0x7f4eca49ea10, calling_scope = 0x0, called_scope = 0x0, object = 0x0}
        func = 0x7f4eca49ea10
        orig_scope = 0x0
---Type <return> to continue, or q <return> to quit---
#19 0x00000000007f58da in call_user_function_ex (function_table=<value optimized out>, object=<value optimized out>, function_name=<value optimized out>, retval_ptr=<value optimized out>, 
    param_count=<value optimized out>, params=<value optimized out>, no_separation=1, symbol_table=0x0) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_execute_API.c:685
        fci = {size = 72, function_table = 0x245b4e0, function_name = {value = {lval = 139976114599224, dval = 6.9157389461813945e-310, counted = 0x7f4eba967538, str = 0x7f4eba967538, 
              arr = 0x7f4eba967538, obj = 0x7f4eba967538, res = 0x7f4eba967538, ref = 0x7f4eba967538, ast = 0x7f4eba967538, zv = 0x7f4eba967538, ptr = 0x7f4eba967538, ce = 0x7f4eba967538, 
              func = 0x7f4eba967538, ww = {w1 = 3130422584, w2 = 32590}}, u1 = {v = {type = 6 '\006', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 6}, 
            u2 = {var_flags = 32590, next = 32590, cache_slot = 32590, lineno = 32590, num_args = 32590, fe_pos = 32590, fe_iter_idx = 32590}}, symbol_table = 0x0, 
          retval = 0x7fff99d70150, params = 0x7f4eca46c120, object = 0x0, no_separation = 1 '\001', param_count = 0}
#20 0x00000000007f58f9 in call_user_function (function_table=<value optimized out>, object=<value optimized out>, function_name=<value optimized out>, retval_ptr=<value optimized out>, 
    param_count=<value optimized out>, params=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_execute_API.c:667
No locals.
#21 0x0000000000709bb7 in user_shutdown_function_call (zv=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/standard/basic_functions.c:4923
        shutdown_function_entry = 0x7f4eca46c120
        retval = {value = {lval = 18192736, dval = 8.9884058614592963e-317, counted = 0x1159960, str = 0x1159960, arr = 0x1159960, obj = 0x1159960, res = 0x1159960, ref = 0x1159960, 
            ast = 0x1159960, zv = 0x1159960, ptr = 0x1159960, ce = 0x1159960, func = 0x1159960, ww = {w1 = 18192736, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', 
              const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {var_flags = 0, next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0}}
        function_name = 0x7f4eba967538
#22 0x000000000080f573 in zend_hash_apply (ht=0x7f4eca466498, apply_func=0x709af0 <user_shutdown_function_call>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_hash.c:1534
        idx = <value optimized out>
        p = 0x7f4eca45c928
        result = <value optimized out>
#23 0x0000000000709ae6 in php_call_shutdown_functions () at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/standard/basic_functions.c:5007
        __orig_bailout = 0x7fff99d702f0
        __bailout = {{__jmpbuf = {18191168, 4168535194149327155, 41067202, 0, 0, 139976377376768, -4168454012177477325, 4168537093102637363}, __mask_was_saved = 0, __saved_mask = {
              __val = {0, 0, 0, 0, 0, 0, 0, 65536, 150323855361, 0, 0, 0, 0, 18189464, 18189152, 41067202}}}}
#24 0x00000000007a57b5 in php_request_shutdown (dummy=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/main/main.c:1775
        __orig_bailout = 0x7fff99d70610
        __bailout = {{__jmpbuf = {18191168, 4168535194149327155, 41067202, 0, 0, 139976377376768, -4168454012208934605, 4168537150679552307}, __mask_was_saved = 0, __saved_mask = {
              __val = {0, 140735774393168, 140735774976567, 140735774393216, 139976463416902, 140735774393280, 41068236, 41067202, 9023407, 2097152, 41068236, 41067202, 1479163515, 408, 
                18189824, 41068236}}}}
        report_memleaks = 1 '\001'
#25 0x00000000008a290b in main (argc=<value optimized out>, argv=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/sapi/fpm/fpm/fpm_main.c:1996
        primary_script = <value optimized out>
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, -4168454011912187597, 7, 70, 18166784, 0, -4168454012238294733, 4168538384012153139}, __mask_was_saved = 0, __saved_mask = {__val = {139976470078262, 
                139976471083240, 140735774394128, 139976439517314, 140735774394128, 39, 139976471086832, 4131212846, 139976470080642, 139976439519287, 64550200, 140733193388078, 
                139976425716308, 0, 140735774394512, 139976425716808}}}}
        exit_status = 0
        c = <value optimized out>
        use_extended_info = 0
        file_handle = {handle = {fd = -1713960736, fp = 0x7fff99d708e0, stream = {handle = 0x7fff99d708e0, isatty = -1713960696, mmap = {len = 139976472273288, pos = 139976471087216, 
                map = 0xf63d4e2e, buf = 0x7f4ecfc6af0a "\205\300~\232H\213E\260H\205\300\017\204-\003", old_handle = 0x0, old_closer = 0x7f4ecfd60870}, reader = 0x1, fsizer = 0, 
---Type <return> to continue, or q <return> to quit---
              closer = 0x1}}, filename = 0x7f4eca404000 "\004", opened_path = 0x0, type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = <value optimized out>
        max_requests = 10000
        requests = 293
        fcgi_fd = 18189824
        request = 0x272f170
        fpm_config = 0x7fff99d72c2c ""
        fpm_prefix = 0x7fff99d72c52 ""
        fpm_pid = 0x0
        test_conf = 0
        force_daemon = -1
        force_stderr = 0
        php_information = 0
        php_allow_to_run_as_root = 0
        __func__ = "main"


In the gdb bt full result we can see #7  date_format (format=0x7f4eba8e7968 "O", so we check our code find the "register_shutdown_function" include date("O"), so I think this is the reason。

thanks

Test script:
---------------
date("O")

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-30 02:27 UTC] bwoebi@php.net
-Status: Open +Status: Feedback
 [2016-11-30 02:27 UTC] bwoebi@php.net 
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

The date("O") call only triggers the SEGV (due to previously corrupted memory), the real issue is before.

Can you please include a full reproduce script actually giving a SEGV?
 [2016-12-11 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Nov 03 18:00:01 2025 UTC