Bug #35751 using date with a timestamp makes httpd segfault
Submitted: 2005-12-20 19:11 UTC Modified: 2005-12-29 13:00 UTC
Votes:5
Avg. Score:4.2 ± 1.6
Reproduced:2 of 3 (66.7%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: lehmann at ans-netz dot de Assigned: derick (profile)
Status: Closed Package: Date/time related
PHP Version: 5.1.1 OS: FreeBSD 6.0/alpha
Private report: No CVE-ID: None

 

 [2005-12-20 19:11 UTC] lehmann at ans-netz dot de
Description:
------------
Using date() in combination with a timestamp makes my httpd segfault on FreeBSD 5.0/alpha - it worked with PHP 5.0.5 like a charm.
Using just date() with a format string, but w/o a timestamp works w/o problems.

Reproduce code:
---------------
<?echo date('Y',10000)?>

Expected result:
----------------
it should work?

Actual result:
--------------
root@dill php5> ktrace httpd -X
pid 30132 (httpd): unaligned access: va=0x11ffc72c pc=0x160a59720 ra=0x160a59e44 op=stq
Segmentation fault
Exit 139
root@dill php5> 

last part of the ktrace:

 27732 httpd    RET   read 487/0x1e7
 27732 httpd    CALL  stat(0x1605da495,0x11ffe658)
 27732 httpd    NAMI  "/etc/nsswitch.conf"
 27732 httpd    RET   stat 0
 27732 httpd    CALL  stat(0x1605da495,0x11ffe658)
 27732 httpd    Events dropped.
 27732 httpd    RET   stat 0
 27732 httpd    Events dropped.
 27732 httpd    CALL  open(0x1202e43c0,0,0x1b6)
 27732 httpd    Events dropped.
 27732 httpd    RET   lstat 0
 27732 httpd    Events dropped.
 27732 httpd    RET   open 23/0x17
 27732 httpd    Events dropped.
 27732 httpd    RET   open 23/0x17
 27732 httpd    Events dropped.
 27732 httpd    RET   stat 0
 27732 httpd    Events dropped.
 27732 httpd    RET   lstat 0
 27732 httpd    Events dropped.
 27732 httpd    RET   lstat 0
 27732 httpd    Events dropped.
 27732 httpd    RET   lstat 0
 27732 httpd    Events dropped.
 27732 httpd    RET   lstat 0
 27732 httpd    Events dropped.
 27732 httpd    CALL  gettimeofday(0x11ffc548,0)
root@dill php5>

 [2005-12-20 20:25 UTC] lehmann at ans-netz dot de
I'm not able to get a working backtrace; I compiled PHP with --enable-debug during configure:

root@dill php-5.1.1> gdb /usr/local/sbin/httpd /tmp/httpd.core 
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "alpha-marcel-freebsd"...(no debugging symbols found)...
Core was generated by `httpd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libz.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.3
Reading symbols from /usr/lib/libssl.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libssl.so.4
[...]
Loaded symbols for /usr/local/libexec/apache2/libphp5.so
Reading symbols from /usr/local/lib/libxml2.so.5...done.
Loaded symbols for /usr/local/lib/libxml2.so.5
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x0000000160953668 in ?? () from /usr/local/libexec/apache2/libphp5.so
(gdb) bt
#0  0x0000000160953668 in ?? () from /usr/local/libexec/apache2/libphp5.so
#1  0x0000000000000002 in ?? ()
Cannot access memory at address 0xfffffffffffffffe
(gdb)
 [2005-12-20 20:33 UTC] derick@php.net
Instead of running it through your webserver, try the command line... (with GDB too).
 [2005-12-20 20:53 UTC] lehmann at ans-netz dot de
here is the backtrace:

(gdb) bt
#0  0x00000001200297c8 in php_format_date (format=0x120132fd8 "\036", format_len=540212224, ts=10000, localtime=46)
    at /usr/obj/alpha-ev56-6.0/usr/ports/lang/php5/work/php-5.1.1/ext/date/php_date.c:467
#1  0x0000000000000000 in ?? ()
Previous frame identical to this frame (corrupt stack?)
(gdb) up 0
#0  0x00000001200297c8 in php_format_date (format=0x120132fd8 "\036", format_len=540212224, ts=10000, localtime=46)
    at /usr/obj/alpha-ev56-6.0/usr/ports/lang/php5/work/php-5.1.1/ext/date/php_date.c:467
467                     switch (format[i]) {
(gdb) list
462             }
463             buffer[32] = '\0';
464             timelib_isoweek_from_date(t->y, t->m, t->d, &isoweek, &isoyear);
465     
466             for (i = 0; i < format_len; i++) {
467                     switch (format[i]) {
468                             /* day */
469                             case 'd': snprintf(buffer, 32, "%02d", (int) t->d); break;
470                             case 'D': snprintf(buffer, 32, "%s", day_short_names[timelib_day_of_week(t->y, t->m, t->d)]); break;
471                             case 'j': snprintf(buffer, 32, "%d", (int) t->d); break;
(gdb)
 [2005-12-20 23:00 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.1-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.1-win32-latest.zip


 [2005-12-21 15:04 UTC] lehmann at ans-netz dot de
here is the backtrace from the latest CVS snapshot (please don't be irritated by the path; I renamed php5-CVS... to php-5.1.1)

#0  0x0000000120029ce8 in php_format_date (
    format=0x2 <Address 0x2 out of bounds>, format_len=1, ts=10000,
    localtime=1)
    at /usr/obj/alpha-ev56-6.0/usr/ports/lang/php5/work/php-5.1.1/ext/date/php_date.c:465
465                     switch (format[i]) {
(gdb) bt
#0  0x0000000120029ce8 in php_format_date (
    format=0x2 <Address 0x2 out of bounds>, format_len=1, ts=10000,
    localtime=1)
    at /usr/obj/alpha-ev56-6.0/usr/ports/lang/php5/work/php-5.1.1/ext/date/php_date.c:465
#1  0x0000000000000002 in ?? ()
Cannot access memory at address 0xfffffffffffffffe
(gdb) up 0
#0  0x0000000120029ce8 in php_format_date (
    format=0x2 <Address 0x2 out of bounds>, format_len=1, ts=10000,
    localtime=1)
    at /usr/obj/alpha-ev56-6.0/usr/ports/lang/php5/work/php-5.1.1/ext/date/php_date.c:465
465                     switch (format[i]) {
(gdb) list
460             }
461             buffer[32] = '\0';
462             timelib_isoweek_from_date(t->y, t->m, t->d, &isoweek, &isoyear);
463
464             for (i = 0; i < format_len; i++) {
465                     switch (format[i]) {
466                             /* day */
467                             case 'd': snprintf(buffer, 32, "%02d", (int) t->d); break;
468                             case 'D': snprintf(buffer, 32, "%s", day_short_names[timelib_day_of_week(t->y, t->m, t->d)]); break;
469                             case 'j': snprintf(buffer, 32, "%d", (int) t->d); break;
(gdb)
 [2005-12-21 15:12 UTC] tony2001@php.net
Works perfectly fine on Linux, both i386 and x86_64.
 [2005-12-21 22:50 UTC] lehmann at ans-netz dot de
As far as I could check, it also works with FreeBSD/i386 and FreeBSD/amd64, but not with FreeBSD/alpha. Since 5.0.5 worked with the ext/standard/datetime.[ch] code on FreeBSD/alpha before, I doubt that this is a problem with my OS.
 [2005-12-21 22:56 UTC] tony2001@php.net
This only means that you're on your own with the rare platform you have.
I guess the only solution is to try to debug it and tell us what's the problem, since it works fine for us.
 [2005-12-27 20:22 UTC] pablomh at gmail dot com
I'd like to say I'm seeing a similar behaviour in OpenBSD/sparc64 -current with php 5.1.1:

$ php -r "echo date('Y',10000);"
Segmentation fault (core dumped)
$ gdb /usr/local/bin/php -c php.core
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc64-unknown-openbsd3.8"...(no debugging symbols found)

Core was generated by `php'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libstdc++.so.40.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libstdc++.so.40.0
Reading symbols from /usr/lib/libm.so.2.1...done.
Loaded symbols for /usr/lib/libm.so.2.1
Reading symbols from /usr/local/lib/libintl.so.3.0...done.
Loaded symbols for /usr/local/lib/libintl.so.3.0
Reading symbols from /usr/lib/libssl.so.10.0...done.
Loaded symbols for /usr/lib/libssl.so.10.0
Reading symbols from /usr/lib/libcrypto.so.12.0...done.
Loaded symbols for /usr/lib/libcrypto.so.12.0
Reading symbols from /usr/lib/libz.so.4.1...done.
Loaded symbols for /usr/lib/libz.so.4.1
Reading symbols from /usr/local/lib/libxml2.so.9.0...done.
Loaded symbols for /usr/local/lib/libxml2.so.9.0
Reading symbols from /usr/local/lib/libiconv.so.4.0...done.
Loaded symbols for /usr/local/lib/libiconv.so.4.0
Reading symbols from /usr/lib/libc.so.38.4...done.
Loaded symbols for /usr/lib/libc.so.38.4
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
Reading symbols from /var/www/lib/php/modules/mysql.so...done.
Loaded symbols for /var/www/lib/php/modules/mysql.so
Reading symbols from /usr/local/lib/libmysqlclient.so.14.0...done.
Loaded symbols for /usr/local/lib/libmysqlclient.so.14.0
#0  0x000000000017b2e4 in get_timezone_info ()
(gdb) backtrace
#0  0x000000000017b2e4 in get_timezone_info ()
#1  0x000000000017bd78 in php_format_date ()
#2  0x000000000017bcd8 in get_timezone_info ()
#3  0x000000000031eb3c in execute ()
#4  0x000000000031e2f0 in execute ()
#5  0x00000000002e8bb4 in zend_eval_string ()
#6  0x00000000002e8d20 in zend_eval_string_ex ()
#7  0x0000000000378bd8 in main ()
(gdb)

This error began when I upgraded from 5.0.4 to 5.1.1.

It can be an endianness bug, so it's not exposed in i386/x86_64, and I don't think it's our "rare platform".
 [2005-12-27 20:51 UTC] derick@php.net
Please provide a backtrace with full debugging symbols...
 [2005-12-28 08:33 UTC] pablomh at gmail dot com
Here's the backtrace:

# php -r "echo date('Y',10000);"
Segmentation fault (core dumped)
# gdb /usr/local/bin/php -c php.core
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc64-unknown-openbsd3.8"...
Core was generated by `php'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libstdc++.so.40.0...done.
Loaded symbols for /usr/lib/libstdc++.so.40.0
Reading symbols from /usr/lib/libm.so.2.1...done.
Loaded symbols for /usr/lib/libm.so.2.1
Reading symbols from /usr/local/lib/libintl.so.3.0...done.
Loaded symbols for /usr/local/lib/libintl.so.3.0
Reading symbols from /usr/lib/libssl.so.10.0...done.
Loaded symbols for /usr/lib/libssl.so.10.0
Reading symbols from /usr/lib/libcrypto.so.12.0...done.
Loaded symbols for /usr/lib/libcrypto.so.12.0
Reading symbols from /usr/lib/libz.so.4.1...done.
Loaded symbols for /usr/lib/libz.so.4.1
Reading symbols from /usr/local/lib/libxml2.so.9.0...done.
Loaded symbols for /usr/local/lib/libxml2.so.9.0
Reading symbols from /usr/local/lib/libiconv.so.4.0...done.
Loaded symbols for /usr/local/lib/libiconv.so.4.0
Reading symbols from /usr/lib/libc.so.38.4...done.
Loaded symbols for /usr/lib/libc.so.38.4
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
#0  0x000000000017b324 in date_format (format=0x4e2046d8 "Y", format_len=10000, t=0x4909dd00, localtime=1)
    at /home/ciph3r/OpenBSD/ports/mystuff/php5/core/w-php5-core-5.1.1/php-5.1.1/ext/date/php_date.c:467
467                     switch (format[i]) {
(gdb) bt
#0  0x000000000017b324 in date_format (format=0x4e2046d8 "Y", format_len=10000, t=0x4909dd00, localtime=1)
    at /home/ciph3r/OpenBSD/ports/mystuff/php5/core/w-php5-core-5.1.1/php-5.1.1/ext/date/php_date.c:467
#1  0x000000000017bdb8 in php_format_date (format=0x4e2046d8 "Y", format_len=10000, ts=0, localtime=1)
    at /home/ciph3r/OpenBSD/ports/mystuff/php5/core/w-php5-core-5.1.1/php-5.1.1/ext/date/php_date.c:590
#2  0x000000000017bd18 in php_date (ht=2, return_value=0x4dd938d8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, localtime=1)
    at /home/ciph3r/OpenBSD/ports/mystuff/php5/core/w-php5-core-5.1.1/php-5.1.1/ext/date/php_date.c:568
#3  0x000000000031ecdc in zend_do_fcall_common_helper_SPEC (execute_data=0xffffffffffff0b30) at zend_vm_execute.h:188
#4  0x000000000031e490 in execute (op_array=0x4909d018) at zend_vm_execute.h:88
#5  0x00000000002e8d14 in zend_eval_string (str=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, retval_ptr=0x0,
    string_name=0x4909d018 "\004???????") at /home/ciph3r/OpenBSD/ports/mystuff/php5/core/w-php5-core-5.1.1/php-5.1.1/Zend/zend_execute_API.c:1056
#6  0x00000000002e8e80 in zend_eval_string_ex (str=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, retval_ptr=0x0,
    string_name=0x4909d018 "\004???????", handle_exceptions=1)
    at /home/ciph3r/OpenBSD/ports/mystuff/php5/core/w-php5-core-5.1.1/php-5.1.1/Zend/zend_execute_API.c:1090
#7  0x0000000000378d78 in main (argc=3, argv=0xffffffffffff1148)
    at /home/ciph3r/OpenBSD/ports/mystuff/php5/core/w-php5-core-5.1.1/php-5.1.1/sapi/cli/php_cli.c:1078
(gdb)


Hope it helps.
 [2005-12-28 10:28 UTC] derick@php.net
An account on your machine would be helpful for debugging and fixing this. Can you provide this? (Use derick@php.net to send details to)
 [2005-12-28 16:49 UTC] lehmann at ans-netz dot de
If there are some problems with getting an account on that machine I could give you one on mine as well.
 [2005-12-28 17:13 UTC] tony2001@php.net
Please send account details to Derick, you got the email.
 [2005-12-29 13:00 UTC] derick@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
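
Added illustration, not code from PHP or from this report: the sparc64 backtrace above shows format_len=10000 and ts=0 for date('Y',10000), and one defect class that yields exactly that pair on a 64-bit big-endian machine is an 8-byte store into a 4-byte local. The model below simulates such a store in both byte orders; the frame layout, the names and the assumption that this is the cause are hypothetical, and the thread does not say what the CVS fix changed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of two adjacent 32-bit locals. The layout (ts directly
 * followed by format_len) is an assumption chosen for illustration. */
struct frame { uint8_t bytes[8]; };
enum { TS_OFF = 0, LEN_OFF = 4 };
enum byte_order { LITTLE, BIG };

/* Store the low `width` bytes of v at offset off in the given byte order. */
static void store(struct frame *f, int off, uint64_t v, int width, enum byte_order bo)
{
    for (int i = 0; i < width; i++) {
        int shift = 8 * (bo == BIG ? width - 1 - i : i);
        f->bytes[off + i] = (uint8_t)(v >> shift);
    }
}

/* Read one 32-bit slot back in the same byte order. */
static uint32_t load32(const struct frame *f, int off, enum byte_order bo)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)f->bytes[off + i] << (8 * (bo == BIG ? 3 - i : i));
    return v;
}

/* Model argument parsing for date('Y', 10000): format_len is set to 1,
 * then the timestamp is written into the 4-byte ts slot using a store
 * that is store_width bytes wide (4 = matching, 8 = too wide). */
static void parse_args(struct frame *f, int store_width, enum byte_order bo)
{
    memset(f, 0, sizeof *f);
    store(f, LEN_OFF, 1, 4, bo);              /* length of "Y" */
    store(f, TS_OFF, 10000, store_width, bo); /* may spill into format_len */
}

int main(void)
{
    const int widths[] = { 4, 8, 8 };
    const enum byte_order orders[] = { BIG, BIG, LITTLE };
    struct frame f;
    for (int k = 0; k < 3; k++) {
        parse_args(&f, widths[k], orders[k]);
        printf("%s-endian, %d-byte store: ts=%u format_len=%u\n",
               orders[k] == BIG ? "big" : "little", widths[k],
               load32(&f, TS_OFF, orders[k]), load32(&f, LEN_OFF, orders[k]));
    }
    return 0;
}
```

With the big-endian 8-byte store the loop `for (i = 0; i < format_len; i++)` from the listing would walk 10000 bytes of a one-byte format string; in little-endian order the same store leaves ts intact and zeroes the neighbour instead.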


 
Last updated: Tue Dec 03 17:01:29 2024 UTC