Bug #79307 httpd crash when combine strings in php
Submitted: 2020-02-25 14:40 UTC Modified: 2020-06-18 15:03 UTC
Votes:3
Avg. Score:3.7 ± 1.9
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: idzjy at live dot cn Assigned:
Status: Open Package: Apache2 related
PHP Version: 7.3.15 OS: *
Private report: No CVE-ID: None
 [2020-02-25 14:40 UTC] idzjy at live dot cn
Description:
------------
When trying to combine thousands of strings using the concatenation operator ('.'), httpd crashes.

like:
https://github.com/laminas/laminas-validator/blob/master/src/Hostname/Biz.php
https://github.com/laminas/laminas-validator/blob/master/src/Hostname/Cn.php

the php package was downloaded directly from https://windows.php.net/downloads/releases/php-7.3.15-Win32-VC15-x64.zip

apache version: 2.4.37 on windows with wampserver 3.1.7 64bit.
crash on 7.2.14 / 7.3.9 / 7.3.15, not on 5.6.40 as I tested.
crash on apache, not cli.

// logs
apache log:
[Tue Feb 25 22:04:01.612217 2020] [mpm_winnt:notice] [pid 273704:tid 764] AH00428: Parent: child process 282396 exited with status 3221225725 -- Restarting.

php logs nothing.

Windows Event Viewer:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-02-25T14:03:58.936699400Z" />
    <EventRecordID>49477</EventRecordID>
    <Channel>Application</Channel>
    <Computer>***</Computer>
    <Security />
  </System>
  <EventData>
    <Data>httpd.exe</Data>
    <Data>2.4.37.0</Data>
    <Data>5bf538f3</Data>
    <Data>php7ts.dll</Data>
    <Data>7.3.15.0</Data>
    <Data>5e4bea74</Data>
    <Data>c00000fd</Data>
    <Data>0000000000011f92</Data>
    <Data>44f1c</Data>
    <Data>01d5ebe4613b26c1</Data>
    <Data>D:\wamp64\bin\apache\apache2.4.37\bin\httpd.exe</Data>
    <Data>D:\wamp64\bin\apache\apache2.4.37\bin\php7ts.dll</Data>
    <Data>caca7d2d-d7d9-4478-a028-6429e916ab68</Data>
    <Data />
    <Data />
  </EventData>
</Event>


Test script:
---------------
<?php
// test1.php
$a =
'123456789012345678901234567890' .
'123456789012345678901234567890' .
'123456789012345678901234567890' .
'123456789012345678901234567890';
// ... 2000 lines in total, crash
var_dump($a);

//////////////////////////////////////////////////
<?php
// test2.php
$a =
'123456789012345678901234567890' .
'123456789012345678901234567890' .
'123456789012345678901234567890' .
'123456789012345678901234567890';
// ... 1000 lines in total, ok

$b =
'123456789012345678901234567890' .
'123456789012345678901234567890' .
'123456789012345678901234567890' .
'123456789012345678901234567890';
// ... 1000 lines in total, ok

$c = $a + $b;
var_dump($c);
// everything is fine

//////////////////////////////////////////////////
// The same thing happens even if the length of each single string is reduced to '123'.


 [2020-02-25 17:29 UTC] cmb@php.net
-Status: Open
+Status: Feedback
-Assigned To:
+Assigned To: cmb
 [2020-02-25 17:29 UTC] cmb@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.
 [2020-02-25 20:30 UTC] nikic@php.net
Just going by the description, I'd assume this is a stack overflow in the compiler due to a very deeply nested AST.

Could be addressed by converting concat into a list node with some special handling, not sure if that's worth the bother.
 [2020-02-26 03:25 UTC] idzjy at live dot cn
-Status: Feedback
+Status: Assigned
 [2020-02-26 03:25 UTC] idzjy at live dot cn
Thread 4 - System ID 291428

Entry point   libhttpd!ap_run_generate_log_id+3b10 
Create time   2020-02-26 10:36:00 
Time spent in user mode   0 Days 00:00:00.000 
Time spent in kernel mode   0 Days 00:00:00.000 

This thread is not fully resolved and may or may not be a problem. Further analysis of these threads may be required.

php7ts!zend_compile_binary_op+c [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 7128 + c]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 7128 + c
php7ts!zend_compile_binary_op+3f [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 7135]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 7135
// 1143 same lines here
php7ts!zend_compile_binary_op+3f [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 7135]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 7135
php7ts!zend_compile_assign+1ea [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 2985]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 2985
php7ts!zend_compile_stmt+178 [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 8318]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 8318
php7ts!zend_compile_top_stmt+23 [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 8205]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 8205
php7ts!zend_compile_top_stmt+a5 [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 8198 + c]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 8198 + c
php7ts!zend_compile+168 [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_language_scanner.l @ 604]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_language_scanner.l @ 604
php7ts!compile_file+3c [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_language_scanner.l @ 637 + 8]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_language_scanner.l @ 637 + 8
php7ts!phar_compile_file+33c [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\ext\phar\phar.c @ 3348 + 1d]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\ext\phar\phar.c @ 3348 + 1d
php_xdebug_2_8_0_7_3_vc15_x86_64+5bbc
php7ts!zend_execute_scripts+88 [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend.c @ 1563]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend.c @ 1563
php7ts!php_execute_script+261 [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\main\main.c @ 2641]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\main\main.c @ 2641
php7apache2_4!php_handler+591 [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\sapi\apache2handler\sapi_apache2.c @ 700]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\sapi\apache2handler\sapi_apache2.c @ 700
libhttpd!ap_run_handler+35
libhttpd!ap_invoke_handler+10f
libhttpd!ap_internal_redirect_handler+29a
libhttpd!ap_process_request+f
libhttpd!ap_byterange_filter+1581
libhttpd!ap_run_process_connection+35
libhttpd!ap_process_connection+45
libhttpd!ap_run_generate_log_id+3da0
kernel32!BaseThreadInitThunk+14
ntdll!RtlUserThreadStart+21
 [2020-02-26 07:56 UTC] cmb@php.net
-Status: Assigned
+Status: Open
-Assigned To: cmb
+Assigned To:
 [2020-02-26 07:56 UTC] cmb@php.net
Thanks for the backtrace!  So @nikic was spot-on.
 [2020-06-18 15:03 UTC] cmb@php.net
-Operating System: Windows 10
+Operating System: *
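
Added example (not part of the bug thread and not PHP's own code): a toy C model of the diagnosis given in the comments above. It shows that a chain of N concatenations parses into a left-deep binary tree that a recursive compiler descends N levels into, which is why splitting the 2000-term expression into two 1000-term ones halves the depth, while list-style handling walks the same chain in a loop. The `Node` type and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy AST (hypothetical, not the Zend structures): a leaf or a binary concat. */
typedef struct Node { struct Node *left, *right; } Node;

static Node *new_node(Node *l, Node *r) {
    Node *n = malloc(sizeof *n);
    if (!n) abort();
    n->left = l; n->right = r;
    return n;
}

/* 'a' . 'b' . 'c' groups as (('a' . 'b') . 'c'): every extra term adds a level. */
Node *build_concat_chain(int terms) {
    Node *root = new_node(NULL, NULL);
    for (int i = 1; i < terms; i++)
        root = new_node(root, new_node(NULL, NULL));
    return root;
}

/* Recursive walk in the style of a binary-op compiler; returns call depth reached. */
int recursive_depth(const Node *n) {
    if (!n->left) return 1;
    int l = recursive_depth(n->left), r = recursive_depth(n->right);
    return 1 + (l > r ? l : r);
}

/* List-style handling: follow the left spine in a loop (constant stack use).
   Returns the operand count; assumes right operands are leaves (a pure chain). */
int count_operands_iterative(const Node *n) {
    int count = 1;
    for (; n->left; n = n->left) count++;
    return count;
}

/* Frees a pure chain without recursion. */
void free_chain(Node *n) {
    while (n) { Node *next = n->left; free(n->right); free(n); n = next; }
}

int main(void) {
    int sizes[] = {1000, 2000};   /* constructed sizes matching the test scripts */
    for (int i = 0; i < 2; i++) {
        Node *t = build_concat_chain(sizes[i]);
        printf("%d terms: recursive depth %d, operands %d\n", sizes[i],
               recursive_depth(t), count_operands_iterative(t));
        free_chain(t);
    }
    return 0;
}
```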