php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #48752 SIGSEGV during date parsing with new timelib
Submitted: 2009-07-01 10:52 UTC Modified: 2009-12-07 19:54 UTC
From: thetaphi@php.net Assigned: pajoye
Status: Closed Package: Date/time related
PHP Version: 5.3 OS: * (ZTS build only!)
Private report: No CVE-ID:
 [2009-07-01 10:52 UTC] thetaphi@php.net
Description:
------------
I found a second problem with our PHP installation. Sometimes, not everytime, the server crashes with sigsegv when parsing date/times. I cannot reproduce the crash, I only can post the code that most times crash.

Reproduce code:
---------------
This code crashes not always, but often. The $mindate initially contains as noted in the core dump: 1998-01-01

This is enetered by a user any may look different. The code is used to fomat any input from the users to an ATOM timestamp.

$mindate=new DateTime($mindate,new DateTimeZone('UTC'));
$search->dateTimeCoverage->min=$mindate->format(DateTime::ATOM);


Expected result:
----------------
The server should not crash.

Actual result:
--------------
Core was generated by `webservd -d /pangaea/webserver70/https-panwebserver/config -r /pangaea/webserve'.
Program terminated with signal 11, Segmentation fault.
#0  0xfc2b5a44 in timelib_error_container_dtor (errors=0x6d) at /pangaea/install/php-5.3.0/ext/date/lib/timelib.c:153
153             for (i = 0; i < errors->warning_count; i++) {

(gdb) where
#0  0xfc2b5a44 in timelib_error_container_dtor (errors=0x6d) at /pangaea/install/php-5.3.0/ext/date/lib/timelib.c:153
#1  0xfc29636d in date_initialize (dateobj=0xa963cd0, time_str=0xa9620a0 "1998-01-01", time_str_len=179481560, 
    format=0xfca4e4e8 "\v", timezone_object=0xa963bb8, ctor=1, tsrm_ls=0xaa57068)
    at /pangaea/install/php-5.3.0/ext/date/php_date.c:2339
#2  0xfc296728 in zim_DateTime___construct (ht=2, return_value=0xa963d28, return_value_ptr=0x0, this_ptr=0xa963b6c, 
    return_value_used=0, tsrm_ls=0xaa57068) at /pangaea/install/php-5.3.0/ext/date/php_date.c:2479
#3  0xfc56ce5d in zend_do_fcall_common_helper_SPEC (execute_data=0xa9694a0, tsrm_ls=0xaa57068)
    at /pangaea/install/php-5.3.0/Zend/zend_vm_execute.h:313
#4  0xfc56bce2 in execute (op_array=0xa950570, tsrm_ls=0xaa57068) at /pangaea/install/php-5.3.0/Zend/zend_vm_execute.h:104
#5  0xfc54a103 in zend_execute_scripts (type=8, tsrm_ls=0xaa57068, retval=0x0, file_count=3)
    at /pangaea/install/php-5.3.0/Zend/zend.c:1188
#6  0xfc4f5562 in php_execute_script (primary_file=0xeabe7cb8, tsrm_ls=0xaa57068) at /pangaea/install/php-5.3.0/main/main.c:2196
#7  0xfc5d5916 in php5_execute (pb=0xa818228, sn=0x9e761dc, rq=0x9e76254) at /pangaea/install/php-5.3.0/sapi/nsapi/nsapi.c:1040
#8  0xfecfb147 in func_exec_str () from /pangaea/webserver70/lib/libns-httpd40.so
#9  0xfecfbd2a in INTfunc_exec_directive () from /pangaea/webserver70/lib/libns-httpd40.so
#10 0xfed009d6 in INTservact_service () from /pangaea/webserver70/lib/libns-httpd40.so
#11 0xfed01a39 in INTservact_handle_processed () from /pangaea/webserver70/lib/libns-httpd40.so
#12 0xfed5e358 in __1cLHttpRequestUUnacceleratedRespond6M_v_ () from /pangaea/webserver70/lib/libns-httpd40.so
#13 0xfed5d5ba in __1cLHttpRequestNHandleRequest6MpnGnetbuf_I_i_ () from /pangaea/webserver70/lib/libns-httpd40.so
#14 0xfed5be90 in __1cNDaemonSessionDrun6M_v_ () from /pangaea/webserver70/lib/libns-httpd40.so
#15 0xfeb861fc in ThreadMain () from /pangaea/webserver70/lib/libnsprwrap.so
#16 0xfe0bb6c9 in _pt_root () from /pangaea/webserver70/lib/libnspr4.so
#17 0xfd37fd36 in _thr_setup () from /lib/libc.so.1
#18 0xfd380020 in L3_doit () from /lib/libc.so.1
#19 0xfb321400 in ?? ()
#20 0x00000000 in ?? ()


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-07-01 11:29 UTC] derick@php.net
Is this a threaded SAPI? (I think I see what the problem is, just need a confirmation).
 [2009-07-01 11:39 UTC] thetaphi@php.net
Yes it is threaded! (Sun Java System Webserver using NSAPI as SAPI module is a one-process webserver with pthreads).

In 5.2.x we never had such problems, the PHP userland code did not change.
 [2009-07-01 11:48 UTC] thetaphi@php.net
By the way, this seems to be the only problem left for our PHP 5.3 tests in production :). The server "only" crashes and is restarted by watchdog once per 15 minutes and always with exactly that crashdump only with the parameter time_str_len slighly different and of course other date string values.

Thanks Derick for looking after this!
Uwe
 [2009-10-24 20:08 UTC] Brian dot White at foxfire74 dot com
Is anyone looking into this.  This also happens in the 5.3.0 Windows build, and, oftentimes, happens a LOT more than 15 minutes.  The PHP date_create() function calls timelib_error_container_dtor() which crashes Apache frequently but not on every execution.

Reproduce code:
---------------
<?php
function wp_timezone_override_offset() {
	$timezone_string = 'America/New_York';

	@date_default_timezone_set( $timezone_string );
	$timezone_object = timezone_open( $timezone_string );
	$datetime_object = date_create();
	if ( false === $timezone_object || false === $datetime_object ) {
		return false;
	}
	return round( timezone_offset_get( $timezone_object, $datetime_object ) / 3600, 2 );
}

$gmt_offset = wp_timezone_override_offset();

echo "$gmt_offset\n";
?>

Expected result:
----------------
-4

Actual result: (When it crashes)
--------------
Thread 75 - System ID 2180
Entry point   msvcr90!_endthreadex+6f 
Create time   10/24/2009 3:18:56 AM 
Time spent in user mode   0 Days 0:0:0.991 
Time spent in kernel mode   0 Days 0:0:0.140 

Function     Arg 1     Arg 2     Arg 3   Source 
php5ts!timelib_error_container_dtor+9     00000044     1118e380     0f10aed8   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\ext\date\lib\timelib.c @ 153 + 6 
php5ts!date_object_period_get_iterator+835     0f1718e0     00000000     00000000   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\ext\date\php_date.c @ 2364 + 1f 
php5ts!zif_date_create+9a     00000000     0f10aed8     00000000   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\ext\date\php_date.c @ 2441 + 30 
php5ts!execute+10b9     0eca318c     1118e300     1118e380   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_vm_execute.h @ 313 + 41 
php5ts!execute+57ea     0eca2894     1118e380     093ff7a8   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_vm_execute.h @ 1601 + e 
php5ts!execute+298     1137a5b0     1118e301     1118e380   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_vm_execute.h @ 104 + a 
php5ts!zend_call_function+7b0     00000000     093ff794     0eca2ca4   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_execute_api.c @ 936 + 1b 
php5ts!zif_call_user_func_array+63     00000002     0f169ca0     00000000   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\ext\standard\basic_functions.c @ 4755 + 18 
php5ts!execute+10b9     0eca2ca4     1118e300     1118e380   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_vm_execute.h @ 313 + 41 
php5ts!execute+57ea     0eca213c     1118e380     093ff920   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_vm_execute.h @ 1601 + e 
php5ts!execute+298     11474c88     1118e301     1118e380   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_vm_execute.h @ 104 + a 
php5ts!zend_call_function+7b0     00000000     093ff90c     0eca221c   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_execute_api.c @ 936 + 1b 
php5ts!zif_call_user_func_array+63     00000002     0f168cf8     00000000   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\ext\standard\basic_functions.c @ 4755 + 18 
php5ts!execute+10b9     0eca221c     1118e300     1118e380   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_vm_execute.h @ 313 + 41 
php5ts!execute+57ea     0eca1484     1118e380     093ffa98   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_vm_execute.h @ 1601 + e 
php5ts!execute+298     0f0b7f38     1118e301     1118e380   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_vm_execute.h @ 104 + a 
php5ts!zend_call_function+7b0     00000000     093ffa84     0eca1578   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_execute_api.c @ 936 + 1b 
php5ts!zif_call_user_func_array+63     00000002     0f16b940     00000000   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\ext\standard\basic_functions.c @ 4755 + 18 
php5ts!execute+10b9     0eca1578     1118e300     1118e380   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_vm_execute.h @ 313 + 41 
php5ts!execute+57ea     1118e380     093ffb9c     00000000   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_vm_execute.h @ 1601 + e 
php5ts!execute+298     0ec6dea8     1118e300     1118e380   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend_vm_execute.h @ 104 + a 
php5ts!zend_execute_scripts+fe     00000008     1118e380     00000000   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\zend\zend.c @ 1189 
php5ts!php_execute_script+231     093ffe28     1118e380     00000005   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\main\main.c @ 2196 + 12 
php5apache2_2!zm_info_apache+1744     0bfb9e00     012522a8     0bfb9e00   d:\php-sdk\snap_5_3\vc9\x86\php-5.3.0\sapi\apache2handler\sapi_apache2.c @ 648 + e 
libhttpd!ap_run_handler+25     00000000     00000000     00000000    


PHP5TS!TIMELIB_ERROR_CONTAINER_DTOR+9In httpd__PID__5760__Date__10_24_2009__Time_05_25_07AM__374__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5ts!timelib_error_container_dtor+9 in C:\PHP\php5ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x00000044 on thread 75
 [2009-10-24 20:34 UTC] thetaphi@php.net
Apache2 Windows builds are multithreaded (php5__ts__.dll) and therefore have the same problems.

The problem: Multithread bugs do not have enough priority in PHP as most people use apache on unix in prefork moder or use FastCGI :(

I would look after this, but I have no deep knowledge of the extension.
 [2009-10-24 22:52 UTC] pajoye@php.net
Simply script:
$datetime_object = date_create("d");

with the timezone set in php.ini.

The crashes occur only with an invalid date. For some reason the global last_errors is not NULL anymore (but it is set to NULL during MINIT) but freed somewhere.

By the way, I do not understand the need to store the warning in a GLOBALS (for all applications running on the same server) when we work with object. That's a design flaw as other applications using the same API at the same time may generate warnings, defeating the whole point of the warnings (if they did not crash php before). That could affect NTS server as well.




 [2009-10-24 23:36 UTC] pajoye@php.net
here is a patch: http://pastie.org/668460

It makes the last_errors request specific as well as it should be.

However the problem is not completely solved as we need a lock before the 1st operation on last_errors until we are done. It is not sufficent to lock it before calling a function or setting it a value. Other threads may affect it during two calls.

I consider this last_errors as a design mistake, but if you like to keep it this way then we will need this global lock.
 [2009-10-27 10:41 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=289981
Log: - #48752, crash during date parsing with invalid date
 [2009-10-27 10:44 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=289982
Log: - #48752
 [2009-10-27 10:45 UTC] pajoye@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2009-12-06 18:59 UTC] srinatar@php.net
the fix for this issue has been rolled back. 
http://svn.php.net/viewvc/?view=revision&revision=289991

[sriramn@sriramn]'PHP_5_2'>svn diff -r 289982:289991 ext/date/php_date.c
Index: ext/date/php_date.c
===================================================================
--- ext/date/php_date.c (revision 289982)
+++ ext/date/php_date.c (revision 289991)
@@ -371,7 +371,6 @@
        }
        DATEG(timezone) = NULL;
        DATEG(tzcache) = NULL;
-       DATEG(last_errors) = NULL;
 
        return SUCCESS;
 }
@@ -389,10 +388,6 @@
                FREE_HASHTABLE(DATEG(tzcache));
                DATEG(tzcache) = NULL;
        }
-       if (DATEG(last_errors)) {
-               timelib_error_container_dtor(DATEG(last_errors));
-               DATEG(last_errors) = NULL;
-       }
 
        return SUCCESS;
 }

accordingly, this bug has been moved to open status. 

The corresponding NEWS entry for this bug will also need to be rolled back as well. 
 [2009-12-06 22:31 UTC] derick@php.net
This has been rolled back for 5.2 only, because it doesn't have last_errors in the first place.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 18:01:55 2014 UTC