PHP :: Bug #73521 :: date('O') cause coredump

Bug #73521

date('O') cause coredump

Submitted:

2016-11-15 06:10 UTC

Modified:

2016-12-11 04:22 UTC

Votes:	3
Avg. Score:	5.0 ± 0.0
Reproduced:	3 of 3 (100.0%)
Same Version:	3 (100.0%)
Same OS:	2 (66.7%)

From:

804368954 at qq dot com

Assigned:

Status:

No Feedback

Package:

Date/time related

PHP Version:

7.0Git-2016-11-15 (Git)

OS:

CentOS Linux release 6.2 (Final)

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	804368954 at qq dot com
New email:
PHP Version:		OS:

New Comment:

[2016-11-15 06:10 UTC] 804368954 at qq dot com

Description:
------------
service environment：
PHP: PHP 7.0.6 (fpm-fcgi) (built: Aug 19 2016 19:19:41)
System: CentOS Linux release 6.2 (Final)

sometimes coredump like "/core.php-fpm.2114.1475062344",but not offten.

Because in production env, so the gdb result not debug:

Core was generated by `php-fpm: pool www                                                             '.
Program terminated with signal 11, Segmentation fault.
#0  zend_mm_alloc_small (size=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c:1295
1295    /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c: No such file or directory.
        in /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c
Missing separate debuginfos, use: debuginfo-install php7-7.0.6-20160819192101.x86_64
(gdb) bt
#0  zend_mm_alloc_small (size=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c:1295
#1  zend_mm_alloc_heap (size=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c:1366
#2  _emalloc (size=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c:2450
#3  0x00000000008415d1 in zend_string_alloc (str=0x7fff99d6fd20, len=<value optimized out>) at Zend/zend_string.h:121
#4  smart_str_erealloc (str=0x7fff99d6fd20, len=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_smart_str.c:41
#5  0x000000000043ed89 in smart_str_alloc (format=0x7f4eba8e7968 "O", format_len=1, t=0x7f4eca459afe, localtime=1)
    at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_smart_str.h:61
#6  smart_str_appendl_ex (format=0x7f4eba8e7968 "O", format_len=1, t=0x7f4eca459afe, localtime=1) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_smart_str.h:89
#7  date_format (format=0x7f4eba8e7968 "O", format_len=1, t=0x7f4eca459afe, localtime=1) at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/date/php_date.c:1218
#8  0x0000000000442032 in php_format_date (format=0x7f4eba8e7968 "O", format_len=1, ts=1479163515, localtime=1)
    at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/date/php_date.c:1265
#9  0x000000000044276e in php_date (execute_data=0x7f4eca4155a0, return_value=0x7f4eca4154b0, localtime=1) at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/date/php_date.c:1243
#10 0x00000000008675f3 in ZEND_DO_ICALL_SPEC_HANDLER (execute_data=0x7f4eca415320) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:586
#11 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
#12 0x000000000087961a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f4eca415290) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:800
#13 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
#14 0x000000000087961a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f4eca415130) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:800
#15 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
#16 0x000000000087961a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f4eca415030) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:800
#17 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
#18 0x00000000007f5348 in zend_call_function (fci=0x7fff99d700d0, fci_cache=0x7fff99d70050) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_execute_API.c:866
#19 0x00000000007f58da in call_user_function_ex (function_table=<value optimized out>, object=<value optimized out>, function_name=<value optimized out>, retval_ptr=<value optimized out>, 
    param_count=<value optimized out>, params=<value optimized out>, no_separation=1, symbol_table=0x0) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_execute_API.c:685
#20 0x00000000007f58f9 in call_user_function (function_table=<value optimized out>, object=<value optimized out>, function_name=<value optimized out>, retval_ptr=<value optimized out>, 
    param_count=<value optimized out>, params=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_execute_API.c:667
#21 0x0000000000709bb7 in user_shutdown_function_call (zv=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/standard/basic_functions.c:4923
#22 0x000000000080f573 in zend_hash_apply (ht=0x7f4eca466498, apply_func=0x709af0 <user_shutdown_function_call>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_hash.c:1534
#23 0x0000000000709ae6 in php_call_shutdown_functions () at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/standard/basic_functions.c:5007
#24 0x00000000007a57b5 in php_request_shutdown (dummy=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/main/main.c:1775
#25 0x00000000008a290b in main (argc=<value optimized out>, argv=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/sapi/fpm/fpm/fpm_main.c:1996
(gdb) bt full
#0  zend_mm_alloc_small (size=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c:1295
        p = 0x7f4eca459c00003d
#1  zend_mm_alloc_heap (size=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c:1366
        ptr = <value optimized out>
#2  _emalloc (size=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_alloc.c:2450
No locals.
#3  0x00000000008415d1 in zend_string_alloc (str=0x7fff99d6fd20, len=<value optimized out>) at Zend/zend_string.h:121
        ret = <value optimized out>
#4  smart_str_erealloc (str=0x7fff99d6fd20, len=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_smart_str.c:41
No locals.
#5  0x000000000043ed89 in smart_str_alloc (format=0x7f4eba8e7968 "O", format_len=1, t=0x7f4eca459afe, localtime=1)
    at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_smart_str.h:61
No locals.
#6  smart_str_appendl_ex (format=0x7f4eba8e7968 "O", format_len=1, t=0x7f4eca459afe, localtime=1) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_smart_str.h:89
        new_len = <value optimized out>
#7  date_format (format=0x7f4eba8e7968 "O", format_len=1, t=0x7f4eca459afe, localtime=1) at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/date/php_date.c:1218
        string = {s = 0x0, a = 231}
        i = 0
        length = 5
        buffer = "+0800\000\000\000@\223\025\001\000\000\000\000\060PA\312N\177\000\000z?\000\000\000\000\000 \000\000\000\060\000\000\000\260\375?\377\177\000\000\360\374?\377\177\000\000\376\232E\312N\177\000\000p\020@\312N\177\000\000\323\024~\000\000\000\000\000\376\232E\312N\177\000\000p\020@\312N\177\000\000\003"
        offset = <value optimized out>
        rfc_colon = <value optimized out>
        weekYearSet = 0
#8  0x0000000000442032 in php_format_date (format=0x7f4eba8e7968 "O", format_len=1, ts=1479163515, localtime=1)
    at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/date/php_date.c:1265
        t = 0x7f4eca459afe
        tzi = <value optimized out>
        string = <value optimized out>
#9  0x000000000044276e in php_date (execute_data=0x7f4eca4155a0, return_value=0x7f4eca4154b0, localtime=1) at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/date/php_date.c:1243
        __z = 0x7f4eca4154b0
        __s = <value optimized out>
        format = 0x7f4eba8e7968 "O"
        format_len = 1
        ts = 1479163515
#10 0x00000000008675f3 in ZEND_DO_ICALL_SPEC_HANDLER (execute_data=0x7f4eca415320) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:586
        opline = 0x7f4ebb228be8
        call = 0x7f4eca4155a0
        fbc = <value optimized out>
        ret = <value optimized out>
#11 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
---Type <return> to continue, or q <return> to quit---
        ret = <value optimized out>
        execute_data = 0x7f4eca415320
#12 0x000000000087961a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f4eca415290) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:800
        opline = 0x7f4ebb22a128
        call = 0x7f4eca415320
        fbc = 0x7f4eca40d308
        object = <value optimized out>
        ret = <value optimized out>
#13 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
        ret = <value optimized out>
        execute_data = 0x7f4eca415290
#14 0x000000000087961a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f4eca415130) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:800
        opline = 0x7f4ebb2111a8
        call = 0x7f4eca415290
        fbc = 0x7f4eca40d648
        object = <value optimized out>
        ret = <value optimized out>
#15 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
        ret = <value optimized out>
        execute_data = 0x7f4eca415130
#16 0x000000000087961a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f4eca415030) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:800
        opline = 0x7f4ebb20e3e0
        call = 0x7f4eca415130
        fbc = 0x7f4eca49e600
        object = <value optimized out>
        ret = <value optimized out>
#17 0x0000000000841ae0 in execute_ex (ex=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_vm_execute.h:417
        ret = <value optimized out>
        execute_data = 0x7f4eca415030
#18 0x00000000007f5348 in zend_call_function (fci=0x7fff99d700d0, fci_cache=0x7fff99d70050) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_execute_API.c:866
        call_via_handler = 0
        i = <value optimized out>
        calling_scope = <value optimized out>
        call = 0x7f4eca415030
        dummy_execute_data = {opline = 0x0, call = 0x0, return_value = 0x0, func = 0x0, This = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, 
              ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', 
                reserved = 0 '\000'}, type_info = 0}, u2 = {var_flags = 0, next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0}}, called_scope = 0x0, 
          prev_execute_data = 0x0, symbol_table = 0x0, run_time_cache = 0x0, literals = 0x0}
        fci_cache_local = {initialized = 1 '\001', function_handler = 0x7f4eca49ea10, calling_scope = 0x0, called_scope = 0x0, object = 0x0}
        func = 0x7f4eca49ea10
        orig_scope = 0x0
---Type <return> to continue, or q <return> to quit---
#19 0x00000000007f58da in call_user_function_ex (function_table=<value optimized out>, object=<value optimized out>, function_name=<value optimized out>, retval_ptr=<value optimized out>, 
    param_count=<value optimized out>, params=<value optimized out>, no_separation=1, symbol_table=0x0) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_execute_API.c:685
        fci = {size = 72, function_table = 0x245b4e0, function_name = {value = {lval = 139976114599224, dval = 6.9157389461813945e-310, counted = 0x7f4eba967538, str = 0x7f4eba967538, 
              arr = 0x7f4eba967538, obj = 0x7f4eba967538, res = 0x7f4eba967538, ref = 0x7f4eba967538, ast = 0x7f4eba967538, zv = 0x7f4eba967538, ptr = 0x7f4eba967538, ce = 0x7f4eba967538, 
              func = 0x7f4eba967538, ww = {w1 = 3130422584, w2 = 32590}}, u1 = {v = {type = 6 '\006', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 6}, 
            u2 = {var_flags = 32590, next = 32590, cache_slot = 32590, lineno = 32590, num_args = 32590, fe_pos = 32590, fe_iter_idx = 32590}}, symbol_table = 0x0, 
          retval = 0x7fff99d70150, params = 0x7f4eca46c120, object = 0x0, no_separation = 1 '\001', param_count = 0}
#20 0x00000000007f58f9 in call_user_function (function_table=<value optimized out>, object=<value optimized out>, function_name=<value optimized out>, retval_ptr=<value optimized out>, 
    param_count=<value optimized out>, params=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_execute_API.c:667
No locals.
#21 0x0000000000709bb7 in user_shutdown_function_call (zv=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/standard/basic_functions.c:4923
        shutdown_function_entry = 0x7f4eca46c120
        retval = {value = {lval = 18192736, dval = 8.9884058614592963e-317, counted = 0x1159960, str = 0x1159960, arr = 0x1159960, obj = 0x1159960, res = 0x1159960, ref = 0x1159960, 
            ast = 0x1159960, zv = 0x1159960, ptr = 0x1159960, ce = 0x1159960, func = 0x1159960, ww = {w1 = 18192736, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', 
              const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {var_flags = 0, next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0}}
        function_name = 0x7f4eba967538
#22 0x000000000080f573 in zend_hash_apply (ht=0x7f4eca466498, apply_func=0x709af0 <user_shutdown_function_call>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/Zend/zend_hash.c:1534
        idx = <value optimized out>
        p = 0x7f4eca45c928
        result = <value optimized out>
#23 0x0000000000709ae6 in php_call_shutdown_functions () at /data/jenkins/jobs/php7/workspace/php-7.0.6/ext/standard/basic_functions.c:5007
        __orig_bailout = 0x7fff99d702f0
        __bailout = {{__jmpbuf = {18191168, 4168535194149327155, 41067202, 0, 0, 139976377376768, -4168454012177477325, 4168537093102637363}, __mask_was_saved = 0, __saved_mask = {
              __val = {0, 0, 0, 0, 0, 0, 0, 65536, 150323855361, 0, 0, 0, 0, 18189464, 18189152, 41067202}}}}
#24 0x00000000007a57b5 in php_request_shutdown (dummy=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/main/main.c:1775
        __orig_bailout = 0x7fff99d70610
        __bailout = {{__jmpbuf = {18191168, 4168535194149327155, 41067202, 0, 0, 139976377376768, -4168454012208934605, 4168537150679552307}, __mask_was_saved = 0, __saved_mask = {
              __val = {0, 140735774393168, 140735774976567, 140735774393216, 139976463416902, 140735774393280, 41068236, 41067202, 9023407, 2097152, 41068236, 41067202, 1479163515, 408, 
                18189824, 41068236}}}}
        report_memleaks = 1 '\001'
#25 0x00000000008a290b in main (argc=<value optimized out>, argv=<value optimized out>) at /data/jenkins/jobs/php7/workspace/php-7.0.6/sapi/fpm/fpm/fpm_main.c:1996
        primary_script = <value optimized out>
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, -4168454011912187597, 7, 70, 18166784, 0, -4168454012238294733, 4168538384012153139}, __mask_was_saved = 0, __saved_mask = {__val = {139976470078262, 
                139976471083240, 140735774394128, 139976439517314, 140735774394128, 39, 139976471086832, 4131212846, 139976470080642, 139976439519287, 64550200, 140733193388078, 
                139976425716308, 0, 140735774394512, 139976425716808}}}}
        exit_status = 0
        c = <value optimized out>
        use_extended_info = 0
        file_handle = {handle = {fd = -1713960736, fp = 0x7fff99d708e0, stream = {handle = 0x7fff99d708e0, isatty = -1713960696, mmap = {len = 139976472273288, pos = 139976471087216, 
                map = 0xf63d4e2e, buf = 0x7f4ecfc6af0a "\205\300~\232H\213E\260H\205\300\017\204-\003", old_handle = 0x0, old_closer = 0x7f4ecfd60870}, reader = 0x1, fsizer = 0, 
---Type <return> to continue, or q <return> to quit---
              closer = 0x1}}, filename = 0x7f4eca404000 "\004", opened_path = 0x0, type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = <value optimized out>
        max_requests = 10000
        requests = 293
        fcgi_fd = 18189824
        request = 0x272f170
        fpm_config = 0x7fff99d72c2c ""
        fpm_prefix = 0x7fff99d72c52 ""
        fpm_pid = 0x0
        test_conf = 0
        force_daemon = -1
        force_stderr = 0
        php_information = 0
        php_allow_to_run_as_root = 0
        __func__ = "main"


In the gdb bt full result we can see #7  date_format (format=0x7f4eba8e7968 "O", so we check our code find the "register_shutdown_function" include date("O"), so I think this is the reason。

thanks

Test script:
---------------
date("O")

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-11-30 02:27 UTC] bwoebi@php.net

-Status: Open +Status: Feedback

[2016-11-30 02:27 UTC] bwoebi@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

The date("O") call only triggers the SEGV (due to previously corrupted memory), the real issue is before.

Can you please include a full reproduce script actually giving a SEGV?

[2016-12-11 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 16 09:01:28 2024 UTC