Bug #74789 Built in webserver crashes on successive requests
Submitted: 2017-06-21 07:12 UTC Modified: 2017-07-02 04:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: kmq at omfa dot de Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: master-Git-2017-06-21 (Git) OS: Linux 4.10.13-1-ARCH
Private report: No CVE-ID: None
 [2017-06-21 07:12 UTC] kmq at omfa dot de
Description:
------------
Running a PHP application under the PHP development webserver (command line php -S 0.0.0.0:8080) causes a segfault under 7.1.6 and under master as of d561aa7cb1567657a34b8dbae75619f816b07352.

The problem occurs when multiple requests are initiated by a website in quick succession. I managed to reliably reproduce it like this by taking the actual requests from the Firefox development tools.


curl 'http://localhost:8080/async/makeuri?title=&contenttypeslug=pages&id=&slugfield=slug&fulluri=false' -H 'Host: localhost:8080' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: http://localhost:8080/bolt/editcontent/pages' -H 'Cookie: bolt_session_9f5ffc7a10e0bad054458b089947ce2f=caP6kZWmjLhfcct99TqvrgPXowTol9xx; bolt_authtoken_9f5ffc7a10e0bad054458b089947ce2f=85a633128932322e569a7d843d68c117' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' & curl 'http://localhost:8080/app/view/js/ckeditor/config.js?t=G14E' -H 'Host: localhost:8080' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://localhost:8080/bolt/editcontent/pages' -H 'Cookie: bolt_session_9f5ffc7a10e0bad054458b089947ce2f=caP6kZWmjLhfcct99TqvrgPXowTol9xx; bolt_authtoken_9f5ffc7a10e0bad054458b089947ce2f=85a633128932322e569a7d843d68c117' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0'


Note that this is two requests running almost simultaneously. The second request to "/app/view/js/ckeditor/config.js", which is a file that exists in the filesystem, is the one that causes the crash.
If it's run without the preceding dynamic request it completes correctly.

I ran under a debugger and it seems that the first call to

> 517       idx = Z_NEXT(p->val);

sets idx to a value around 32767 which is much larger than the ht->nTableSize of 8 that the assertion 

> 509         ZEND_ASSERT(idx < HT_IDX_TO_HASH(ht->nTableSize));

is checking.



Test script:
---------------
There is no test script. The crash occurs when serving a JavaScript file from the filesystem.

Expected result:
----------------
The PHP development webserver should serve a JavaScript file from the filesystem.

Actual result:
--------------

#0  0x00007fb2a691b670 in raise () from /usr/lib/libc.so.6
#1  0x00007fb2a691cd00 in abort () from /usr/lib/libc.so.6
#2  0x00007fb2a691445a in __assert_fail_base () from /usr/lib/libc.so.6
#3  0x00007fb2a69144d2 in __assert_fail () from /usr/lib/libc.so.6
#4  0x00000000008e0fe7 in zend_hash_str_find_bucket (ht=0x7fb2a46c00c0, str=0x1f0a0a8 "UTC", len=3, h=9223372037048248209) at /home/kmq/php-src/Zend/zend_hash.c:509
#5  0x00000000008e5948 in zend_hash_str_find (ht=0x7fb2a46c00c0, str=0x1f0a0a8 "UTC", len=3) at /home/kmq/php-src/Zend/zend_hash.c:1970
#6  0x0000000000423afb in zend_hash_str_find_ptr (ht=0x7fb2a46c00c0, str=0x1f0a0a8 "UTC", len=3) at /home/kmq/php-src/Zend/zend_hash.h:753
#7  0x0000000000424745 in php_date_parse_tzfile (formal_tzname=0x1f0a0a8 "UTC", tzdb=0x126f6e0 <timezonedb_builtin>) at /home/kmq/php-src/ext/date/php_date.c:943
#8  0x0000000000424a47 in get_timezone_info () at /home/php-src/ext/date/php_date.c:1022
#9  0x00000000004264f6 in php_format_date (format=0xfdd325 "r", format_len=1, ts=1498025076, localtime=1) at /home/kmq/php-src/ext/date/php_date.c:1277
#10 0x00000000009b9b54 in append_essential_headers (buffer=0x7ffddc4dc0d0, client=0x2017230, persistent=1) at /home/kmq/php-src/sapi/cli/php_cli_server.c:356
#11 0x00000000009bdbb2 in php_cli_server_begin_send_static (server=0x131e9e0 <server>, client=0x2017230) at /home/kmq/php-src/sapi/cli/php_cli_server.c:1980
#12 0x00000000009be269 in php_cli_server_dispatch (server=0x131e9e0 <server>, client=0x2017230) at /home/kmq/php-src/sapi/cli/php_cli_server.c:2121
#13 0x00000000009bea02 in php_cli_server_recv_event_read_request (server=0x131e9e0 <server>, client=0x2017230) at /home/kmq/php-src/sapi/cli/php_cli_server.c:2316
#14 0x00000000009bed78 in php_cli_server_do_event_for_each_fd_callback (_params=0x7ffddc4dc230, fd=4, event=1) at /home/kmq/php-src/sapi/cli/php_cli_server.c:2399
#15 0x00000000009bb01e in php_cli_server_poller_iter_on_active (poller=0x131e9e8 <server+8>, opaque=0x7ffddc4dc230, callback=0x9beb5a <php_cli_server_do_event_for_each_fd_callback>)
    at /home/kmq/php-src/sapi/cli/php_cli_server.c:843
#16 0x00000000009bedeb in php_cli_server_do_event_for_each_fd (server=0x131e9e0 <server>, rhandler=0x9be8c6 <php_cli_server_recv_event_read_request>, whandler=0x9bea29 <php_cli_server_send_event>)
    at /home/kmq/php-src/sapi/cli/php_cli_server.c:2417
#17 0x00000000009bee50 in php_cli_server_do_event_loop (server=0x131e9e0 <server>) at /home/kmq/php-src/sapi/cli/php_cli_server.c:2427
#18 0x00000000009bf195 in do_cli_server (argc=5, argv=0x1eeab50) at /home/kmq/php-src/sapi/cli/php_cli_server.c:2529
#19 0x00000000009b5e96 in main (argc=5, argv=0x1eeab50) at /home/kmq/php-src/sapi/cli/php_cli.c:1398
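
The report above describes a collision-chain walk in which the next index (around 32767) exceeds the table size (8). As an added illustration, not code from php-src or from the reporter, this simplified model shows a lookup that validates each chain index and reports corruption instead of reading out of bounds. All names, the toy hash and the sample keys are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

#define INVALID_IDX UINT32_MAX  /* end-of-chain marker, stand-in for HT_INVALID_IDX */
#define TABLE_SIZE  8u          /* same table size as in the report */

typedef struct { const char *key; int value; uint32_t next; } bucket;
typedef struct { uint32_t heads[TABLE_SIZE]; bucket slots[TABLE_SIZE]; uint32_t used; } table;
enum { FOUND = 0, NOT_FOUND = 1, CORRUPT = 2 };

/* Toy hash (first byte only) so that "UTC" and "UCT" share one chain. */
static uint32_t slot_of(const char *key) { return (unsigned char)key[0] % TABLE_SIZE; }

static void table_init(table *t) {
    memset(t, 0, sizeof *t);
    for (uint32_t i = 0; i < TABLE_SIZE; i++) t->heads[i] = INVALID_IDX;
}

static int table_add(table *t, const char *key, int value) {
    if (t->used == TABLE_SIZE) return -1;
    uint32_t s = slot_of(key), idx = t->used++;
    t->slots[idx] = (bucket){ key, value, t->heads[s] };  /* link to old chain head */
    t->heads[s] = idx;
    return 0;
}

/* Walk the collision chain, validating every index before it is dereferenced. */
static int table_find(const table *t, const char *key, int *out) {
    uint32_t idx = t->heads[slot_of(key)];
    for (uint32_t steps = 0; idx != INVALID_IDX; steps++) {
        if (idx >= t->used || steps >= t->used) return CORRUPT;  /* wild index or cycle */
        const bucket *p = &t->slots[idx];
        if (strcmp(p->key, key) == 0) { *out = p->value; return FOUND; }
        idx = p->next;  /* the step that yielded ~32767 in the report */
    }
    return NOT_FOUND;
}

/* Constructed scenario: optionally overwrite one chain link, then look up key. */
int demo_lookup(const char *key, int corrupt, uint32_t bad_next) {
    table t; int v = 0;
    table_init(&t);
    table_add(&t, "UTC", 1);   /* slot index 0 */
    table_add(&t, "UCT", 2);   /* slot index 1, next -> 0 */
    if (corrupt) t.slots[1].next = bad_next;  /* simulated memory corruption */
    return table_find(&t, key, &v);
}
```

In this model `demo_lookup("UTC", 1, 32767)` returns `CORRUPT` at the point where the debug build in the report trips `ZEND_ASSERT`; a build without such a check would index past the bucket array.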

 [2017-06-21 09:46 UTC] danack@php.net
Please could you list which modules you have enabled from `php -m`
 [2017-06-21 09:53 UTC] kmq at omfa dot de
sure:

$ php-src/sapi/cli/php -m
[PHP Modules]
Core
ctype
date
dom
fileinfo
filter
hash
iconv
json
libxml
pcre
PDO
pdo_sqlite
Phar
posix
Reflection
session
SimpleXML
SPL
sqlite3
standard
tokenizer
xml
xmlreader
xmlwriter

[Zend Modules]
 [2017-06-21 10:49 UTC] danack@php.net
Please could you describe what the first request is doing? i.e. the URL '/async/makeuri?title=&contenttypeslug=pages&id=&slugfield=slug&fulluri=false' 

From the extensions loaded I'm guessing it's not doing anything threaded, but it would be good to make sure.

If I had to make a guess as to what is happening, it looks like PHP somehow is running both requests at once - but the built in server isn't designed to do that as it is single threaded, and so it is exploding.

btw I can't reproduce your issue. It'd also be good to test if you still see the issue replacing whatever the first url is doing with:

<?php

echo "OK";

?>
 [2017-06-22 14:21 UTC] danack@php.net
-Status: Open +Status: Feedback
 [2017-06-22 14:22 UTC] danack@php.net
Setting to feedback as I'm not sure anyone could investigate this without a bit more info.
 [2017-07-02 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 