Bug #74790 Built in webserver crashes on successive requests
Submitted: 2017-06-21 07:12 UTC Modified: 2017-06-21 08:20 UTC
From: kmq at omfa dot de Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: master-Git-2017-06-21 (Git) OS: Linux 4.10.13-1-ARCH
Private report: No CVE-ID: None
 [2017-06-21 07:12 UTC] kmq at omfa dot de
Description:
------------
Running a PHP application under the PHP development webserver (command line php -S 0.0.0.0:8080) causes a segfault under 7.1.6 and under master as of d561aa7cb1567657a34b8dbae75619f816b07352.

The problem occurs when multiple requests are initiated by a website in quick succession. I managed to reliably reproduce it like this by taking the actual requests from the Firefox development tools.


curl 'http://localhost:8080/async/makeuri?title=&contenttypeslug=pages&id=&slugfield=slug&fulluri=false' -H 'Host: localhost:8080' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: http://localhost:8080/bolt/editcontent/pages' -H 'Cookie: bolt_session_9f5ffc7a10e0bad054458b089947ce2f=caP6kZWmjLhfcct99TqvrgPXowTol9xx; bolt_authtoken_9f5ffc7a10e0bad054458b089947ce2f=85a633128932322e569a7d843d68c117' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' &
curl 'http://localhost:8080/app/view/js/ckeditor/config.js?t=G14E' -H 'Host: localhost:8080' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://localhost:8080/bolt/editcontent/pages' -H 'Cookie: bolt_session_9f5ffc7a10e0bad054458b089947ce2f=caP6kZWmjLhfcct99TqvrgPXowTol9xx; bolt_authtoken_9f5ffc7a10e0bad054458b089947ce2f=85a633128932322e569a7d843d68c117' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0'


Note that this is two requests running almost simultaneously. The second request to "/app/view/js/ckeditor/config.js", which is a file that exists in the filesystem, is the one that causes the crash.
If it's run without the preceding dynamic request it completes correctly.

I ran under a debugger and it seems that the first call to

> 517       idx = Z_NEXT(p->val);

sets idx to a value around 32767, which is much larger than the ht->nTableSize of 8 that the assertion

> 509         ZEND_ASSERT(idx < HT_IDX_TO_HASH(ht->nTableSize));

is checking.



Test script:
---------------
There is no test script. The crash occurs when serving a JavaScript file from the filesystem.

Expected result:
----------------
The PHP development webserver should serve a JavaScript file from the filesystem.

Actual result:
--------------

#0  0x00007fb2a691b670 in raise () from /usr/lib/libc.so.6
#1  0x00007fb2a691cd00 in abort () from /usr/lib/libc.so.6
#2  0x00007fb2a691445a in __assert_fail_base () from /usr/lib/libc.so.6
#3  0x00007fb2a69144d2 in __assert_fail () from /usr/lib/libc.so.6
#4  0x00000000008e0fe7 in zend_hash_str_find_bucket (ht=0x7fb2a46c00c0, str=0x1f0a0a8 "UTC", len=3, h=9223372037048248209) at /home/kmq/php-src/Zend/zend_hash.c:509
#5  0x00000000008e5948 in zend_hash_str_find (ht=0x7fb2a46c00c0, str=0x1f0a0a8 "UTC", len=3) at /home/kmq/php-src/Zend/zend_hash.c:1970
#6  0x0000000000423afb in zend_hash_str_find_ptr (ht=0x7fb2a46c00c0, str=0x1f0a0a8 "UTC", len=3) at /home/kmq/php-src/Zend/zend_hash.h:753
#7  0x0000000000424745 in php_date_parse_tzfile (formal_tzname=0x1f0a0a8 "UTC", tzdb=0x126f6e0 <timezonedb_builtin>) at /home/kmq/php-src/ext/date/php_date.c:943
#8  0x0000000000424a47 in get_timezone_info () at /home/php-src/ext/date/php_date.c:1022
#9  0x00000000004264f6 in php_format_date (format=0xfdd325 "r", format_len=1, ts=1498025076, localtime=1) at /home/kmq/php-src/ext/date/php_date.c:1277
#10 0x00000000009b9b54 in append_essential_headers (buffer=0x7ffddc4dc0d0, client=0x2017230, persistent=1) at /home/kmq/php-src/sapi/cli/php_cli_server.c:356
#11 0x00000000009bdbb2 in php_cli_server_begin_send_static (server=0x131e9e0 <server>, client=0x2017230) at /home/kmq/php-src/sapi/cli/php_cli_server.c:1980
#12 0x00000000009be269 in php_cli_server_dispatch (server=0x131e9e0 <server>, client=0x2017230) at /home/kmq/php-src/sapi/cli/php_cli_server.c:2121
#13 0x00000000009bea02 in php_cli_server_recv_event_read_request (server=0x131e9e0 <server>, client=0x2017230) at /home/kmq/php-src/sapi/cli/php_cli_server.c:2316
#14 0x00000000009bed78 in php_cli_server_do_event_for_each_fd_callback (_params=0x7ffddc4dc230, fd=4, event=1) at /home/kmq/php-src/sapi/cli/php_cli_server.c:2399
#15 0x00000000009bb01e in php_cli_server_poller_iter_on_active (poller=0x131e9e8 <server+8>, opaque=0x7ffddc4dc230, callback=0x9beb5a <php_cli_server_do_event_for_each_fd_callback>)
    at /home/kmq/php-src/sapi/cli/php_cli_server.c:843
#16 0x00000000009bedeb in php_cli_server_do_event_for_each_fd (server=0x131e9e0 <server>, rhandler=0x9be8c6 <php_cli_server_recv_event_read_request>, whandler=0x9bea29 <php_cli_server_send_event>)
    at /home/kmq/php-src/sapi/cli/php_cli_server.c:2417
#17 0x00000000009bee50 in php_cli_server_do_event_loop (server=0x131e9e0 <server>) at /home/kmq/php-src/sapi/cli/php_cli_server.c:2427
#18 0x00000000009bf195 in do_cli_server (argc=5, argv=0x1eeab50) at /home/kmq/php-src/sapi/cli/php_cli_server.c:2529
#19 0x00000000009b5e96 in main (argc=5, argv=0x1eeab50) at /home/kmq/php-src/sapi/cli/php_cli.c:1398

History

 [2017-06-21 07:30 UTC] kmq at omfa dot de
-Status: Open +Status: Closed
 [2017-06-21 07:30 UTC] kmq at omfa dot de
I seem to have accidentally submitted the bug report twice. See #74789
 [2017-06-21 08:20 UTC] nikic@php.net
-Status: Closed +Status: Duplicate
Last updated: Thu Jan 21 18:01:23 2021 UTC