Bug #77590 SIGSEGV in zend_hash_str_find_bucket
Submitted: 2019-02-08 20:51 UTC Modified: 2021-07-25 04:22 UTC
Votes:3
Avg. Score:3.0 ± 0.8
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (50.0%)
From: gravydish at gmail dot com Assigned: cmb (profile)
Status: No Feedback Package: Built-in web server
PHP Version: 7.2.15 OS: Fedora 29
Private report: No CVE-ID: None
 [2019-02-08 20:51 UTC] gravydish at gmail dot com
Description:
------------
This is on PHP 7.2.14, I will retest with 7.2.15 when it is available for Fedora. However, according to the release notes, I do not see this particular issue addressed in 7.2.15.

I get a SIGSEGV and this backtrace for rendering a particular page in my software. I have not been able to narrow it down to a specific line of PHP code yet, but reviewing the PHP source code referenced from the backtrace, it seems to be originating outside of PHP interpretation.

Following the backtrace, I see that the `zend_hash_str_find_bucket` function is inlined, so it must be one of the lines of the inlined function which is failing some assumption, but I'm currently unable to provide a more-specific backtrace.

What can I do to provide better direction for this bug?

Cheers,
Jared

Actual result:
--------------
#0  0x0000555555820153 in zend_hash_str_find_bucket (h=9223372037048248209, len=3, str=0x5555558c29aa "UTC", 
    ht=0x7ffff6e04738) at /usr/src/debug/php-7.2.14-1.fc29.x86_64/Zend/zend_hash.c:1971
#1  zend_hash_str_find (ht=0x7ffff6e04738, str=0x5555558c29aa "UTC", len=3)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/Zend/zend_hash.c:1971
#2  0x0000555555668220 in zend_hash_str_find_ptr (len=<optimized out>, str=0x5555558c29aa "UTC", ht=<optimized out>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/Zend/zend_hash.h:753
#3  php_date_parse_tzfile (formal_tzname=0x5555558c29aa "UTC", tzdb=0x555555bb2fd0)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/ext/date/php_date.c:949
#4  0x000055555566a0ce in get_timezone_info () at /usr/src/debug/php-7.2.14-1.fc29.x86_64/ext/date/php_date.c:1028
#5  0x000055555566b4b8 in php_format_date (format=format@entry=0x55555592010c "r", format_len=format_len@entry=1, 
    ts=1549653057, localtime=localtime@entry=1) at /usr/src/debug/php-7.2.14-1.fc29.x86_64/ext/date/php_date.c:1283
#6  0x00005555558b87c0 in append_essential_headers (buffer=buffer@entry=0x7fffffffc1b0, client=client@entry=0x555555b10360, 
    persistent=persistent@entry=1) at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:359
#7  0x00005555558bb824 in php_cli_server_begin_send_static (client=0x555555b10360, server=0x555555a2edc0 <server>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2043
#8  php_cli_server_dispatch (client=0x555555b10360, server=0x555555a2edc0 <server>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2184
#9  php_cli_server_recv_event_read_request (server=0x555555a2edc0 <server>, client=0x555555b10360)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2379
#10 0x00005555558bbdf4 in php_cli_server_do_event_for_each_fd_callback (_params=_params@entry=0x7fffffffc300, fd=fd@entry=5, 
    event=event@entry=1) at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2462
#11 0x00005555558bca1b in php_cli_server_poller_iter_on_active (poller=0x555555a2edc8 <server+8>, 
    callback=0x5555558bbda0 <php_cli_server_do_event_for_each_fd_callback>, opaque=0x7fffffffc300)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:846
#12 php_cli_server_do_event_for_each_fd (whandler=0x5555558b9d90 <php_cli_server_send_event>, 
    rhandler=0x5555558bb520 <php_cli_server_recv_event_read_request>, server=0x555555a2edc0 <server>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2480
#13 php_cli_server_do_event_loop (server=0x555555a2edc0 <server>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2490
#14 do_cli_server (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2612
#15 0x0000555555661b18 in main (argc=3, argv=0x555555a4ae50)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli.c:1406

 [2019-02-11 17:17 UTC] gravydish at gmail dot com
I wanted to add that I am able to observe the same SIGSEGV on the same request on the version of PHP that ships with MacOS, 7.1.23.
 [2019-02-20 20:00 UTC] kontakt at beberlei dot de
The problem is that static requests don't initialize the DATEG(tzcache) global variable, which leads to the DATEG(tzcache) probably pointing to invalid memory when it's used in php_format_date -> get_timezone_info() instead of NULL, and it never gets correctly initialized.
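To make the mechanism in the comment above concrete, here is an added C illustration (not PHP's code; every name, the cache layout and the timezone data are constructed for this example). It models a request-scoped cache pointer like DATEG(tzcache): the dynamic request path runs the module's request init, the static-file path skips it, and the lookup carries the guard that keeps the static path from dereferencing an uninitialized pointer. The globals are zero-initialized so that "never initialized" reads as NULL rather than as whatever a previous request left behind, and shutdown resets the pointer so it cannot dangle.

```c
#include <stdlib.h>
#include <string.h>

/* Added illustration, not PHP's code: a per-request timezone cache that one
 * request path initializes and another (serving a static file) skips, plus
 * the guard that makes the lookup safe either way. All names and the
 * sample timezone data are constructed for this example. */

#define TZ_CACHE_SLOTS 8

typedef struct {
    char name[32];
    long utc_offset;          /* seconds east of UTC */
} tz_entry;

typedef struct {
    tz_entry slots[TZ_CACHE_SLOTS];
    int count;
} tz_cache;

/* Request-scoped globals, mirroring the idea of DATEG(tzcache). */
typedef struct {
    tz_cache *tzcache;        /* valid only after request init */
} date_globals;

/* Zero-initialized at program start so an un-initialized request leaves NULL
 * here rather than whatever the previous request left behind. */
static date_globals DATEG = {0};

static int db_loads = 0;      /* how often we fell through to the "database" */

/* Stand-in for parsing a tz file out of the bundled database (constructed). */
static long load_offset_from_db(const char *name) {
    db_loads++;
    if (strcmp(name, "UTC") == 0) return 0;
    if (strcmp(name, "Europe/Berlin") == 0) return 3600;
    return -1;                /* unknown zone */
}

static void date_request_init(void) {
    if (DATEG.tzcache == NULL)
        DATEG.tzcache = calloc(1, sizeof *DATEG.tzcache);
}

static void date_request_shutdown(void) {
    free(DATEG.tzcache);
    DATEG.tzcache = NULL;     /* never leave a dangling pointer for the next request */
}

/* Guarded lookup: initializes the cache lazily instead of trusting that the
 * caller's request path already did, so the static-file path cannot
 * dereference an uninitialized pointer. */
static long get_timezone_offset(const char *name) {
    if (DATEG.tzcache == NULL)
        date_request_init();
    tz_cache *c = DATEG.tzcache;
    if (c == NULL) return -1; /* allocation failed */
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->slots[i].name, name) == 0)
            return c->slots[i].utc_offset;
    long off = load_offset_from_db(name);
    if (off >= 0 && c->count < TZ_CACHE_SLOTS) {
        strncpy(c->slots[c->count].name, name, sizeof c->slots[0].name - 1);
        c->slots[c->count].name[sizeof c->slots[0].name - 1] = '\0';
        c->slots[c->count].utc_offset = off;
        c->count++;
    }
    return off;
}

/* Dynamic (script) request: runs the full module request startup. */
long handle_dynamic_request(const char *tzname) {
    date_request_init();
    long off = get_timezone_offset(tzname);
    date_request_shutdown();
    return off;
}

/* Static-file request: never calls date_request_init(), exactly the gap the
 * comment above describes; only the guard in get_timezone_offset() keeps it safe. */
long handle_static_request(const char *tzname) {
    long off = get_timezone_offset(tzname);   /* "Date:" header needs local time */
    date_request_shutdown();
    return off;
}

/* Returns how many database loads a repeated lookup within one request avoided. */
int cache_hits_within_request(const char *tzname) {
    date_request_init();
    int before = db_loads;
    get_timezone_offset(tzname);
    get_timezone_offset(tzname);
    int loads = db_loads - before;
    date_request_shutdown();
    return 2 - loads;         /* two lookups, one load => one hit */
}
```

The two things a reviewer would check in a real fix are visible here: the lookup does not assume its caller ran request init, and shutdown leaves the pointer NULL rather than stale, so a later request that skips init cannot inherit freed memory.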
 [2019-03-25 13:51 UTC] nikic@php.net
Can't reproduce this (including no errors under valgrind). Does this require anything beyond accessing a static page via built-in server?
 [2019-04-16 13:27 UTC] jkavalik at gmail dot com
Getting the same intermittently on PHP 7.1.28-1+ubuntu16.04.1+deb.sury.org+3 (cli) (built: Apr 10 2019 10:49:52) ( NTS )
running as
$ php7.1 -S localhost:8000 -t www

I trigger it most often by accessing multiple similar URLs in parallel that need heavy execution (Nette+ORM+mariadb).


gdb bt:

#0  zend_hash_str_find_bucket (h=<optimized out>, len=13, str=0x55dfb02a0940 "Europe/Berlin", ht=0x55dfb02a0940) at /build/php7.1-JdcYxT/php7.1-7.1.28/Zend/zend_hash.c:510
#1  zend_hash_str_find (ht=ht@entry=0x7f645ab73af0, str=str@entry=0x55dfb02a0940 "Europe/Berlin", len=13) at /build/php7.1-JdcYxT/php7.1-7.1.28/Zend/zend_hash.c:1970
#2  0x000055dfb006acbb in zend_hash_str_find_ptr (len=<optimized out>, str=0x55dfb02a0940 "Europe/Berlin", ht=<optimized out>) at /build/php7.1-JdcYxT/php7.1-7.1.28/Zend/zend_hash.h:748
#3  php_date_parse_tzfile (formal_tzname=0x55dfb02a0940 "Europe/Berlin", tzdb=0x55dfb1bc42c0) at /build/php7.1-JdcYxT/php7.1-7.1.28/ext/date/php_date.c:946
#4  0x000055dfb006cf46 in get_timezone_info () at /build/php7.1-JdcYxT/php7.1-7.1.28/ext/date/php_date.c:1042
#5  0x000055dfb006f01d in php_format_date (format=format@entry=0x55dfb02f8dec "r", format_len=format_len@entry=1, ts=1555335406, localtime=localtime@entry=1)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/ext/date/php_date.c:1295
#6  0x000055dfb0298ffb in append_essential_headers (buffer=buffer@entry=0x7ffcff84eb00, client=client@entry=0x55dfb1c1efd0, persistent=persistent@entry=1)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:359
#7  0x000055dfb029bf95 in php_cli_server_begin_send_static (client=0x55dfb1c1efd0, server=0x55dfb05ed800 <server>) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2074
#8  php_cli_server_dispatch (client=0x55dfb1c1efd0, server=0x55dfb05ed800 <server>) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2215
#9  php_cli_server_recv_event_read_request (server=0x55dfb05ed800 <server>, client=0x55dfb1c1efd0) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2410
#10 0x000055dfb029c6b9 in php_cli_server_do_event_for_each_fd_callback (_params=_params@entry=0x7ffcff84ec50, fd=fd@entry=6, event=event@entry=1)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2495
#11 0x000055dfb029d479 in php_cli_server_poller_iter_on_active (poller=0x55dfb05ed808 <server+8>, callback=0x55dfb029c5c0 <php_cli_server_do_event_for_each_fd_callback>, opaque=0x7ffcff84ec50)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:846
#12 php_cli_server_do_event_for_each_fd (whandler=0x55dfb029a540 <php_cli_server_send_event>, rhandler=0x55dfb029bc90 <php_cli_server_recv_event_read_request>, server=0x55dfb05ed800 <server>)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2513
#13 php_cli_server_do_event_loop (server=0x55dfb05ed800 <server>) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2523
#14 do_cli_server (argc=<optimized out>, argv=<optimized out>) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2645
#15 0x000055dfb0065b23 in main (argc=5, argv=0x55dfb18c7410) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli.c:1384

Loading .gdbinit and running zbacktrace comes up empty.
 [2021-07-13 15:51 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-07-13 15:51 UTC] cmb@php.net
Does this still happen with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-07-25 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
Last updated: Tue Mar 19 07:01:29 2024 UTC