PHP :: Bug #77590 :: SIGSEGV in zend_hash_str_find

Bug #77590

SIGSEGV in zend_hash_str_find_bucket

Submitted:

2019-02-08 20:51 UTC

Modified:

2021-07-25 04:22 UTC

Votes:	3
Avg. Score:	3.0 ± 0.8
Reproduced:	2 of 2 (100.0%)
Same Version:	0 (0.0%)
Same OS:	1 (50.0%)

From:

gravydish at gmail dot com

Assigned:

cmb (profile)

Status:

No Feedback

Package:

Built-in web server

PHP Version:

7.2.15

OS:

Fedora 29

Private report:

CVE-ID:

None

View Developer Edit

[2019-02-08 20:51 UTC] gravydish at gmail dot com

Description:
------------
This is on PHP 7.2.14, I will retest with 7.2.15 when it is available for Fedora. However, according to the release notes, I do not see this particular issue addressed in 7.2.15.

I get a SIGSEGV and this backtrace for rendering a particular page in my software. I have not been able to narrow it down to a specific line of PHP code yet, but reviewing the PHP source code referenced from the backtrace, it seems to be originating outside of PHP interpretation.

Following the backtrace, I see that the `zend_hash_str_find_bucket` function is inlined, so it must be one of the lines of the inlined function which is failing some assumption, but I'm currently unable to provide a more-specific backtrace.

What can I do to provide better direction for this bug?

Cheers,
Jared

Actual result:
--------------
#0  0x0000555555820153 in zend_hash_str_find_bucket (h=9223372037048248209, len=3, str=0x5555558c29aa "UTC", 
    ht=0x7ffff6e04738) at /usr/src/debug/php-7.2.14-1.fc29.x86_64/Zend/zend_hash.c:1971
#1  zend_hash_str_find (ht=0x7ffff6e04738, str=0x5555558c29aa "UTC", len=3)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/Zend/zend_hash.c:1971
#2  0x0000555555668220 in zend_hash_str_find_ptr (len=<optimized out>, str=0x5555558c29aa "UTC", ht=<optimized out>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/Zend/zend_hash.h:753
#3  php_date_parse_tzfile (formal_tzname=0x5555558c29aa "UTC", tzdb=0x555555bb2fd0)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/ext/date/php_date.c:949
#4  0x000055555566a0ce in get_timezone_info () at /usr/src/debug/php-7.2.14-1.fc29.x86_64/ext/date/php_date.c:1028
#5  0x000055555566b4b8 in php_format_date (format=format@entry=0x55555592010c "r", format_len=format_len@entry=1, 
    ts=1549653057, localtime=localtime@entry=1) at /usr/src/debug/php-7.2.14-1.fc29.x86_64/ext/date/php_date.c:1283
#6  0x00005555558b87c0 in append_essential_headers (buffer=buffer@entry=0x7fffffffc1b0, client=client@entry=0x555555b10360, 
    persistent=persistent@entry=1) at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:359
#7  0x00005555558bb824 in php_cli_server_begin_send_static (client=0x555555b10360, server=0x555555a2edc0 <server>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2043
#8  php_cli_server_dispatch (client=0x555555b10360, server=0x555555a2edc0 <server>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2184
#9  php_cli_server_recv_event_read_request (server=0x555555a2edc0 <server>, client=0x555555b10360)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2379
#10 0x00005555558bbdf4 in php_cli_server_do_event_for_each_fd_callback (_params=_params@entry=0x7fffffffc300, fd=fd@entry=5, 
    event=event@entry=1) at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2462
#11 0x00005555558bca1b in php_cli_server_poller_iter_on_active (poller=0x555555a2edc8 <server+8>, 
    callback=0x5555558bbda0 <php_cli_server_do_event_for_each_fd_callback>, opaque=0x7fffffffc300)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:846
#12 php_cli_server_do_event_for_each_fd (whandler=0x5555558b9d90 <php_cli_server_send_event>, 
    rhandler=0x5555558bb520 <php_cli_server_recv_event_read_request>, server=0x555555a2edc0 <server>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2480
#13 php_cli_server_do_event_loop (server=0x555555a2edc0 <server>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2490
#14 do_cli_server (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2612
#15 0x0000555555661b18 in main (argc=3, argv=0x555555a4ae50)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli.c:1406

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-02-11 17:17 UTC] gravydish at gmail dot com

I wanted to add that I am able to observe the same SIGSEGV on the same request on the version of PHP that ships with MacOS, 7.1.23.

[2019-02-20 20:00 UTC] kontakt at beberlei dot de

The problem is that static requests don't initialize the DATEG(tzcache) global variable, which leads to the DATEG(tzcahce) probably pointing to invalid memory when its used in php_format_date -> get_timezone_info() instead of NULL, and it never gets correctly initialized.

[2019-03-25 13:51 UTC] nikic@php.net

Can't reproduce this (including no errors under valgrind). Does this require anything beyond accessing a static page via built-in server?

[2019-04-16 13:27 UTC] jkavalik at gmail dot com

getting the same intermittently on PHP 7.1.28-1+ubuntu16.04.1+deb.sury.org+3 (cli) (built: Apr 10 2019 10:49:52) ( NTS )
running as
$ php7.1 -S localhost:8000 -t www

I trigger it most often by accessing multiple similar url in parallel that need heavy execution (Nette+ORM+mariadb).


gdb bt:

#0  zend_hash_str_find_bucket (h=<optimized out>, len=13, str=0x55dfb02a0940 "Europe/Berlin", ht=0x55dfb02a0940) at /build/php7.1-JdcYxT/php7.1-7.1.28/Zend/zend_hash.c:510
#1  zend_hash_str_find (ht=ht@entry=0x7f645ab73af0, str=str@entry=0x55dfb02a0940 "Europe/Berlin", len=13) at /build/php7.1-JdcYxT/php7.1-7.1.28/Zend/zend_hash.c:1970
#2  0x000055dfb006acbb in zend_hash_str_find_ptr (len=<optimized out>, str=0x55dfb02a0940 "Europe/Berlin", ht=<optimized out>) at /build/php7.1-JdcYxT/php7.1-7.1.28/Zend/zend_hash.h:748
#3  php_date_parse_tzfile (formal_tzname=0x55dfb02a0940 "Europe/Berlin", tzdb=0x55dfb1bc42c0) at /build/php7.1-JdcYxT/php7.1-7.1.28/ext/date/php_date.c:946
#4  0x000055dfb006cf46 in get_timezone_info () at /build/php7.1-JdcYxT/php7.1-7.1.28/ext/date/php_date.c:1042
#5  0x000055dfb006f01d in php_format_date (format=format@entry=0x55dfb02f8dec "r", format_len=format_len@entry=1, ts=1555335406, localtime=localtime@entry=1)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/ext/date/php_date.c:1295
#6  0x000055dfb0298ffb in append_essential_headers (buffer=buffer@entry=0x7ffcff84eb00, client=client@entry=0x55dfb1c1efd0, persistent=persistent@entry=1)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:359
#7  0x000055dfb029bf95 in php_cli_server_begin_send_static (client=0x55dfb1c1efd0, server=0x55dfb05ed800 <server>) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2074
#8  php_cli_server_dispatch (client=0x55dfb1c1efd0, server=0x55dfb05ed800 <server>) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2215
#9  php_cli_server_recv_event_read_request (server=0x55dfb05ed800 <server>, client=0x55dfb1c1efd0) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2410
#10 0x000055dfb029c6b9 in php_cli_server_do_event_for_each_fd_callback (_params=_params@entry=0x7ffcff84ec50, fd=fd@entry=6, event=event@entry=1)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2495
#11 0x000055dfb029d479 in php_cli_server_poller_iter_on_active (poller=0x55dfb05ed808 <server+8>, callback=0x55dfb029c5c0 <php_cli_server_do_event_for_each_fd_callback>, opaque=0x7ffcff84ec50)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:846
#12 php_cli_server_do_event_for_each_fd (whandler=0x55dfb029a540 <php_cli_server_send_event>, rhandler=0x55dfb029bc90 <php_cli_server_recv_event_read_request>, server=0x55dfb05ed800 <server>)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2513
#13 php_cli_server_do_event_loop (server=0x55dfb05ed800 <server>) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2523
#14 do_cli_server (argc=<optimized out>, argv=<optimized out>) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2645
#15 0x000055dfb0065b23 in main (argc=5, argv=0x55dfb18c7410) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli.c:1384

loading .gdbinit and running zbacktrace comes empty

[2021-07-13 15:51 UTC] cmb@php.net

-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb

[2021-07-13 15:51 UTC] cmb@php.net

Does this still happen with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>

[2021-07-25 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Mar 20 05:01:28 2025 UTC