Bug #77590 SIGSEGV in zend_hash_str_find_bucket
Submitted: 2019-02-08 20:51 UTC Modified: 2019-03-25 13:51 UTC
Votes:2
Avg. Score:2.5 ± 0.5
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: gravydish at gmail dot com Assigned:
Status: Open Package: Built-in web server
PHP Version: 7.2.15 OS: Fedora 29
Private report: No CVE-ID: None
 [2019-02-08 20:51 UTC] gravydish at gmail dot com
Description:
------------
This is on PHP 7.2.14, I will retest with 7.2.15 when it is available for Fedora. However, according to the release notes, I do not see this particular issue addressed in 7.2.15.

I get a SIGSEGV and this backtrace for rendering a particular page in my software. I have not been able to narrow it down to a specific line of PHP code yet, but reviewing the PHP source code referenced from the backtrace, it seems to be originating outside of PHP interpretation.

Following the backtrace, I see that the `zend_hash_str_find_bucket` function is inlined, so it must be one of the lines of the inlined function which is failing some assumption, but I'm currently unable to provide a more-specific backtrace.

What can I do to provide better direction for this bug?

Cheers,
Jared

Actual result:
--------------
#0  0x0000555555820153 in zend_hash_str_find_bucket (h=9223372037048248209, len=3, str=0x5555558c29aa "UTC", 
    ht=0x7ffff6e04738) at /usr/src/debug/php-7.2.14-1.fc29.x86_64/Zend/zend_hash.c:1971
#1  zend_hash_str_find (ht=0x7ffff6e04738, str=0x5555558c29aa "UTC", len=3)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/Zend/zend_hash.c:1971
#2  0x0000555555668220 in zend_hash_str_find_ptr (len=<optimized out>, str=0x5555558c29aa "UTC", ht=<optimized out>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/Zend/zend_hash.h:753
#3  php_date_parse_tzfile (formal_tzname=0x5555558c29aa "UTC", tzdb=0x555555bb2fd0)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/ext/date/php_date.c:949
#4  0x000055555566a0ce in get_timezone_info () at /usr/src/debug/php-7.2.14-1.fc29.x86_64/ext/date/php_date.c:1028
#5  0x000055555566b4b8 in php_format_date (format=format@entry=0x55555592010c "r", format_len=format_len@entry=1, 
    ts=1549653057, localtime=localtime@entry=1) at /usr/src/debug/php-7.2.14-1.fc29.x86_64/ext/date/php_date.c:1283
#6  0x00005555558b87c0 in append_essential_headers (buffer=buffer@entry=0x7fffffffc1b0, client=client@entry=0x555555b10360, 
    persistent=persistent@entry=1) at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:359
#7  0x00005555558bb824 in php_cli_server_begin_send_static (client=0x555555b10360, server=0x555555a2edc0 <server>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2043
#8  php_cli_server_dispatch (client=0x555555b10360, server=0x555555a2edc0 <server>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2184
#9  php_cli_server_recv_event_read_request (server=0x555555a2edc0 <server>, client=0x555555b10360)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2379
#10 0x00005555558bbdf4 in php_cli_server_do_event_for_each_fd_callback (_params=_params@entry=0x7fffffffc300, fd=fd@entry=5, 
    event=event@entry=1) at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2462
#11 0x00005555558bca1b in php_cli_server_poller_iter_on_active (poller=0x555555a2edc8 <server+8>, 
    callback=0x5555558bbda0 <php_cli_server_do_event_for_each_fd_callback>, opaque=0x7fffffffc300)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:846
#12 php_cli_server_do_event_for_each_fd (whandler=0x5555558b9d90 <php_cli_server_send_event>, 
    rhandler=0x5555558bb520 <php_cli_server_recv_event_read_request>, server=0x555555a2edc0 <server>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2480
#13 php_cli_server_do_event_loop (server=0x555555a2edc0 <server>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2490
#14 do_cli_server (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli_server.c:2612
#15 0x0000555555661b18 in main (argc=3, argv=0x555555a4ae50)
    at /usr/src/debug/php-7.2.14-1.fc29.x86_64/sapi/cli/php_cli.c:1406

History

 [2019-02-11 17:17 UTC] gravydish at gmail dot com
I wanted to add that I am able to observe the same SIGSEGV on the same request on the version of PHP that ships with MacOS, 7.1.23.
 [2019-02-20 20:00 UTC] kontakt at beberlei dot de
The problem is that static requests don't initialize the DATEG(tzcache) global variable, which leads to the DATEG(tzcache) probably pointing to invalid memory when it's used in php_format_date -> get_timezone_info() instead of NULL, and it never gets correctly initialized.
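The failure mode described in the comment above, modelled as an added C example (this is not PHP's own code): a per-request cache pointer held in module globals that only request startup resets, a lookup that trusts that pointer unconditionally, and a hardened lookup that initializes the cache lazily when a code path (here, the static-file path) skipped startup. The `cache_valid` flag stands in for "the memory behind the pointer is still valid", and every name here is constructed for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a module's per-request globals, in the spirit of
 * PHP's DATEG(tzcache). cache_valid is a hypothetical stand-in for "the
 * memory behind tzcache is still valid"; none of this is PHP's code. */
typedef struct {
    char *tzcache;     /* timezone name cached for the current request, or NULL */
    int   cache_valid; /* 1 between request startup and shutdown, else 0 */
} date_globals_t;

static date_globals_t DATEG = { NULL, 0 };

/* Portable copy helper (avoids relying on POSIX strdup). */
static char *dup_name(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Dynamic requests run this; the static-file path in this model skips it. */
void date_request_startup(void)
{
    DATEG.tzcache = NULL;
    DATEG.cache_valid = 1;
}

/* Frees the cache but leaves the pointer dangling, modelling a global that
 * points to invalid memory instead of NULL once the request is over. */
void date_request_shutdown(void)
{
    free(DATEG.tzcache);
    DATEG.cache_valid = 0;
}

/* Buggy lookup: trusts the global unconditionally. Returns the cached name,
 * or NULL with *stale set where real code would dereference freed memory. */
const char *get_timezone_info_buggy(const char *name, int *stale)
{
    *stale = 0;
    if (!DATEG.cache_valid) {
        *stale = 1;  /* the real lookup crashes here (SIGSEGV in the hash find) */
        return NULL;
    }
    if (DATEG.tzcache == NULL)
        DATEG.tzcache = dup_name(name);
    return DATEG.tzcache;
}

/* Hardened lookup: a cache that was never (re)initialized for this request
 * is treated as empty and initialized before first use. */
const char *get_timezone_info_safe(const char *name)
{
    if (!DATEG.cache_valid)
        date_request_startup();  /* lazy init covers paths that skipped startup */
    if (DATEG.tzcache == NULL)
        DATEG.tzcache = dup_name(name);
    return DATEG.tzcache;
}

/* Scenario from the report: one dynamic request completes, then a static
 * request formats a Date header without request startup having run.
 * Returns 1 when the buggy lookup would have used the stale cache. */
int buggy_lookup_hits_stale_cache(void)
{
    int stale = 0;
    date_request_startup();
    get_timezone_info_buggy("UTC", &stale);
    date_request_shutdown();
    get_timezone_info_buggy("UTC", &stale);  /* static path: no startup */
    return stale;
}

/* Same sequence with the hardened lookup; returns 1 when it yields "UTC". */
int safe_lookup_survives_static_request(void)
{
    date_request_startup();
    get_timezone_info_safe("UTC");
    date_request_shutdown();
    const char *tz = get_timezone_info_safe("UTC");  /* static path: no startup */
    int ok = tz != NULL && strcmp(tz, "UTC") == 0;
    date_request_shutdown();
    return ok;
}
```

The defensive point is that a per-request cache should never be assumed to have been reset by a code path the caller does not control; either every entry point into the request lifecycle runs the same startup, or the consumer checks validity before dereferencing. Under a sanitizer build, the buggy sequence is exactly the use-after-free pattern that shows up as a crash inside the hash lookup.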
 [2019-03-25 13:51 UTC] nikic@php.net
Can't reproduce this (including no errors under valgrind). Does this require anything beyond accessing a static page via built-in server?
 [2019-04-16 13:27 UTC] jkavalik at gmail dot com
getting the same intermittently on PHP 7.1.28-1+ubuntu16.04.1+deb.sury.org+3 (cli) (built: Apr 10 2019 10:49:52) ( NTS )
running as
$ php7.1 -S localhost:8000 -t www

I trigger it most often by accessing multiple similar URLs in parallel that need heavy execution (Nette+ORM+mariadb).


gdb bt:

#0  zend_hash_str_find_bucket (h=<optimized out>, len=13, str=0x55dfb02a0940 "Europe/Berlin", ht=0x55dfb02a0940) at /build/php7.1-JdcYxT/php7.1-7.1.28/Zend/zend_hash.c:510
#1  zend_hash_str_find (ht=ht@entry=0x7f645ab73af0, str=str@entry=0x55dfb02a0940 "Europe/Berlin", len=13) at /build/php7.1-JdcYxT/php7.1-7.1.28/Zend/zend_hash.c:1970
#2  0x000055dfb006acbb in zend_hash_str_find_ptr (len=<optimized out>, str=0x55dfb02a0940 "Europe/Berlin", ht=<optimized out>) at /build/php7.1-JdcYxT/php7.1-7.1.28/Zend/zend_hash.h:748
#3  php_date_parse_tzfile (formal_tzname=0x55dfb02a0940 "Europe/Berlin", tzdb=0x55dfb1bc42c0) at /build/php7.1-JdcYxT/php7.1-7.1.28/ext/date/php_date.c:946
#4  0x000055dfb006cf46 in get_timezone_info () at /build/php7.1-JdcYxT/php7.1-7.1.28/ext/date/php_date.c:1042
#5  0x000055dfb006f01d in php_format_date (format=format@entry=0x55dfb02f8dec "r", format_len=format_len@entry=1, ts=1555335406, localtime=localtime@entry=1)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/ext/date/php_date.c:1295
#6  0x000055dfb0298ffb in append_essential_headers (buffer=buffer@entry=0x7ffcff84eb00, client=client@entry=0x55dfb1c1efd0, persistent=persistent@entry=1)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:359
#7  0x000055dfb029bf95 in php_cli_server_begin_send_static (client=0x55dfb1c1efd0, server=0x55dfb05ed800 <server>) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2074
#8  php_cli_server_dispatch (client=0x55dfb1c1efd0, server=0x55dfb05ed800 <server>) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2215
#9  php_cli_server_recv_event_read_request (server=0x55dfb05ed800 <server>, client=0x55dfb1c1efd0) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2410
#10 0x000055dfb029c6b9 in php_cli_server_do_event_for_each_fd_callback (_params=_params@entry=0x7ffcff84ec50, fd=fd@entry=6, event=event@entry=1)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2495
#11 0x000055dfb029d479 in php_cli_server_poller_iter_on_active (poller=0x55dfb05ed808 <server+8>, callback=0x55dfb029c5c0 <php_cli_server_do_event_for_each_fd_callback>, opaque=0x7ffcff84ec50)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:846
#12 php_cli_server_do_event_for_each_fd (whandler=0x55dfb029a540 <php_cli_server_send_event>, rhandler=0x55dfb029bc90 <php_cli_server_recv_event_read_request>, server=0x55dfb05ed800 <server>)
    at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2513
#13 php_cli_server_do_event_loop (server=0x55dfb05ed800 <server>) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2523
#14 do_cli_server (argc=<optimized out>, argv=<optimized out>) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli_server.c:2645
#15 0x000055dfb0065b23 in main (argc=5, argv=0x55dfb18c7410) at /build/php7.1-JdcYxT/php7.1-7.1.28/sapi/cli/php_cli.c:1384

loading .gdbinit and running zbacktrace comes back empty
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Apr 25 21:01:25 2019 UTC