php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79307 httpd crash when combine strings in php
Submitted: 2020-02-25 14:40 UTC Modified: 2020-02-26 07:56 UTC
From: idzjy at live dot cn Assigned:
Status: Open Package: Apache2 related
PHP Version: 7.3.15 OS: Windows 10
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2020-02-25 14:40 UTC] idzjy at live dot cn
Description:
------------
when trying to combine thousands of strings using concatenation operator ('.'), httpd crash.

like:
https://github.com/laminas/laminas-validator/blob/master/src/Hostname/Biz.php
https://github.com/laminas/laminas-validator/blob/master/src/Hostname/Cn.php

the php package was downloaded directly from https://windows.php.net/downloads/releases/php-7.3.15-Win32-VC15-x64.zip

apache version: 2.4.37 on windows with wampserver 3.1.7 64bit.
crash on 7.2.14 / 7.3.9 / 7.3.15, not on 5.6.40 as I tested.
crash on apache, not cli.

// logs
apache log:
[Tue Feb 25 22:04:01.612217 2020] [mpm_winnt:notice] [pid 273704:tid 764] AH00428: Parent: child process 282396 exited with status 3221225725 -- Restarting.

php logs nothing.

Windows Event Viewer:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Application Error" /> 
  <EventID Qualifiers="0">1000</EventID> 
  <Level>2</Level> 
  <Task>100</Task> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2020-02-25T14:03:58.936699400Z" /> 
  <EventRecordID>49477</EventRecordID> 
  <Channel>Application</Channel> 
  <Computer>***</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data>httpd.exe</Data> 
  <Data>2.4.37.0</Data> 
  <Data>5bf538f3</Data> 
  <Data>php7ts.dll</Data> 
  <Data>7.3.15.0</Data> 
  <Data>5e4bea74</Data> 
  <Data>c00000fd</Data> 
  <Data>0000000000011f92</Data> 
  <Data>44f1c</Data> 
  <Data>01d5ebe4613b26c1</Data> 
  <Data>D:\wamp64\bin\apache\apache2.4.37\bin\httpd.exe</Data> 
  <Data>D:\wamp64\bin\apache\apache2.4.37\bin\php7ts.dll</Data> 
  <Data>caca7d2d-d7d9-4478-a028-6429e916ab68</Data> 
  <Data /> 
  <Data /> 
  </EventData>
  </Event>


Test script:
---------------
<?php
// test1.php
$a =
'123456789012345678901234567890' .
'123456789012345678901234567890' .
'123456789012345678901234567890' .
'123456789012345678901234567890';
// ... 2000 lines in total, crash
var_dump($a);

//////////////////////////////////////////////////
<?php
// test2.php
$a =
'123456789012345678901234567890' .
'123456789012345678901234567890' .
'123456789012345678901234567890' .
'123456789012345678901234567890';
// ... 1000 lines in total, ok

$b =
'123456789012345678901234567890' .
'123456789012345678901234567890' .
'123456789012345678901234567890' .
'123456789012345678901234567890';
// ... 1000 lines in total, ok

$c = $a + $b;
var_dump($c);
// everything is fine

//////////////////////////////////////////////////
// same thing happens even if reduce the length of the single string to '123'.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-02-25 17:29 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-02-25 17:29 UTC] cmb@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.
 [2020-02-25 20:30 UTC] nikic@php.net
Just going by the description, I'd assume this is a stack overflow in the compiler due to a very deeply nested AST.

Could be addressed by converting concat into a list node with some special handling, not sure if that's worth the bother.
 [2020-02-26 03:25 UTC] idzjy at live dot cn
-Status: Feedback +Status: Assigned
 [2020-02-26 03:25 UTC] idzjy at live dot cn
Thread 4 - System ID 291428

Entry point   libhttpd!ap_run_generate_log_id+3b10 
Create time   2020-02-26 10:36:00 
Time spent in user mode   0 Days 00:00:00.000 
Time spent in kernel mode   0 Days 00:00:00.000 

This thread is not fully resolved and may or may not be a problem. Further analysis of these threads may be required.

php7ts!zend_compile_binary_op+c [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 7128 + c]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 7128 + c
php7ts!zend_compile_binary_op+3f [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 7135]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 7135
// 1143 same lines here
php7ts!zend_compile_binary_op+3f [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 7135]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 7135
php7ts!zend_compile_assign+1ea [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 2985]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 2985
php7ts!zend_compile_stmt+178 [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 8318]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 8318
php7ts!zend_compile_top_stmt+23 [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 8205]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 8205
php7ts!zend_compile_top_stmt+a5 [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 8198 + c]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_compile.c @ 8198 + c
php7ts!zend_compile+168 [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_language_scanner.l @ 604]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_language_scanner.l @ 604
php7ts!compile_file+3c [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_language_scanner.l @ 637 + 8]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend_language_scanner.l @ 637 + 8
php7ts!phar_compile_file+33c [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\ext\phar\phar.c @ 3348 + 1d]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\ext\phar\phar.c @ 3348 + 1d
php_xdebug_2_8_0_7_3_vc15_x86_64+5bbc
php7ts!zend_execute_scripts+88 [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend.c @ 1563]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\zend\zend.c @ 1563
php7ts!php_execute_script+261 [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\main\main.c @ 2641]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\main\main.c @ 2641
php7apache2_4!php_handler+591 [c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\sapi\apache2handler\sapi_apache2.c @ 700]   c:\php-snap-build\php73\vc15\x64\php-7.3.15-ts\sapi\apache2handler\sapi_apache2.c @ 700
libhttpd!ap_run_handler+35
libhttpd!ap_invoke_handler+10f
libhttpd!ap_internal_redirect_handler+29a
libhttpd!ap_process_request+f
libhttpd!ap_byterange_filter+1581
libhttpd!ap_run_process_connection+35
libhttpd!ap_process_connection+45
libhttpd!ap_run_generate_log_id+3da0
kernel32!BaseThreadInitThunk+14
ntdll!RtlUserThreadStart+21
 [2020-02-26 07:56 UTC] cmb@php.net
-Status: Assigned +Status: Open -Assigned To: cmb +Assigned To:
 [2020-02-26 07:56 UTC] cmb@php.net
Thanks for the backtrace!  So @nikic was spot-on.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Apr 01 09:01:22 2020 UTC