ID:               47928
 Updated by:       [email protected]
 Reported By:      jjuergens at web dot de
-Status:           Open
+Status:           Feedback
 Bug Type:         MySQLi related
 Operating System: Opensuse 11.1
 PHP Version:      5.2.9
 New Comment:

Please provide a sane reproduce script. The one provided can not 
work, ever. What exactly is this supposed to achieve anyway:

$resData=$stmt->result_metadata();
$resFields=array();
$bindArray=array();

while($field=mysqli_fetch_field($resData)){
  $resFields[]=&$bindArray[$field->name];
}

References to nonexistent array entries..? You're ending up with 
references to NULL. With proper ini settings, this leads to an error 
about allowed memory being exhausted. You probably have some minor 
differences with stack size and such since you end up with a 
segfault..
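To make the idiom under discussion concrete without a database, here is an added stand-alone illustration; it is not part of the bug report or of PHP's own code. It uses the column names from the table in the report, and buildBindings() and simulateFetch() are hypothetical helpers: simulateFetch() stands in for what mysqli_stmt::fetch() does when it writes a row into variables bound with bind_result(), and the row values are constructed.

```php
<?php
// Added illustration, not from the bug report: shows what the reference-binding
// idiom in the reproduce script builds, with no database involved.
// buildBindings() and simulateFetch() are hypothetical helpers; simulateFetch()
// stands in for mysqli_stmt::fetch() assigning a row to the bound variables.

function buildBindings(array $fieldNames, array &$bindArray)
{
    $refs = array();
    foreach ($fieldNames as $name) {
        // Taking a reference to a key that does not exist yet creates that key
        // with a NULL value, so $bindArray ends up pre-populated with NULL
        // entries and $refs[] points at each of them (same idiom as the report).
        $refs[] = &$bindArray[$name];
    }
    return $refs;
}

// Stand-in for the driver: fetch() assigns column i of the current row to the
// variable bound at position i. Each slot of $refs is a reference, so the
// assignment lands in $bindArray.
function simulateFetch(array &$refs, array $row)
{
    foreach ($row as $i => $value) {
        $refs[$i] = $value;
    }
}

$fieldNames = array('sessionId', 'pathHash', 'path', 'data'); // from the reported table
$bindArray  = array();
$resFields  = buildBindings($fieldNames, $bindArray);

// Before any fetch, every key exists and holds NULL: the "references to NULL"
// state mentioned above.
if ($bindArray !== array_fill_keys($fieldNames, null)) {
    throw new RuntimeException('expected a NULL-initialised bind array');
}

// Constructed row values (not real session data).
simulateFetch($resFields, array('sess-1', 'hash-1', '/index', '{"a":1}'));
if ($bindArray['path'] !== '/index') {
    throw new RuntimeException('write through the reference did not reach $bindArray');
}

// The per-row copy loop from the reproduce script copies values, not
// references, so a stored row keeps its data when the next row is fetched.
$tmpRes = array();
foreach ($bindArray as $key => $value) {
    $tmpRes[$key] = $value;
}
simulateFetch($resFields, array('sess-2', 'hash-2', '/login', '{}'));
if ($tmpRes['path'] !== '/index' || $bindArray['path'] !== '/login') {
    throw new RuntimeException('stored row aliased the bound variables');
}
echo "reference binding behaves as expected\n";
```

Run it with `php -n` as in the thread; it throws if any of the three checks on reference behaviour fails, so it doubles as a quick sanity check of the idiom on a given PHP build.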




Previous Comments:
------------------------------------------------------------------------

[2009-04-12 14:42:39] jjuergens at web dot de

Ok, here's my new configure line, didn't see what else I could remove:
> /temp/php3/bin/php -i
phpinfo()
PHP Version => 5.2.10-dev

System => Linux medion 2.6.27.7-9-default #1 SMP 2008-12-04 18:10:04 +0100 i686
Build Date => Apr 12 2009 16:32:09
Configure Command =>  './configure'  '--prefix=/temp/php3' '--enable-static' '--enable-cli' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-mysqli'


------------

Now running the script with this version, I get a segfault again.

> /temp/php3/bin/php -n mysqli.php
Speicherzugriffsfehler


------------

And here's the matching valgrind output:

> /temp/php3/bin/php -n mysqli.php
Speicherzugriffsfehler
d...@medion:~/Desktop/temp> valgrind /temp/php3/bin/php -n mysqli.php
==32741== Memcheck, a memory error detector.
==32741== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==32741== Using LibVEX rev 1854, a library for dynamic binary translation.
==32741== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==32741== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==32741== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==32741== For more details, rerun with: -v
==32741==
==32741== Invalid read of size 4
==32741==    at 0x82859CA: _zval_ptr_dtor (zend_execute_API.c:412)
==32741==    by 0x829C28D: zend_hash_destroy (zend_hash.c:526)
==32741==    by 0x8291DE4: _zval_dtor_func (zend_variables.c:43)
==32741==    by 0x8285A1F: _zval_ptr_dtor (zend_variables.h:35)
==32741==    by 0x829BF41: zend_hash_apply_deleter (zend_hash.c:611)
==32741==    by 0x829C1CE: zend_hash_graceful_reverse_destroy (zend_hash.c:646)
==32741==    by 0x828839F: shutdown_executor (zend_execute_API.c:239)
==32741==    by 0x8292882: zend_deactivate (zend.c:860)
==32741==    by 0x8251666: php_request_shutdown (main.c:1492)
==32741==    by 0x82FDC80: main (php_cli.c:1343)
==32741==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==32741==
==32741== Process terminating with default action of signal 11 (SIGSEGV)
==32741==  Access not within mapped region at address 0x0
==32741==    at 0x82859CA: _zval_ptr_dtor (zend_execute_API.c:412)
==32741==    by 0x829C28D: zend_hash_destroy (zend_hash.c:526)
==32741==    by 0x8291DE4: _zval_dtor_func (zend_variables.c:43)
==32741==    by 0x8285A1F: _zval_ptr_dtor (zend_variables.h:35)
==32741==    by 0x829BF41: zend_hash_apply_deleter (zend_hash.c:611)
==32741==    by 0x829C1CE: zend_hash_graceful_reverse_destroy (zend_hash.c:646)
==32741==    by 0x828839F: shutdown_executor (zend_execute_API.c:239)
==32741==    by 0x8292882: zend_deactivate (zend.c:860)
==32741==    by 0x8251666: php_request_shutdown (main.c:1492)
==32741==    by 0x82FDC80: main (php_cli.c:1343)
==32741==
==32741== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 3 from 1)
==32741== malloc/free: in use at exit: 1,016,362 bytes in 10,656 blocks.
==32741== malloc/free: 11,104 allocs, 448 frees, 1,409,172 bytes allocated.
==32741== For counts of detected errors, rerun with: -v
==32741== searching for pointers to 10,656 not-freed blocks.
==32741== checked 1,208,392 bytes.
==32741==
==32741== LEAK SUMMARY:
==32741==    definitely lost: 0 bytes in 0 blocks.
==32741==      possibly lost: 0 bytes in 0 blocks.
==32741==    still reachable: 1,016,362 bytes in 10,656 blocks.
==32741==         suppressed: 0 bytes in 0 blocks.
==32741== Rerun with --leak-check=full to see details of leaked memory.
Speicherzugriffsfehler

------------------------------------------------------------------------

[2009-04-11 23:54:58] [email protected]

Try building the snapshot with the shortest possible configure line 
necessary. And do not use shared extensions when debugging the crash; 
build everything static and use -n when running the test to prevent 
loading any php.ini.

------------------------------------------------------------------------

[2009-04-11 09:44:13] jjuergens at web dot de

Ok, I just downloaded the latest version (php5.2-200904110630) and
compiled it with the following options:


'./configure'  '--prefix=/temp/php' '--enable-libxml' '--enable-session' '--with-mm'
'--with-pcre-regex=/usr' '--enable-xml' '--enable-simplexml' '--enable-spl'
'--enable-filter' '--disable-debug' '--enable-inline-optimization' '--disable-rpath'
'--disable-static' '--enable-shared' '--program-suffix=5' '--with-pic' '--with-gnu-ld'
'--with-system-tzdata=/usr/share/zoneinfo' '--enable-cli'
'--with-pear=/usr/share/php5/PEAR' '--enable-bcmath=shared' '--enable-calendar=shared'
'--enable-ctype=shared' '--enable-dbase=shared' '--enable-dom=shared'
'--enable-exif=shared' '--enable-ftp=shared' '--enable-mbstring=shared'
'--enable-mbregex' '--enable-pcntl=shared' '--enable-posix=shared'
'--enable-shmop=shared' '--enable-soap=shared' '--enable-sockets=shared'
'--enable-sysvmsg=shared' '--enable-sysvsem=shared' '--enable-sysvshm=shared'
'--enable-tokenizer=shared' '--enable-wddx=shared' '--with-zlib=shared'
'--with-bz2=shared' '--with-curl=shared' '--with-gd=shared' '--enable-gd-native-ttf'
'--with-xpm-dir=/usr' '--with-freetype-dir=/usr' '--with-png-dir=/usr'
'--with-jpeg-dir=/usr' '--with-zlib-dir=/usr' '--with-t1lib=/usr'
'--with-gettext=shared' '--with-gmp=shared' '--enable-hash=shared'
'--with-iconv=shared' '--with-imap-ssl' '--enable-json=shared'
'--with-libedit=shared,/usr' '--with-mcrypt=shared' '--with-mysql=shared,/usr'
'--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-mysqli'
'--with-ncurses=shared' '--with-unixODBC=shared,/usr' '--with-openssl=shared'
'--with-xmlrpc=shared' '--enable-xmlreader=shared' '--enable-xmlwriter=shared'
'--with-xsl=shared' '--with-tidy=shared,/usr' '--enable-dba=shared'
'--with-db4=/usr' '--without-gdbm' '--with-cdb' '--with-inifile' '--with-flatfile'
'--enable-pdo=shared' '--with-pdo_sqlite=shared,/usr' '--with-pdo-mysql=shared,/usr'
'--with-pdo-odbc=shared,unixODBC,/usr' '--with-sqlite=shared,/usr'
'--enable-sqlite-utf8' '--enable-zip=shared' '--disable-cgi'



Running it with the same code I posted here, I get a memory error again.
But Valgrind shows some different output than before:

>valgrind /temp/php/bin/php5 mysqli.php
==19284== Memcheck, a memory error detector.
==19284== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==19284== Using LibVEX rev 1854, a library for dynamic binary translation.
==19284== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==19284== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==19284== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==19284== For more details, rerun with: -v
==19284==
==19284== Invalid read of size 4
==19284==    at 0x81A16EA: _zval_ptr_dtor (zend_execute_API.c:412)
==19284==    by 0x81B9E29: zend_hash_destroy (zend_hash.c:526)
==19284==    by 0x81AEA3C: _zval_dtor_func (zend_variables.c:43)
==19284==    by 0x81A1747: _zval_ptr_dtor (zend_variables.h:35)
==19284==    by 0x81B9A81: zend_hash_apply_deleter (zend_hash.c:611)
==19284==    by 0x81B9D46: zend_hash_graceful_reverse_destroy (zend_hash.c:646)
==19284==    by 0x81A4582: shutdown_executor (zend_execute_API.c:239)
==19284==    by 0x81AF66E: zend_deactivate (zend.c:860)
==19284==    by 0x81673C7: php_request_shutdown (main.c:1492)
==19284==    by 0x8226483: main (php_cli.c:1343)
==19284==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==19284==
==19284== Process terminating with default action of signal 11 (SIGSEGV)
==19284==  Access not within mapped region at address 0x0
==19284==    at 0x81A16EA: _zval_ptr_dtor (zend_execute_API.c:412)
==19284==    by 0x81B9E29: zend_hash_destroy (zend_hash.c:526)
==19284==    by 0x81AEA3C: _zval_dtor_func (zend_variables.c:43)
==19284==    by 0x81A1747: _zval_ptr_dtor (zend_variables.h:35)
==19284==    by 0x81B9A81: zend_hash_apply_deleter (zend_hash.c:611)
==19284==    by 0x81B9D46: zend_hash_graceful_reverse_destroy (zend_hash.c:646)
==19284==    by 0x81A4582: shutdown_executor (zend_execute_API.c:239)
==19284==    by 0x81AF66E: zend_deactivate (zend.c:860)
==19284==    by 0x81673C7: php_request_shutdown (main.c:1492)
==19284==    by 0x8226483: main (php_cli.c:1343)
==19284==
==19284== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 3 from 1)
==19284== malloc/free: in use at exit: 790,981 bytes in 7,064 blocks.
==19284== malloc/free: 7,399 allocs, 335 frees, 1,180,249 bytes allocated.
==19284== For counts of detected errors, rerun with: -v
==19284== searching for pointers to 7,064 not-freed blocks.
==19284== checked 1,025,176 bytes.
==19284==
==19284== LEAK SUMMARY:
==19284==    definitely lost: 0 bytes in 0 blocks.
==19284==      possibly lost: 0 bytes in 0 blocks.
==19284==    still reachable: 790,981 bytes in 7,064 blocks.
==19284==         suppressed: 0 bytes in 0 blocks.
==19284== Rerun with --leak-check=full to see details of leaked memory.

------------------------------------------------------------------------

[2009-04-08 20:37:18] jjuergens at web dot de

Description:
------------
When trying to retrieve data from a MySQL database using a mysqli
statement, PHP just crashes. I excerpted the code below from a larger
web application and invoked it via the PHP CLI, and it still fails with
a memory error.
Interestingly enough though, if you just change a single value within
$arg1 and $arg2 (e.g. replace the last 8 from $arg1 with a 7), the bug
doesn't occur anymore.
I've included a Valgrind output which shows the error.

MySQL version is 5.0.67.

Reproduce code:
---------------
<?php
/*
This is the database-table used:

CREATE TABLE `sessionData` (
 `sessionId` varchar(60) collate utf8_unicode_ci NOT NULL,
 `pathHash` varchar(32) collate utf8_unicode_ci NOT NULL,
 `path` varchar(100) collate utf8_unicode_ci NOT NULL,
 `data` longtext collate utf8_unicode_ci NOT NULL,
 PRIMARY KEY  (`sessionId`,`pathHash`),
 CONSTRAINT `sessionData_ibfk_1` FOREIGN KEY (`sessionId`) REFERENCES
`sessionIndex` (`sessionId`) ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci

*/

//create db-link
$dbLink=new mysqli("host","user","pass","db",3306);

//create the statement
$stmt=$dbLink->prepare("SELECT * FROM `sessionData` WHERE `sessionId`=? AND `pathHash`=? LIMIT 1");

//bind params
$arg1="e75c7781166e3a361b7cff546563d5e8";
$arg2="9ddec3abec5c92628022210892e76afb";
$stmt->bind_param("ss",$arg1,$arg2);

//execute
$stmt->execute();

//create set of result-fields (see http://php.net/manual/de/mysqli-stmt.bind-result.php#85470)
$resData=$stmt->result_metadata();
$resFields=array();
$bindArray=array();

while($field=mysqli_fetch_field($resData)){
        $resFields[]=&$bindArray[$field->name];
}

//bind result-fields
call_user_func_array(array($stmt,'bind_result'),$resFields);

//fetch result
$res=0;
while($stmt->fetch()){
        $tmpRes=array();
        foreach($bindArray as $key=>$value){
                $tmpRes[$key]=$value;
        }
        //add this row (not needed for bug reproduction)
//      array_push($result,$tmpRes);
        $res++;
}

//close statement
$stmt->close();

Expected result:
----------------
In this case, the script should just exit normally without a result.

Actual result:
--------------
Running it in a shell, I get a memory error.
Using Valgrind, I get the following:

==13749== Memcheck, a memory error detector.
==13749== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==13749== Using LibVEX rev 1854, a library for dynamic binary translation.
==13749== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==13749== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==13749== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==13749== For more details, rerun with: -v
==13749==
==13749== Invalid read of size 4
==13749==    at 0x51AA261: mysql_stmt_fetch (in /usr/lib/libmysqlclient.so.15.0.0)
==13749==    by 0x5187D5C: zif_mysqli_stmt_fetch (in /usr/lib/php5/extensions/mysqli.so)
==13749==    by 0x81DE342: (within /usr/bin/php5)
==13749==    by 0x81C94BA: execute (in /usr/bin/php5)
==13749==    by 0x81A3D4F: zend_execute_scripts (in /usr/bin/php5)
==13749==    by 0x81589F9: php_execute_script (in /usr/bin/php5)
==13749==    by 0x821C780: main (in /usr/bin/php5)
==13749==  Address 0x84 is not stack'd, malloc'd or (recently) free'd
==13749==
==13749== Process terminating with default action of signal 11 (SIGSEGV)
==13749==  Access not within mapped region at address 0x84
==13749==    at 0x51AA261: mysql_stmt_fetch (in /usr/lib/libmysqlclient.so.15.0.0)
==13749==    by 0x5187D5C: zif_mysqli_stmt_fetch (in /usr/lib/php5/extensions/mysqli.so)
==13749==    by 0x81DE342: (within /usr/bin/php5)
==13749==    by 0x81C94BA: execute (in /usr/bin/php5)
==13749==    by 0x81A3D4F: zend_execute_scripts (in /usr/bin/php5)
==13749==    by 0x81589F9: php_execute_script (in /usr/bin/php5)
==13749==    by 0x821C780: main (in /usr/bin/php5)
==13749==
==13749== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 118 from 2)
==13749== malloc/free: in use at exit: 1,296,363 bytes in 13,676 blocks.
==13749== malloc/free: 14,687 allocs, 1,011 frees, 2,096,685 bytes allocated.
==13749== For counts of detected errors, rerun with: -v
==13749== searching for pointers to 13,676 not-freed blocks.
==13749== checked 1,736,688 bytes.
==13749==
==13749== LEAK SUMMARY:
==13749==    definitely lost: 30,599 bytes in 11 blocks.
==13749==      possibly lost: 10,263 bytes in 2 blocks.
==13749==    still reachable: 1,255,501 bytes in 13,663 blocks.
==13749==         suppressed: 0 bytes in 0 blocks.
==13749== Rerun with --leak-check=full to see details of leaked memory.



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=47928&edit=1