ID: 47928
Updated by: [email protected]
Reported By: jjuergens at web dot de
-Status: Open
+Status: Feedback
Bug Type: MySQLi related
Operating System: Opensuse 11.1
PHP Version: 5.2.9
New Comment:
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.
A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.
Please avoid embedding huge scripts into the report.
Previous Comments:
------------------------------------------------------------------------
[2009-04-13 20:21:37] jjuergens at web dot de
Well, I thought that a senseless script alone shouldn't be enough to
crash the interpreter, but then again what do I know...
Anyhow, as I wrote in the code, that particular idea didn't come from
me, but I sat down and changed it to a more understandable version.
Also, I added some echo()s and figured out what causes the problem.
------------
1. The DB-side:
On my machine, it doesn't matter what is written inside the data-field,
but as soon as I set a data-field to contain 281 characters and attempt
to read it, PHP crashes when reading that row. On another machine with
Suhosin it feeds me the efree()/heap overflow-message as soon as I enter
a single character (as long as the field is empty no error is raised)
and when I enter more than 280 chars the efree()-message disappears and
I get a segfault instead.
------------
2. The script
The script is excerpted from a larger class where it queries the database
and returns all found results in an array, that's the reason it seems a
bit complicated but it makes more sense in its context. As mentioned
before, I've changed it for easier reading, although it worked as well
before. Here's the critical part again:
// create set of result-fields
$resData=$stmt->result_metadata();
//this will contain the field-names to bind to the resultset
$resFields=array();
//1. while-loop: get all field-names
while($field=mysqli_fetch_field($resData)){
    //save this fieldname
    $resFields[$field->name]=null;
}
//bind result-fields
call_user_func_array(array($stmt,'bind_result'),$resFields);
//this is for the results
$result=array();
//2. while-loop: fetch result
while($stmt->fetch()){
    $tmpRes=array();
    //get all fields from this row
    foreach($resFields as $key=>$value){
        $tmpRes[$key]=$value;
    }
    //add this row to the result
    array_push($result,$tmpRes);
}
//close statement
$stmt->close();
//print results
print_r($result);
------------
3. The results
I added some echo()-statements to figure out at which part the segfault
happens. The first iteration of the 2nd while-loop is completed, then it
crashes. So my guess is that the $stmt->fetch() is the cause, which
makes sense to me, as the valgrind-output mentions it too:
==4161== Jump to the invalid address stated on the next line
==4161== at 0x20: ???
==4161== by 0x5187D5C: zif_mysqli_stmt_fetch (in
/usr/lib/php5/extensions/mysqli.so)
==4161== by 0x81DE342: (within /usr/bin/php5)
==4161== by 0x81C94BA: execute (in /usr/bin/php5)
==4161== by 0x81A3D4F: zend_execute_scripts (in /usr/bin/php5)
==4161== by 0x81589F9: php_execute_script (in /usr/bin/php5)
==4161== by 0x821C780: main (in /usr/bin/php5)
==4161== Address 0x20 is not stack'd, malloc'd or (recently) free'd
Oh, by the way: I tried this script on two very different machines and
I still got a segfault on both.
------------------------------------------------------------------------
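As an added example (not code from this bug report, from the reporter or from the PHP developers), here is the dynamic bind_result() pattern that both the reporter's script above and the maintainer's quoted fragment below are reaching for, done with references to array entries that already exist and with each fetched row copied out by value. It assumes a reachable MySQL server; the credentials are placeholders and the temporary table and rows are constructed by the script itself.

```php
<?php
// Added example, not code from bug #47928 itself: dynamic bind_result()
// with references to array entries that already exist, plus a by-value
// copy of each fetched row. Assumes a reachable MySQL server; the
// credentials are placeholders and the table/rows are constructed here.
$mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'test');
if (mysqli_connect_errno()) {
    die('connect failed: ' . mysqli_connect_error() . "\n");
}
$mysqli->query('CREATE TEMPORARY TABLE t (id INT, data TEXT)');
$mysqli->query("INSERT INTO t VALUES (1, REPEAT('x', 281)), (2, '')");
$stmt = $mysqli->prepare('SELECT id, data FROM t WHERE id >= ?');
if (!$stmt) {
    die('prepare failed: ' . $mysqli->error . "\n");
}
$min = 1;
$stmt->bind_param('i', $min);
$stmt->execute();
// Buffer the complete result client-side before binding, so long TEXT
// values do not depend on the default fetch buffer length.
$stmt->store_result();

$meta = $stmt->result_metadata();
$row  = array();   // one named slot per column; fetch() writes into these
$refs = array();   // references to those slots, in column order
while ($field = $meta->fetch_field()) {
    $row[$field->name] = null;           // create the entry first ...
    $refs[] = &$row[$field->name];       // ... then take a reference to it
}
$meta->free();
// bind_result() takes its arguments by reference, so pass the references,
// not a copy of the values
call_user_func_array(array($stmt, 'bind_result'), $refs);

$result = array();
while ($stmt->fetch()) {
    // $row holds references, so "$result[] = $row" would make every stored
    // row alias the same variables; copy each value out instead
    $copy = array();
    foreach ($row as $name => $value) {
        $copy[$name] = $value;
    }
    $result[] = $copy;
}
$stmt->close();
$mysqli->close();
print_r($result);   // two rows: id 1 with 281 chars of data, id 2 with ''
?>
```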
[2009-04-13 17:39:06] [email protected]
Please provide a sane reproduce script. The one provided cannot
work, ever. What exactly is this supposed to achieve anyway:
$resData=$stmt->result_metadata();
$resFields=array();
$bindArray=array();
while($field=mysqli_fetch_field($resData)){
    $resFields[]=&$bindArray[$field->name];
}
References to nonexistent array entries..? You're ending up with
references to NULL. With proper ini settings, this leads to an error
about allowed memory exhausted. You probably have some minor
differences with stack size and such since you end up with a
segfault.
------------------------------------------------------------------------
[2009-04-12 14:42:39] jjuergens at web dot de
Ok, here's my new configure line, didn't see what else I could remove:
> /temp/php3/bin/php -i
phpinfo()
PHP Version => 5.2.10-dev
System => Linux medion 2.6.27.7-9-default #1 SMP 2008-12-04 18:10:04 +0100 i686
Build Date => Apr 12 2009 16:32:09
Configure Command => './configure' '--prefix=/temp/php3' '--enable-static' '--enable-cli' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-mysqli'
------------
Now running the script with this version, I get a segfault again.
> /temp/php3/bin/php -n mysqli.php
Speicherzugriffsfehler
------------
And here's the matching valgrind-output:
> /temp/php3/bin/php -n mysqli.php
Speicherzugriffsfehler
d...@medion:~/Desktop/temp> valgrind /temp/php3/bin/php -n mysqli.php
==32741== Memcheck, a memory error detector.
==32741== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==32741== Using LibVEX rev 1854, a library for dynamic binary translation.
==32741== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==32741== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==32741== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==32741== For more details, rerun with: -v
==32741==
==32741== Invalid read of size 4
==32741== at 0x82859CA: _zval_ptr_dtor (zend_execute_API.c:412)
==32741== by 0x829C28D: zend_hash_destroy (zend_hash.c:526)
==32741== by 0x8291DE4: _zval_dtor_func (zend_variables.c:43)
==32741== by 0x8285A1F: _zval_ptr_dtor (zend_variables.h:35)
==32741== by 0x829BF41: zend_hash_apply_deleter (zend_hash.c:611)
==32741== by 0x829C1CE: zend_hash_graceful_reverse_destroy (zend_hash.c:646)
==32741== by 0x828839F: shutdown_executor (zend_execute_API.c:239)
==32741== by 0x8292882: zend_deactivate (zend.c:860)
==32741== by 0x8251666: php_request_shutdown (main.c:1492)
==32741== by 0x82FDC80: main (php_cli.c:1343)
==32741== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==32741==
==32741== Process terminating with default action of signal 11 (SIGSEGV)
==32741== Access not within mapped region at address 0x0
==32741== at 0x82859CA: _zval_ptr_dtor (zend_execute_API.c:412)
==32741== by 0x829C28D: zend_hash_destroy (zend_hash.c:526)
==32741== by 0x8291DE4: _zval_dtor_func (zend_variables.c:43)
==32741== by 0x8285A1F: _zval_ptr_dtor (zend_variables.h:35)
==32741== by 0x829BF41: zend_hash_apply_deleter (zend_hash.c:611)
==32741== by 0x829C1CE: zend_hash_graceful_reverse_destroy (zend_hash.c:646)
==32741== by 0x828839F: shutdown_executor (zend_execute_API.c:239)
==32741== by 0x8292882: zend_deactivate (zend.c:860)
==32741== by 0x8251666: php_request_shutdown (main.c:1492)
==32741== by 0x82FDC80: main (php_cli.c:1343)
==32741==
==32741== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 3 from 1)
==32741== malloc/free: in use at exit: 1,016,362 bytes in 10,656 blocks.
==32741== malloc/free: 11,104 allocs, 448 frees, 1,409,172 bytes allocated.
==32741== For counts of detected errors, rerun with: -v
==32741== searching for pointers to 10,656 not-freed blocks.
==32741== checked 1,208,392 bytes.
==32741==
==32741== LEAK SUMMARY:
==32741== definitely lost: 0 bytes in 0 blocks.
==32741== possibly lost: 0 bytes in 0 blocks.
==32741== still reachable: 1,016,362 bytes in 10,656 blocks.
==32741== suppressed: 0 bytes in 0 blocks.
==32741== Rerun with --leak-check=full to see details of leaked memory.
Speicherzugriffsfehler
------------------------------------------------------------------------
[2009-04-11 23:54:58] [email protected]
Try building the snapshot with shortest possible configure line
necessary. And do not use shared extensions when debugging the crash,
build all static and use -n when running the test to prevent loading
any php.ini's.
------------------------------------------------------------------------
[2009-04-11 09:44:13] jjuergens at web dot de
Ok, I just downloaded the latest version (php5.2-200904110630) and
compiled it with the following options:
'./configure' '--prefix=/temp/php' '--enable-libxml' '--enable-session' '--with-mm'
'--with-pcre-regex=/usr' '--enable-xml' '--enable-simplexml' '--enable-spl'
'--enable-filter' '--disable-debug' '--enable-inline-optimization' '--disable-rpath'
'--disable-static' '--enable-shared' '--program-suffix=5' '--with-pic' '--with-gnu-ld'
'--with-system-tzdata=/usr/share/zoneinfo' '--enable-cli'
'--with-pear=/usr/share/php5/PEAR' '--enable-bcmath=shared' '--enable-calendar=shared'
'--enable-ctype=shared' '--enable-dbase=shared' '--enable-dom=shared'
'--enable-exif=shared' '--enable-ftp=shared' '--enable-mbstring=shared'
'--enable-mbregex' '--enable-pcntl=shared' '--enable-posix=shared'
'--enable-shmop=shared' '--enable-soap=shared' '--enable-sockets=shared'
'--enable-sysvmsg=shared' '--enable-sysvsem=shared' '--enable-sysvshm=shared'
'--enable-tokenizer=shared' '--enable-wddx=shared' '--with-zlib=shared'
'--with-bz2=shared' '--with-curl=shared' '--with-gd=shared' '--enable-gd-native-ttf'
'--with-xpm-dir=/usr' '--with-freetype-dir=/usr' '--with-png-dir=/usr'
'--with-jpeg-dir=/usr' '--with-zlib-dir=/usr' '--with-t1lib=/usr'
'--with-gettext=shared' '--with-gmp=shared' '--enable-hash=shared'
'--with-iconv=shared' '--with-imap-ssl' '--enable-json=shared'
'--with-libedit=shared,/usr' '--with-mcrypt=shared' '--with-mysql=shared,/usr'
'--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-mysqli'
'--with-ncurses=shared' '--with-unixODBC=shared,/usr' '--with-openssl=shared'
'--with-xmlrpc=shared' '--enable-xmlreader=shared' '--enable-xmlwriter=shared'
'--with-xsl=shared' '--with-tidy=shared,/usr' '--enable-dba=shared'
'--with-db4=/usr' '--without-gdbm' '--with-cdb' '--with-inifile' '--with-flatfile'
'--enable-pdo=shared' '--with-pdo_sqlite=shared,/usr' '--with-pdo-mysql=shared,/usr'
'--with-pdo-odbc=shared,unixODBC,/usr' '--with-sqlite=shared,/usr'
'--enable-sqlite-utf8' '--enable-zip=shared' '--disable-cgi'
Running it with the same code I posted here I get a memory-error again.
But Valgrind shows some different output than before:
>valgrind /temp/php/bin/php5 mysqli.php
==19284== Memcheck, a memory error detector.
==19284== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==19284== Using LibVEX rev 1854, a library for dynamic binary translation.
==19284== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==19284== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==19284== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==19284== For more details, rerun with: -v
==19284==
==19284== Invalid read of size 4
==19284== at 0x81A16EA: _zval_ptr_dtor (zend_execute_API.c:412)
==19284== by 0x81B9E29: zend_hash_destroy (zend_hash.c:526)
==19284== by 0x81AEA3C: _zval_dtor_func (zend_variables.c:43)
==19284== by 0x81A1747: _zval_ptr_dtor (zend_variables.h:35)
==19284== by 0x81B9A81: zend_hash_apply_deleter (zend_hash.c:611)
==19284== by 0x81B9D46: zend_hash_graceful_reverse_destroy (zend_hash.c:646)
==19284== by 0x81A4582: shutdown_executor (zend_execute_API.c:239)
==19284== by 0x81AF66E: zend_deactivate (zend.c:860)
==19284== by 0x81673C7: php_request_shutdown (main.c:1492)
==19284== by 0x8226483: main (php_cli.c:1343)
==19284== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==19284==
==19284== Process terminating with default action of signal 11 (SIGSEGV)
==19284== Access not within mapped region at address 0x0
==19284== at 0x81A16EA: _zval_ptr_dtor (zend_execute_API.c:412)
==19284== by 0x81B9E29: zend_hash_destroy (zend_hash.c:526)
==19284== by 0x81AEA3C: _zval_dtor_func (zend_variables.c:43)
==19284== by 0x81A1747: _zval_ptr_dtor (zend_variables.h:35)
==19284== by 0x81B9A81: zend_hash_apply_deleter (zend_hash.c:611)
==19284== by 0x81B9D46: zend_hash_graceful_reverse_destroy (zend_hash.c:646)
==19284== by 0x81A4582: shutdown_executor (zend_execute_API.c:239)
==19284== by 0x81AF66E: zend_deactivate (zend.c:860)
==19284== by 0x81673C7: php_request_shutdown (main.c:1492)
==19284== by 0x8226483: main (php_cli.c:1343)
==19284==
==19284== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 3 from 1)
==19284== malloc/free: in use at exit: 790,981 bytes in 7,064 blocks.
==19284== malloc/free: 7,399 allocs, 335 frees, 1,180,249 bytes allocated.
==19284== For counts of detected errors, rerun with: -v
==19284== searching for pointers to 7,064 not-freed blocks.
==19284== checked 1,025,176 bytes.
==19284==
==19284== LEAK SUMMARY:
==19284== definitely lost: 0 bytes in 0 blocks.
==19284== possibly lost: 0 bytes in 0 blocks.
==19284== still reachable: 790,981 bytes in 7,064 blocks.
==19284== suppressed: 0 bytes in 0 blocks.
==19284== Rerun with --leak-check=full to see details of leaked memory.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/47928