ID: 33167
User updated by: jsnell at networkninja dot com
Reported By: jsnell at networkninja dot com
-Status: No Feedback
+Status: Open
Bug Type: PostgreSQL related
Operating System: Debian (dotdeb), gentoo
PHP Version: 5.0.5
New Comment:
I had to modify my source a bit to get any output. For some reason PHP
was exiting normally despite stopping halfway through the script.
Here's the modified source:
<?php
error_reporting(E_STRICT | E_ALL);
$db_user = "db_user";
$db_password = "db_pass";
$db_name = "db_name";
$db_port = 5432;
$connect_string = "user=$db_user " .
    "password=$db_password " .
    "port=$db_port " .
    "dbname=$db_name";
$db_link = pg_connect($connect_string);
$query = 'select 1 as one';
$result = pg_exec($db_link, $query);
$i = (float) floor(4/5);   // row index as a float (floor() returns a float)
echo("PRE"); flush();
$data = pg_fetch_array($result, $i); // i think it gets corrupted here
echo('i:'.$i); flush();              // the concat that crashes in the backtrace
$data = pg_fetch_array($result, ($i));
$data = pg_fetch_array($result, ($i));
echo("z\n");
?>
And the backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1213273280 (LWP 17172)]
0xb7d455e7 in memcpy () from /lib/tls/libc.so.6
(gdb) bt
#0  0xb7d455e7 in memcpy () from /lib/tls/libc.so.6
#1  0x08289e15 in concat_function (result=0xbfffc814, op1=0x8493d44, op2=0xbfffc540) at /usr/src/php5-200510021630/Zend/zend_operators.c:1180
#2  0x082c2bc8 in ZEND_CONCAT_SPEC_CONST_CV_HANDLER (execute_data=0xbfffc8a0) at zend_vm_execute.h:3502
#3  0x082bb177 in execute (op_array=0x848ce2c) at zend_vm_execute.h:88
#4  0x0828ea39 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php5-200510021630/Zend/zend.c:1087
#5  0x08245090 in php_execute_script (primary_file=0xbfffed20) at /usr/src/php5-200510021630/main/main.c:1677
#6  0x0830943c in main (argc=4, argv=0xbfffedf4) at /usr/src/php5-200510021630/sapi/cli/php_cli.c:1039
Here's some extra information which I hope will help:
(gdb) frame 1
#1  0x08289e15 in concat_function (result=0xbfffc814, op1=0x8493d44, op2=0xbfffc540) at /usr/src/php5-200510021630/Zend/zend_operators.c:1180
1180            memcpy(result->value.str.val+op1->value.str.len, op2->value.str.val, op2->value.str.len);
(gdb) print result->value.str
$1 = {val = 0x5d54802c "i:", len = 1515870812}
(gdb) print op1->value.str.len
$2 = 2
(gdb) print op2->value.str.val
$3 = 0x0
(gdb) print op2->value.str.len
$4 = 1515870810
(gdb)
(gdb) frame 2
#2  0x082c2bc8 in ZEND_CONCAT_SPEC_CONST_CV_HANDLER (execute_data=0xbfffcd20) at zend_vm_execute.h:3502
3502            concat_function(&EX_T(opline->result.u.var).tmp_var,
(gdb) print *opline
$74 = {handler = 0x82c2b78 <ZEND_CONCAT_SPEC_CONST_CV_HANDLER>, result = {
    op_type = 2, u = {constant = {value = {lval = 580,
          dval = 2.86558074587923e-321, str = {
            val = 0x244 <Address 0x244 out of bounds>, len = 0}, ht = 0x244,
          obj = {handle = 580, handlers = 0x0}}, refcount = 0, type = 0 '\0',
        is_ref = 0 '\0'}, var = 580, opline_num = 580, op_array = 0x244,
      jmp_addr = 0x244, EA = {var = 580, type = 0}}}, op1 = {op_type = 1,
    u = {constant = {value = {lval = 139013284,
          dval = 4.3126732698705173e-314, str = {val = 0x8492ca4 "i:",
            len = 2}, ht = 0x8492ca4, obj = {handle = 139013284,
            handlers = 0x2}}, refcount = 2, type = 6 '\006',
        is_ref = 1 '\001'}, var = 139013284, opline_num = 139013284,
      op_array = 0x8492ca4, jmp_addr = 0x8492ca4, EA = {var = 139013284,
        type = 2}}}, op2 = {op_type = 16, u = {constant = {value = {lval = 8,
          dval = 3.3951932659396882e-313, str = {
            val = 0x8 <Address 0x8 out of bounds>, len = 16}, ht = 0x8,
          obj = {handle = 8, handlers = 0x10}}, refcount = 1,
        type = 6 '\006', is_ref = 0 '\0'}, var = 8, opline_num = 8,
      op_array = 0x8, jmp_addr = 0x8, EA = {var = 8, type = 16}}},
  extended_value = 0, lineno = 20, opcode = 8 '\b'}
Previous Comments:
------------------------------------------------------------------------
[2005-09-26 01:00:01] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
------------------------------------------------------------------------
[2005-09-18 03:11:44] [EMAIL PROTECTED]
Please try using this CVS snapshot:
http://snaps.php.net/php5-latest.tar.gz
And this time: TRY the snapshot for real. And provide the backtrace
using that snapshot if the crash still happens.
------------------------------------------------------------------------
[2005-05-28 00:59:29] jsnell at networkninja dot com
Description:
------------
Calling pg_fetch_array() with the results of a division followed by
calling it with a constant causes a segfault. I have confirmed it in
both cgi and mod php 5.0.4 and also in cgi php 5.0.3.
Reproduce code:
---------------
<?php
// need a valid database to connect to
// contents don't matter
$query = 'select 1 as one';
$db_user = "your_user";
$db_password = "your_pass";
$db_name = "your_db";
$db_port = 5432;
$connect_string = "user=$db_user " .
    "password=$db_password " .
    "port=$db_port " .
    "dbname=$db_name";
$db_link = pg_connect($connect_string);
$result = pg_exec($db_link, $query);
$i = floor(4/5);                      // float 0.0, not int 0
$data = pg_fetch_array($result, $i);  // row index passed as a float
$i = 0;
$data = pg_fetch_array($result, $i);  // second call with an int constant crashes
echo("No segfault");
?>
Expected result:
----------------
No segfault
Actual result:
--------------
gdb backtrace:
#0 0x0820cf3b in _zend_hash_index_update_or_next_insert ()
#1 0x08209c53 in add_index_stringl ()
#2 0x406bee43 in zif_pg_fetch_result () from
/usr/lib/php5/20041030/pgsql.so
#3 0x406bf10f in zif_pg_fetch_array () from
/usr/lib/php5/20041030/pgsql.so
#4 0x0823c4da in zend_do_fcall_common_helper ()
#5 0x0823cb11 in zend_do_fcall_handler ()
#6 0x08224cb5 in execute ()
#7 0x08207e28 in zend_execute_scripts ()
#8 0x081d8bca in php_execute_script ()
#9 0x0824c3f4 in main ()
------------------------------------------------------------------------
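Both reproduce scripts in this report hand pg_fetch_array() a row index that came out of floor(), which is a float in PHP even when its value is integral. The wrapper below is an added example written for this page, not code from the bug report or from the PHP project: it normalises the row argument to a validated, in-range int before the call reaches the extension, so a non-integral, negative or out-of-range value is refused in PHP rather than reaching C code. It assumes PHP 7.1 or later (nullable return types), a pgsql result from pg_query(), and the placeholder connection string in the usage comment is not a real database.

```php
<?php
// Added example (not from the bug report): defensive wrapper around
// pg_fetch_array() that validates the row index before it reaches the
// extension. Assumes PHP >= 7.1 and the pgsql extension.
declare(strict_types=1);

/**
 * Convert a candidate row index into a validated int, or return null.
 * Accepts ints and floats whose value is integral (floor(4/5) is 0.0);
 * rejects negatives, fractional floats, NAN/INF and non-numeric types.
 */
function normalize_row_index($row): ?int
{
    if (is_int($row)) {
        $n = $row;
    } elseif (is_float($row) && is_finite($row) && floor($row) === $row) {
        $n = (int) $row;
    } else {
        return null;
    }
    return $n >= 0 ? $n : null;
}

/**
 * Fetch one row by index, refusing the call unless the index is a valid
 * int below pg_num_rows(). $result is a pgsql result from pg_query().
 */
function safe_fetch_row($result, $row, int $type = PGSQL_ASSOC): ?array
{
    $n = normalize_row_index($row);
    if ($n === null || $n >= pg_num_rows($result)) {
        return null;
    }
    $data = pg_fetch_array($result, $n, $type);
    return $data === false ? null : $data;
}

// Self-check of the normaliser; no database needed for this part.
assert(gettype(floor(4 / 5)) === 'double');      // floor() yields a float
assert(normalize_row_index(floor(4 / 5)) === 0); // integral float is accepted as int 0
assert(normalize_row_index(1.5) === null);       // fractional value refused
assert(normalize_row_index(-1) === null);        // negative refused
assert(normalize_row_index('0') === null);       // strings refused

// Usage against a real database (placeholder credentials, constructed):
// $db  = pg_connect('host=localhost dbname=your_db user=your_user password=your_pass');
// $res = pg_query($db, 'select 1 as one');
// var_dump(safe_fetch_row($res, floor(4 / 5)));  // array('one' => '1')
// var_dump(safe_fetch_row($res, 7));             // NULL: index past pg_num_rows()
```

The normaliser deliberately does not coerce strings or fractional floats, since a silently truncated index is the kind of input that ends up in C code with a value the caller never intended; the bounds check against pg_num_rows() also keeps the extension from ever seeing a row that does not exist.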
--
Edit this bug report at http://bugs.php.net/?id=33167&edit=1