From: basa...@php.net
Operating system: Linux
PHP version: 5.2.11
PHP Bug Type: PDO related
Bug description: Race condition in PDOStatement

Description:
------------
There is a race condition in PDO's stmt PDOStatement class. This class is dynamically created and it adds a member named queryString (inside pdo_stmt_init). zend_declare_property_null allocates the property using malloc. Later pdo_dbstmt_ce is copied to other hashes in pdo_dbstmt_new. zend_hash_copy increments the refcount of the pdo_dbstmt_ce->queryString property. In multithreaded PHP the refcount increment was not atomic. It was causing the refcount to become 0 and hence efree was trying to delete something which was allocated from malloc.

There is a PHP benchmark kit named olio, which can be downloaded from:
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/viewproductdetail-start?productref=olio-php-1.0-a-...@cds-cds_smi

The bug is easily reproducible with the olio PHP benchmark inside Sun Web Server.

Expected result:
----------------
Correct functionality

Actual result:
--------------
Stack trace:
--------------
Program terminated with signal 11, Segmentation fault.
#0  0x00002ba1630451e0 in _zend_mm_free_int () from /home/sun/webserver7/bin/libphp5.so
#1  0x00002ba163084aa0 in zend_std_write_property () from /home/sun/webserver7/bin/libphp5.so
#2  0x00002ba162ebfc4a in pdo_stmt_construct () from /home/sun/webserver7/bin/libphp5.so
#3  0x00002ba162ec0073 in zim_PDO_query () from /home/sun/webserver7/bin/libphp5.so
#4  0x00002ba1630999f9 in zend_do_fcall_common_helper_SPEC () from /home/sun/webserver7/bin/libphp5.so
#5  0x00002ba16308705f in execute () from /home/sun/webserver7/bin/libphp5.so
#6  0x00002ba1630993d8 in zend_do_fcall_common_helper_SPEC () from /home/sun/webserver7/bin/libphp5.so
#7  0x00002ba16308705f in execute () from /home/sun/webserver7/bin/libphp5.so
#8  0x00002ba1630630fa in zend_execute_scripts () from /home/sun/webserver7/bin/libphp5.so
#9  0x00002ba1630188bb in php_execute_script () from /home/sun/webserver7/bin/libphp5.so
#10 0x00002ba1630ee465 in php5_execute ()

-- 
Edit bug report at http://bugs.php.net/?id=49937&edit=1
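The lost-update mechanism the report describes (a plain refcount increment racing across threads when a shared class-entry property is copied per request), shown as an added example; this is not PHP's code, and shared_prop, copy_class_entry and run_copiers are hypothetical stand-ins for the malloc'd queryString property and the per-request zend_hash_copy addref.

```c
/* Added example (not PHP source): models the refcount race from the report.
 * One shared "default property" is copied into per-request class tables by
 * several threads; each copy bumps the refcount like zend_hash_copy's copy
 * constructor does. A plain ++ is a read-modify-write and loses updates under
 * contention, so the count ends up below the number of live copies and a
 * matching number of later decrements can hit 0 while copies still exist. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

#define THREADS 8
#define COPIES 200000

struct shared_prop {              /* stand-in for the malloc'd queryString zval */
    volatile unsigned refcount;   /* plain counter: racy when bumped with ++   */
    atomic_uint atomic_refcount;  /* hardened counter: atomic read-modify-write */
};

static struct shared_prop prop;   /* constructed shared state, one per process */
static int use_atomic;

/* Stand-in for the per-request copy: one refcount increment per copy made. */
static void *copy_class_entry(void *arg) {
    (void)arg;
    for (int i = 0; i < COPIES; i++) {
        if (use_atomic)
            atomic_fetch_add(&prop.atomic_refcount, 1);
        else
            prop.refcount++;      /* load, add, store: another thread can interleave */
    }
    return NULL;
}

/* Runs THREADS copiers and returns the final refcount; the correct value is
 * THREADS * COPIES. With atomic == 0 the result is typically smaller. */
unsigned run_copiers(int atomic) {
    pthread_t t[THREADS];
    use_atomic = atomic;
    prop.refcount = 0;
    atomic_store(&prop.atomic_refcount, 0);
    for (int i = 0; i < THREADS; i++) pthread_create(&t[i], NULL, copy_class_entry, NULL);
    for (int i = 0; i < THREADS; i++) pthread_join(t[i], NULL);
    return atomic ? atomic_load(&prop.atomic_refcount) : prop.refcount;
}

unsigned expected_refcount(void) { return THREADS * COPIES; }

int main(void) {
    printf("racy   refcount: %u (expected %u)\n", run_copiers(0), expected_refcount());
    printf("atomic refcount: %u (expected %u)\n", run_copiers(1), expected_refcount());
    return 0;
}
```

On a multi-core machine the racy run usually reports a count well below the expected value, which is the same shortfall that lets a refcount reach 0 early in the report's scenario.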