Edit report at http://bugs.php.net/bug.php?id=45941&edit=1

 ID:               45941
 Updated by:       and...@php.net
 Reported by:      tony2...@php.net
 Summary:          mysqli_stmt_fetch() crashes
-Status:           Assigned
+Status:           Closed
 Type:             Bug
 Package:          MySQLi related
 Operating System: Linux 64bit
 PHP Version:      5.3CVS-2008-08-28 (CVS)
 Assigned To:      mysql

New Comment:

Can't reproduce anymore, seems fixed.

Previous Comments:
------------------------------------------------------------------------

[2009-04-20 18:10:52] andrey dot hristov at sun dot com

Tony,
I think I have seen this problem and it is because libmysql is faulty. I think it won't be reproducible with mysqlnd. There are other places where you can see problems with libmysql but mysqlnd will perfectly work. These are present in the test cases so we don't forget them.

------------------------------------------------------------------------

[2008-08-28 09:42:58] tony2...@php.net

Description:
------------
ext/mysqli/tests/mysqli_stmt_bind_result.phpt crashes.
The invalid write and the crash it causes are reproducible both in ZTS and non-ZTS modes.

# mysql --version
mysql  Ver 14.12 Distrib 5.0.26, for suse-linux-gnu (x86_64) using readline 5.1

Using ./configure --with-mysqli seems to be enough (i.e. no mysqlnd used).

Reproduce code:
---------------
See ext/mysqli/tests/mysqli_stmt_bind_result.phpt

Actual result:
--------------
GDB bt:

Program terminated with signal 11, Segmentation fault.
#0  0x00000000006e2027 in mysqli_stmt_fetch_libmysql (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:842
842                     if (Z_TYPE_P(stmt->result.vars[i]) == IS_STRING) {
(gdb) bt
#0  0x00000000006e2027 in mysqli_stmt_fetch_libmysql (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:842
#1  0x00000000006e2aaa in zif_mysqli_stmt_fetch (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:984
#2  0x0000000000d3e3ca in zend_do_fcall_common_helper_SPEC (execute_data=0x2b7bf7ab3970, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:315
#3  0x0000000000d48039 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x2b7bf7ab3970, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:1574
#4  0x0000000000d3c7ef in execute (op_array=0x1bf0240, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:104
#5  0x0000000000ce945f in zend_execute_scripts (type=8, tsrm_ls=0x18940c0, retval=0x0, file_count=3) at /local/qa/5_3.gcov/Zend/zend.c:1197
#6  0x0000000000bff458 in php_execute_script (primary_file=0x7fffb30af670, tsrm_ls=0x18940c0) at /local/qa/5_3.gcov/main/main.c:2074
#7  0x0000000000e04d76 in main (argc=61, argv=0x7fffb30af8c8) at /local/qa/5_3.gcov/sapi/cli/php_cli.c:1130

Valgrind log:

==25793== Invalid write of size 1
==25793==    at 0x5CC414: mysqli_stmt_fetch_libmysql (mysqli_api.c:826)
==25793==    by 0x5CCC93: zif_mysqli_stmt_fetch (mysqli_api.c:984)
==25793==    by 0x9E374D: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:315)
==25793==    by 0x9EA1EE: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1574)
==25793==    by 0x9E21FF: execute (zend_vm_execute.h:104)
==25793==    by 0x9AD109: zend_execute_scripts (zend.c:1197)
==25793==    by 0x90F5E1: php_execute_script (main.c:2074)
==25793==    by 0xA618F0: main (php_cli.c:1130)
==25793==  Address 0x8b83368 is 0 bytes after a block of size 256 alloc'd
==25793==    at 0x4C22DAB: malloc (vg_replace_malloc.c:207)
==25793==    by 0x97D83A: _emalloc (zend_alloc.c:2285)
==25793==    by 0x5C9EBB: mysqli_stmt_bind_result_do_bind (mysqli_api.c:407)
==25793==    by 0x5CA55C: zif_mysqli_stmt_bind_result (mysqli_api.c:499)
==25793==    by 0x9E374D: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:315)
==25793==    by 0x9EA1EE: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1574)
==25793==    by 0x9E21FF: execute (zend_vm_execute.h:104)
==25793==    by 0x9AD109: zend_execute_scripts (zend.c:1197)
==25793==    by 0x90F5E1: php_execute_script (main.c:2074)
==25793==    by 0xA618F0: main (php_cli.c:1130)
==25793==
==25793== Invalid read of size 8
==25793==    at 0x997C36: _zval_ptr_dtor (zend_execute_API.c:422)
==25793==    by 0x9A950A: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==25793==    by 0x9BE947: zend_hash_destroy (zend_hash.c:526)
==25793==    by 0x9D8DC3: zend_object_std_dtor (zend_objects.c:45)
==25793==    by 0x5C348B: mysqli_objects_free_storage (mysqli.c:212)
==25793==    by 0x5C38DD: mysqli_result_free_storage (mysqli.c:288)
==25793==    by 0x9DF006: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:215)
==25793==    by 0x9DEB5C: zend_objects_store_del_ref (zend_objects_API.c:171)
==25793==    by 0x9A910B: _zval_dtor_func (zend_variables.c:52)
==25793==    by 0x99788B: _zval_dtor (zend_variables.h:35)
==25793==    by 0x997CE6: _zval_ptr_dtor (zend_execute_API.c:428)
==25793==    by 0x9E26A0: zend_leave_helper_SPEC (zend_vm_execute.h:157)
==25793==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25793==
==25793== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==25793==  Access not within mapped region at address 0x0
==25793==    at 0x997C36: _zval_ptr_dtor (zend_execute_API.c:422)
==25793==    by 0x9A950A: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==25793==    by 0x9BE947: zend_hash_destroy (zend_hash.c:526)
==25793==    by 0x9D8DC3: zend_object_std_dtor (zend_objects.c:45)
==25793==    by 0x5C348B: mysqli_objects_free_storage (mysqli.c:212)
==25793==    by 0x5C38DD: mysqli_result_free_storage (mysqli.c:288)
==25793==    by 0x9DF006: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:215)
==25793==    by 0x9DEB5C: zend_objects_store_del_ref (zend_objects_API.c:171)
==25793==    by 0x9A910B: _zval_dtor_func (zend_variables.c:52)
==25793==    by 0x99788B: _zval_dtor (zend_variables.h:35)
==25793==    by 0x997CE6: _zval_ptr_dtor (zend_execute_API.c:428)
==25793==    by 0x9E26A0: zend_leave_helper_SPEC (zend_vm_execute.h:157)

------------------------------------------------------------------------