Bug #52613 [Asn-Fbk]: crash in mysqlnd
Edit report at http://bugs.php.net/bug.php?id=52613edit=1 ID: 52613 Updated by: and...@php.net Reported by:manuel at mausz dot at Summary:crash in mysqlnd -Status: Assigned +Status: Feedback Type: Bug Package:MySQL related Operating System: Unix PHP Version:5.3.3 Assigned To:andrey Block user comment: N New Comment: If PHP hits the memory limit then mysqlnd loses all control, because Zend takes it. Can you show more information about the crash? Just the bt, without line numbers doesn't help. valgrind output will be even better. Previous Comments: [2010-08-15 17:45:22] manuel at mausz dot at Description: mysqlnd trys to free memory which must not be valid (e.g. if memory_limit prevents that) Test script: --- * create a database table with a bunch of string-columns and fill in a lot of data * write a php script which fetches the content of the whole table and stores the content in an array * run the php script in a shell loop which increases the memory limit by a few kB per step. e.g: for i in $(seq 1 100); do let mem=$i*10; echo $mem; ./sapi/cli/php -dmemory_limit=$mem crash.php; done Expected result: no crash Actual result: -- (gdb) bt #0 0x0838b494 in mysqlnd_palloc_zval_ptr_dtor () #1 0x0838bbc2 in php_mysqlnd_res_free_buffered_data_pub () #2 0x0838be4a in php_mysqlnd_res_free_result_buffers_pub () #3 0x0838bf4f in mysqlnd_internal_free_result_contents () #4 0x0838bfa8 in mysqlnd_internal_free_result () #5 0x0838f984 in php_mysqlnd_res_free_result_pub () #6 0x081ef818 in _free_mysql_result () #7 0x08408ecc in list_entry_destructor () #8 0x08406e2f in zend_hash_apply_deleter () #9 0x08406f13 in zend_hash_graceful_reverse_destroy () #10 0x0840902e in zend_destroy_rsrc_list () #11 0x083fa116 in zend_deactivate () #12 0x0839adfb in php_request_shutdown () #13 0x084b6b22 in main () -- Edit this bug report at http://bugs.php.net/bug.php?id=52613edit=1
Bug #52613 [Asn-Fbk]: crash in mysqlnd
Edit report at http://bugs.php.net/bug.php?id=52613edit=1 ID: 52613 Updated by: and...@php.net Reported by:manuel at mausz dot at Summary:crash in mysqlnd -Status: Assigned +Status: Feedback Type: Bug Package:MySQL related Operating System: Unix PHP Version:5.3.3 Assigned To:andrey Block user comment: N New Comment: This looks strange. ==22090== Invalid read of size 4 ==22090==at 0x82BC0E2: mysqlnd_palloc_zval_ptr_dtor (mysqlnd_result.c:103) ==22090== Access not within mapped region at address 0x8 current_row in the calling function is NULL. Dereferencing NULL with index gives use first 0x0, then 0x4 and 0x8 - you are on 32bit system, thus 3 fields, in this case, on 64bit, this should have been the second field. But how is current_row NULL when there is explicit check just before that call. Anyway, could you try this patch (it is against 5.3.4-dev) and tell me whether it works for you. Your sources are a bit different, put it will probably apply without problem, with some notices. http://hristov.com/tmp/52613.patch.txt Thanks! Previous Comments: [2010-08-17 18:13:07] manuel at mausz dot at ==22090== Memcheck, a memory error detector ==22090== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al. ==22090== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info ==22090== Command: /root/php-5.3.3/sapi/cli/php -dmemory_limit=390 crash2.php ==22090== Fatal error: Allowed memory size of 390 bytes exhausted (tried to allocate 20 bytes) in /var/www/test2/crash2.php on line 12 ==22090== Invalid read of size 4 ==22090==at 0x82BC0E2: mysqlnd_palloc_zval_ptr_dtor (mysqlnd_result.c:103) ==22090==by 0x82BE1A8: php_mysqlnd_res_free_buffered_data_pub (mysqlnd_result.c:208) ==22090==by 0x82BE0AF: php_mysqlnd_res_free_result_buffers_pub (mysqlnd_result.c:253) ==22090==by 0x82BD86F: mysqlnd_internal_free_result_contents (mysqlnd_result.c:285) ==22090==by 0x82BD81F: mysqlnd_internal_free_result (mysqlnd_result.c:302) ==22090==by 0x82BCDA5: php_mysqlnd_res_free_result_pub (mysqlnd_result.c:1336) ==22090==by 0x8178D46: _free_mysql_result (php_mysql.c:417) ==22090==by 0x83236F1: list_entry_destructor (zend_list.c:184) ==22090==by 0x83209D6: zend_hash_apply_deleter (zend_hash.c:611) ==22090==by 0x8320C56: zend_hash_graceful_reverse_destroy (zend_hash.c:646) ==22090==by 0x8315475: zend_deactivate (zend.c:896) ==22090==by 0x82C5D29: php_request_shutdown (main.c:1633) ==22090== Address 0x8 is not stack'd, malloc'd or (recently) free'd ==22090== ==22090== ==22090== Process terminating with default action of signal 11 (SIGSEGV) ==22090== Access not within mapped region at address 0x8 ==22090==at 0x82BC0E2: mysqlnd_palloc_zval_ptr_dtor (mysqlnd_result.c:103) ==22090==by 0x82BE1A8: php_mysqlnd_res_free_buffered_data_pub (mysqlnd_result.c:208) ==22090==by 0x82BE0AF: php_mysqlnd_res_free_result_buffers_pub (mysqlnd_result.c:253) ==22090==by 0x82BD86F: mysqlnd_internal_free_result_contents (mysqlnd_result.c:285) ==22090==by 0x82BD81F: mysqlnd_internal_free_result (mysqlnd_result.c:302) ==22090==by 0x82BCDA5: php_mysqlnd_res_free_result_pub (mysqlnd_result.c:1336) ==22090==by 0x8178D46: _free_mysql_result (php_mysql.c:417) ==22090==by 0x83236F1: list_entry_destructor (zend_list.c:184) ==22090==by 0x83209D6: zend_hash_apply_deleter (zend_hash.c:611) ==22090==by 0x8320C56: zend_hash_graceful_reverse_destroy (zend_hash.c:646) ==22090==by 0x8315475: zend_deactivate (zend.c:896) ==22090==by 0x82C5D29: php_request_shutdown (main.c:1633) ==22090== If you believe this happened as a result of a stack ==22090== overflow in your program's main thread (unlikely but ==22090== possible), you can try to increase the size of the ==22090== main thread stack using the --main-stacksize= flag. ==22090== The main thread stack size used in this run was 8388608. ==22090== ==22090== HEAP SUMMARY: ==22090== in use at exit: 5,336,261 bytes in 31,521 blocks ==22090== total heap usage: 87,945 allocs, 56,424 frees, 11,136,282 bytes allocated ==22090== ==22090== LEAK SUMMARY: ==22090==definitely lost: 0 bytes in 0 blocks ==22090==indirectly lost: 0 bytes in 0 blocks ==22090== possibly lost: 363,504 bytes in 3,303 blocks ==22090==still reachable: 4,972,757 bytes in 28,218 blocks ==22090== suppressed: 0 bytes in 0 blocks ==22090== Rerun with --leak-check=full to see details of leaked memory ==22090== ==22090== For counts of detected and suppressed errors, rerun with: -v ==22090== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 7 from 7) Segmentation fault
Bug #52613 [Asn-Fbk]: crash in mysqlnd
Edit report at http://bugs.php.net/bug.php?id=52613edit=1 ID: 52613 Updated by: and...@php.net Reported by:manuel at mausz dot at Summary:crash in mysqlnd -Status: Assigned +Status: Feedback Type: Bug Package:MySQL related Operating System: Unix PHP Version:5.3.3 Assigned To:andrey Block user comment: N Previous Comments: [2010-08-17 19:04:56] and...@php.net Can you test on the server, which exposed this memory problem? If it is ok, then I will commit the patch to the repository. Thanks! [2010-08-17 18:47:19] manuel at mausz dot at Patch works. No crashes anymore. Although I have to say that I added a check for current_row[col] myself and got some very weird memory corruptions on one webserver (out of ~40) after executing a simple mysql query. Don't know why they occured after adding that check.. Applying your patch to 5.3.3 didn't work, so I added your changes by hand and rediffed: http://pastie.org/private/lu8ajelnwwijjiebzzrrta [2010-08-17 18:28:26] and...@php.net This looks strange. ==22090== Invalid read of size 4 ==22090==at 0x82BC0E2: mysqlnd_palloc_zval_ptr_dtor (mysqlnd_result.c:103) ==22090== Access not within mapped region at address 0x8 current_row in the calling function is NULL. Dereferencing NULL with index gives use first 0x0, then 0x4 and 0x8 - you are on 32bit system, thus 3 fields, in this case, on 64bit, this should have been the second field. But how is current_row NULL when there is explicit check just before that call. Anyway, could you try this patch (it is against 5.3.4-dev) and tell me whether it works for you. Your sources are a bit different, put it will probably apply without problem, with some notices. http://hristov.com/tmp/52613.patch.txt Thanks! [2010-08-17 18:13:07] manuel at mausz dot at ==22090== Memcheck, a memory error detector ==22090== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al. ==22090== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info ==22090== Command: /root/php-5.3.3/sapi/cli/php -dmemory_limit=390 crash2.php ==22090== Fatal error: Allowed memory size of 390 bytes exhausted (tried to allocate 20 bytes) in /var/www/test2/crash2.php on line 12 ==22090== Invalid read of size 4 ==22090==at 0x82BC0E2: mysqlnd_palloc_zval_ptr_dtor (mysqlnd_result.c:103) ==22090==by 0x82BE1A8: php_mysqlnd_res_free_buffered_data_pub (mysqlnd_result.c:208) ==22090==by 0x82BE0AF: php_mysqlnd_res_free_result_buffers_pub (mysqlnd_result.c:253) ==22090==by 0x82BD86F: mysqlnd_internal_free_result_contents (mysqlnd_result.c:285) ==22090==by 0x82BD81F: mysqlnd_internal_free_result (mysqlnd_result.c:302) ==22090==by 0x82BCDA5: php_mysqlnd_res_free_result_pub (mysqlnd_result.c:1336) ==22090==by 0x8178D46: _free_mysql_result (php_mysql.c:417) ==22090==by 0x83236F1: list_entry_destructor (zend_list.c:184) ==22090==by 0x83209D6: zend_hash_apply_deleter (zend_hash.c:611) ==22090==by 0x8320C56: zend_hash_graceful_reverse_destroy (zend_hash.c:646) ==22090==by 0x8315475: zend_deactivate (zend.c:896) ==22090==by 0x82C5D29: php_request_shutdown (main.c:1633) ==22090== Address 0x8 is not stack'd, malloc'd or (recently) free'd ==22090== ==22090== ==22090== Process terminating with default action of signal 11 (SIGSEGV) ==22090== Access not within mapped region at address 0x8 ==22090==at 0x82BC0E2: mysqlnd_palloc_zval_ptr_dtor (mysqlnd_result.c:103) ==22090==by 0x82BE1A8: php_mysqlnd_res_free_buffered_data_pub (mysqlnd_result.c:208) ==22090==by 0x82BE0AF: php_mysqlnd_res_free_result_buffers_pub (mysqlnd_result.c:253) ==22090==by 0x82BD86F: mysqlnd_internal_free_result_contents (mysqlnd_result.c:285) ==22090==by 0x82BD81F: mysqlnd_internal_free_result (mysqlnd_result.c:302) ==22090==by 0x82BCDA5: php_mysqlnd_res_free_result_pub (mysqlnd_result.c:1336) ==22090==by 0x8178D46: _free_mysql_result (php_mysql.c:417) ==22090==by 0x83236F1: list_entry_destructor (zend_list.c:184) ==22090==by 0x83209D6: zend_hash_apply_deleter (zend_hash.c:611) ==22090==by 0x8320C56: zend_hash_graceful_reverse_destroy (zend_hash.c:646) ==22090==by 0x8315475: zend_deactivate (zend.c:896) ==22090==by 0x82C5D29: php_request_shutdown (main.c:1633) ==22090== If you believe this happened as a result of a stack ==22090== overflow in your program's main thread (unlikely but ==22090== possible), you can try to increase the size of the ==22090== main thread stack using the --main-stacksize= flag. ==22090== The main