Edit report at https://bugs.php.net/bug.php?id=65337&edit=1

 ID:                 65337
 Updated by:         johan...@php.net
 Reported by:        pool at unimca dot com
 Summary:            Segmentation Fault in _zend_mm_free_int using
                     mysqlnd
-Status:             Open
+Status:             Duplicate
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Linux Debian Wheezy amd64
 PHP Version:        5.4.17
 Block user comment: N
 Private report:     N

 New Comment:

Already fixed in this commit: 
https://github.com/php/php-src/commit/9fc38183b707341b6eddb8c196d0ea2b7c13d6a9


Previous Comments:
------------------------------------------------------------------------
[2013-07-28 13:34:55] pool at unimca dot com

Error also occurs with integer key:

CREATE TABLE `testTable` (
  `id` int auto_increment,
  `content` varchar(30) NOT NULL,
  PRIMARY KEY (`id`)
);

------------------------------------------------------------------------
[2013-07-25 16:35:01] pool at unimca dot com

Description:
------------
I get recurring (script to reproduce attached) segmentation faults. Both PHP 
5.4.17 and 5.4.4.
When I query mySQL using:
- mysqli
- mysqlnd (native driver)
- prepared statements
- specific number of parameters
For me a number of parameters in the provided script of 1923-2033 produce the 
error. A number below or above works fine. The numbers might vary from system 
to system (I don't know). To take this into account, I made the script loop 
with different numbers of parameters.

The Apache2 log reports: [notice] child pid 30414 exit signal Segmentation 
fault (11)

I get the same error when using PDO and prepared statements (with real prepared 
statements, ATTR_EMULATE_PREPARES = false).

I compiled PHP 5.4.17 myself (I'm not experienced in doing so). PHP 5.4.4 was 
out of the box.
Both use mysqlnd in what seems to be the same version 5.0.10 ((?) according to 
phpinfo()).

mySQL is out of the box wheezy: is Ver 14.14 Distrib 5.5.31, for 
debian-linux-gnu (x86_64) using readline 6.2. Using InnoDB
Debian Wheezy is: 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux

Can anyone confirm that this is not specific to my machine/installation?



Test script:
---------------
<?php 
  
/*
CREATE DATABASE testDatabase
 CHARACTER SET utf8
 DEFAULT CHARACTER SET utf8
 COLLATE utf8_general_ci
 DEFAULT COLLATE utf8_general_ci;
USE testDatabase;
SET NAMES 'utf8';

GRANT CREATE, ALTER, INDEX, DROP, CREATE TEMPORARY TABLES, SELECT, INSERT, 
UPDATE, DELETE ON testDatabase.* TO 'testUser'@'localhost' IDENTIFIED BY 
'testPassword';
GRANT CREATE, ALTER, INDEX, DROP, CREATE TEMPORARY TABLES, SELECT, INSERT, 
UPDATE, DELETE ON testDatabase.* TO 'testUser'@'localhost.localdomain' 
IDENTIFIED BY 'testPassword';
FLUSH PRIVILEGES;

CREATE TABLE `testTable` (
  `testField` binary(16) NOT NULL,
  `content` varchar(30) NOT NULL,
  PRIMARY KEY (`testField`)
);
*/

for($j=2;$j<65000;$j++)
{
    $arBind = array();
    $sBind = '';

    for($i=0;$i<$j;$i++) //$j = number parameters for prepared statement
    {
        $sBind .= 's';
        $arBind[] = '00000000000000000000000000000000';
    }
    echo '<br>Going to probe number of parameters: ' . count($arBind);
    ob_flush(); //print it to browser right away, not required for script
    flush();    //print it to browser right away, not required for script

    //Constructing the query
    $query = 'SELECT * from testTable WHERE testField IN(unhex(?)';
    $questionMarksMinus1 = count($arBind) - 1; //1 questionmark already set in query
    for($i=1;$i<=$questionMarksMinus1;$i++)
    {
        $query .= ',unhex(?)';
    }
    $query .= ')';

    $mysqliConn = mysqli_connect('127.0.0.1', 'testUser', 'testPassword');
    $mysqliConn->select_db('testDatabase');
    $mysqliSTMT = $mysqliConn->stmt_init();
    $mysqliSTMT->prepare($query);

    array_unshift($arBind,$sBind); //add the type string to the beginning of the array
    //bind the parameters. bind_param expects references and not values -> making new reference array
    $arBindRef = array();
    foreach($arBind as $key => $value)
    {
        $arBindRef[] = &$arBind[$key];
    }
    call_user_func_array(array($mysqliSTMT,'bind_param'),$arBindRef);

    $mysqliSTMT->execute(); //here the problem occurs
}

echo '<br>FINISHED';
?>

Expected result:
----------------
No segmentation fault

Actual result:
--------------
  (gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
_zend_mm_free_int (heap=0x7f7a2473fa40, p=0x7f7a19cd5f38) at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_alloc.c:2100
2100            if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
(gdb) bt
#0  _zend_mm_free_int (heap=0x7f7a2473fa40, p=0x7f7a19cd5f38) at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_alloc.c:2100
#1  0x00007f7a1eb08afd in _mysqlnd_pefree (ptr=<optimized out>, persistent=0 
'\000') at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_alloc.c:372
#2  0x00007f7a1eb14cfa in mysqlnd_internal_free_result_contents 
(result=0x7f7a19d479e8) at 
/home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_result.c:288
#3  0x00007f7a1eb14d1a in mysqlnd_internal_free_result (result=0x7f7a19d479e8) 
at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_result.c:302
#4  0x00007f7a1eb1b9a1 in php_mysqlnd_stmt_free_stmt_content_pub 
(s=0x7f7a19cc6ae0) at 
/home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2115
#5  0x00007f7a1eb1cc4c in php_mysqlnd_stmt_net_close_priv (s=<optimized out>, 
implicit=<optimized out>) at 
/home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2203
#6  0x00007f7a1eb1b66e in php_mysqlnd_stmt_dtor_pub (s=0x7f7a19cc6ae0, 
implicit=1 '\001') at 
/home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2229
#7  0x00007f7a1e9ab018 in php_clear_stmt_bind (stmt=0x7f7a19f1d658) at 
/home/myUser/DebMaking/php-5.4.17/ext/mysqli/mysqli.c:164
#8  0x00007f7a1e9ab06a in mysqli_stmt_free_storage (object=0x7f7a19cc6860) at 
/home/myUser/DebMaking/php-5.4.17/ext/mysqli/mysqli.c:255
#9  0x00007f7a1ebada26 in zend_objects_store_del_ref_by_handle_ex (handle=2, 
handlers=<optimized out>) at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_objects_API.c:221
#10 0x00007f7a1ebada43 in zend_objects_store_del_ref (zobject=0x7f7a19cc5360) 
at /home/myUser/DebMaking/php-5.4.17/Zend/zend_objects_API.c:173
#11 0x00007f7a1eb77d29 in _zval_dtor (zvalue=<optimized out>) at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_variables.h:35
#12 _zval_ptr_dtor (zval_ptr=0x7f7a19cc6918) at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:436
#13 _zval_ptr_dtor (zval_ptr=0x7f7a19cc6918) at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:425
#14 0x00007f7a1eb930a5 in zend_hash_apply_deleter (ht=ht@entry=0x7f7a1f396d08, 
p=p@entry=0x7f7a19cc6900) at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_hash.c:650
#15 0x00007f7a1eb94be1 in zend_hash_reverse_apply (ht=ht@entry=0x7f7a1f396d08, 
apply_func=apply_func@entry=0x7f7a1eb77bb0 <zval_call_destructor>)
    at /home/myUser/DebMaking/php-5.4.17/Zend/zend_hash.c:804
#16 0x00007f7a1eb78041 in shutdown_destructors () at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:217
#17 0x00007f7a1eb86ac7 in zend_call_destructors () at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend.c:922
#18 0x00007f7a1eb27e25 in php_request_shutdown (dummy=dummy@entry=0x0) at 
/home/myUser/DebMaking/php-5.4.17/main/main.c:1742
#19 0x00007f7a1ec305af in php_apache_request_dtor (r=<optimized out>) at 
/home/myUser/DebMaking/php-5.4.17/sapi/apache2handler/sapi_apache2.c:507
#20 php_handler (r=0x7f7a22af20a0) at 
/home/myUser/DebMaking/php-5.4.17/sapi/apache2handler/sapi_apache2.c:679
#21 0x00007f7a22d0db60 in ap_run_handler ()
#22 0x00007f7a22d0dfab in ap_invoke_handler ()
#23 0x00007f7a22d1e088 in ap_process_request ()
#24 0x00007f7a22d1af48 in ?? ()
#25 0x00007f7a22d14520 in ap_run_process_connection ()
#26 0x00007f7a22d22cb9 in ?? ()
#27 0x00007f7a22d233d2 in ?? ()
#28 0x00007f7a22d23f36 in ap_mpm_run ()
#29 0x00007f7a22cf8832 in main ()
(gdb) bt full
#0  _zend_mm_free_int (heap=0x7f7a2473fa40, p=0x7f7a19cd5f38) at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_alloc.c:2100
        mm_block = 0x7f7a19cd5f28
        next_block = 0x3030afaa49fd8f58
        size = 3472328296227680304
#1  0x00007f7a1eb08afd in _mysqlnd_pefree (ptr=<optimized out>, persistent=0 
'\000') at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_alloc.c:372
        free_amount = <optimized out>
        collect_memory_statistics = 0 '\000'
#2  0x00007f7a1eb14cfa in mysqlnd_internal_free_result_contents 
(result=0x7f7a19d479e8) at 
/home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_result.c:288
No locals.
#3  0x00007f7a1eb14d1a in mysqlnd_internal_free_result (result=0x7f7a19d479e8) 
at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_result.c:302
No locals.
#4  0x00007f7a1eb1b9a1 in php_mysqlnd_stmt_free_stmt_content_pub 
(s=0x7f7a19cc6ae0) at 
/home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2115
        stmt = 0x7f7a19cc6b30
#5  0x00007f7a1eb1cc4c in php_mysqlnd_stmt_net_close_priv (s=<optimized out>, 
implicit=<optimized out>) at 
/home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2203
        stmt = 0x7f7a19cc6b30
        conn = <optimized out>
        cmd_buf = "\001\000\000"
        statistic = <optimized out>
#6  0x00007f7a1eb1b66e in php_mysqlnd_stmt_dtor_pub (s=0x7f7a19cc6ae0, 
implicit=1 '\001') at 
/home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2229
        stmt = 0x7f7a19cc6b30
        ret = FAIL
        persistent = 0 '\000'
#7  0x00007f7a1e9ab018 in php_clear_stmt_bind (stmt=0x7f7a19f1d658) at 
/home/myUser/DebMaking/php-5.4.17/ext/mysqli/mysqli.c:164
No locals.
#8  0x00007f7a1e9ab06a in mysqli_stmt_free_storage (object=0x7f7a19cc6860) at 
/home/myUser/DebMaking/php-5.4.17/ext/mysqli/mysqli.c:255
        stmt = <optimized out>
        zo = 0x7f7a19cc6860
        intern = 0x7f7a19cc6860
        my_res = <optimized out>
#9  0x00007f7a1ebada26 in zend_objects_store_del_ref_by_handle_ex (handle=2, 
handlers=<optimized out>) at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_objects_API.c:221
        __orig_bailout = <optimized out>
        __bailout = {{__jmpbuf = {140162395558752, -8192091644916044739, 
140162395540600, 140162486594824, 140162478078896, 140735356192568, 
-8123113098347975619, 
              -8192088360732496835}, __mask_was_saved = 0, __saved_mask = 
{__val = {140162477808826, 140161962737665, 0, 5283658345051342928, 
140162477785156, 0, 
                140162542126972, 0, 0, 140735356190832, 140162397992704, 
140162531681520, 140162477986829, 140162486592512, 0, 0}}}}
        obj = 0x7f7a19f05070
        failure = <optimized out>
#10 0x00007f7a1ebada43 in zend_objects_store_del_ref (zobject=0x7f7a19cc5360) 
at /home/myUser/DebMaking/php-5.4.17/Zend/zend_objects_API.c:173
        handle = <optimized out>
#11 0x00007f7a1eb77d29 in _zval_dtor (zvalue=<optimized out>) at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_variables.h:35
No locals.
#12 _zval_ptr_dtor (zval_ptr=0x7f7a19cc6918) at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:436
No locals.
#13 _zval_ptr_dtor (zval_ptr=0x7f7a19cc6918) at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:425
No locals.
#14 0x00007f7a1eb930a5 in zend_hash_apply_deleter (ht=ht@entry=0x7f7a1f396d08, 
p=p@entry=0x7f7a19cc6900) at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_hash.c:650
        retval = <optimized out>
#15 0x00007f7a1eb94be1 in zend_hash_reverse_apply (ht=ht@entry=0x7f7a1f396d08, 
apply_func=apply_func@entry=0x7f7a1eb77bb0 <zval_call_destructor>)
    at /home/myUser/DebMaking/php-5.4.17/Zend/zend_hash.c:804
        result = 1
        p = 0x7f7a19cc0c78
        q = 0x7f7a19cc6900
#16 0x00007f7a1eb78041 in shutdown_destructors () at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:217
        symbols = 14
        __orig_bailout = 0x7fff80e9bf30
        __bailout = {{__jmpbuf = {140162486594432, -8192091645151974339, 
140162544640160, 140162549147716, -4294967295, 140735356192568, 
-8123113101239948227, 
              -8192088332522132419}, __mask_was_saved = 0, __saved_mask = 
{__val = {140162482955400, 140162397992704, 140162477812253, 0, 
140162397992840, 103079215104, 
                140162477986829, 140162397992896, 140162477986829, 0, 
433992944, 8, 140162396730936, 7, 23, 140162486594824}}}}
#17 0x00007f7a1eb86ac7 in zend_call_destructors () at 
/home/myUser/DebMaking/php-5.4.17/Zend/zend.c:922
        __orig_bailout = <optimized out>
        __bailout = {{__jmpbuf = {140162486594432, -8192091645151974339, 
140162544640160, 140162549147716, -4294967295, 140735356192568, 
-8123113101273502659, 
              -8192088337574958019}, __mask_was_saved = 0, __saved_mask = 
{__val = {140735356192568, 140735356191360, 140162537525486, 3, 
140735356191400, 
                140162479205191, 140162544640040, 140162477998400, 
140162574668336, 140162544603136, 140162544606128, 8, 18446744069414584321, 
140162486592808, 
                140162486592512, 140162544640160}}}}
#18 0x00007f7a1eb27e25 in php_request_shutdown (dummy=dummy@entry=0x0) at 
/home/myUser/DebMaking/php-5.4.17/main/main.c:1742
        __orig_bailout = <optimized out>
        __bailout = {{__jmpbuf = {140162486594432, -8192091645151974339, 
140162544640160, 140162549147716, -4294967295, 140735356192568, 
-8123113101149770691, 
              -8192088286588605379}, __mask_was_saved = 0, __saved_mask = 
{__val = {140162544640040, 4, 140162544606160, 140735356191600, 
140162537483668, 
                140162483051270, 140162544606128, 140162483051320, 
140162544643688, 4294967400, 409318933599, 55834574848, 140162544643984, 
140162483051323, 
                140162544640160, 140162486593120}}}}
        report_memleaks = 1 '\001'
#19 0x00007f7a1ec305af in php_apache_request_dtor (r=<optimized out>) at 
/home/myUser/DebMaking/php-5.4.17/sapi/apache2handler/sapi_apache2.c:507
No locals.
#20 php_handler (r=0x7f7a22af20a0) at 
/home/myUser/DebMaking/php-5.4.17/sapi/apache2handler/sapi_apache2.c:679
        ctx = 0x7f7a22aefe08
        conf = 0x7f7a22c203d8
        brigade = 0x7f7a22ae9b08
        bucket = <optimized out>
        rv = <optimized out>
        parent_req = 0x0
#21 0x00007f7a22d0db60 in ap_run_handler ()
No symbol table info available.
#22 0x00007f7a22d0dfab in ap_invoke_handler ()
No symbol table info available.
#23 0x00007f7a22d1e088 in ap_process_request ()
No symbol table info available.
#24 0x00007f7a22d1af48 in ?? ()
No symbol table info available.
#25 0x00007f7a22d14520 in ap_run_process_connection ()
No symbol table info available.
#26 0x00007f7a22d22cb9 in ?? ()
No symbol table info available.
#27 0x00007f7a22d233d2 in ?? ()
No symbol table info available.
#28 0x00007f7a22d23f36 in ap_mpm_run ()
No symbol table info available.
#29 0x00007f7a22cf8832 in main ()
No symbol table info available.


phpinfo() of my 5.4.17:
  Configure Command    './configure' '--prefix=/usr' '--with-mysql=mysqlnd' 
'--with-mysqli=mysqlnd' '--with-pdo-mysql=mysqlnd' 
'--with-apxs2=/usr/bin/apxs2' '--with-libdir=/lib/x86_64-linux-gnu' 
'--without-db4' '--without-qdbm' '--without-gdbm' '--without-imap' 
'--with-sqlite3' '--with-gd' '--with-config-file-path=/etc/php5/apache2' 
'--with-config-file-scan-dir=/etc/php5/apache2/conf.d' 
'--build=x86_64-linux-gnu' '--host=x86_64-linux-gnu' '--sysconfdir=/etc' 
'--localstatedir=/var' '--mandir=/usr/share/man' '--disable-debug' 
'--with-regex=php' '--disable-rpath' '--disable-static' '--with-pic' 
'--with-layout=GNU' '--with-pear=/usr/share/php' '--enable-calendar' 
'--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-bcmath' 
'--with-bz2' '--enable-ctype' '--with-iconv' '--enable-exif' '--enable-ftp' 
'--with-gettext' '--enable-mbstring' '--with-onig=/usr' 
'--with-pcre-regex=/usr' '--enable-shmop' '--enable-sockets' '--enable-wddx' 
'--with-libxml-dir=/usr' '--with-zlib' '--with-kerberos=/usr' 
'--with-openssl=/usr' '--enable-soap' '--enable-zip' 
'--with-mhash=yes' '--with-system-tzdata' 
'--with-mysql-sock=/var/run/mysqld/mysqld.sock' '--without-mm' 
'--with-curl=shared,/usr' '--with-enchant=shared,/usr' '--with-zlib-dir=/usr' 
'--enable-gd-native-ttf' '--with-gmp=shared,/usr' '--with-jpeg-dir=shared,/usr' 
'--with-xpm-dir=shared,/usr/X11R6' '--with-png-dir=shared,/usr' 
'--with-freetype-dir=shared,/usr' '--with-imap-ssl' '--enable-intl=shared' 
'--without-t1lib' '--with-ldap=shared,/usr' '--with-ldap-sasl=/usr' 
'--with-mcrypt=shared,/usr' '--with-pspell=shared,/usr' 
'--with-recode=shared,/usr' '--with-xsl=shared,/usr' '--with-snmp=shared,/usr' 
'--with-mssql=shared,/usr' '--with-tidy=shared,/usr' '--with-xmlrpc=shared' 
'--with-pgsql=shared,/usr'



------------------------------------------------------------------------
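The script above deliberately drives the placeholder count up until mysqlnd crashes, and every statement it prepares is left open until request shutdown, which is where the backtrace shows the free happening. The following is an added example, written for this page and not taken from the bug report or from php-src, of how application code that needs a large IN(...) list can keep itself out of that territory: the id list is split into chunks of a fixed size, each chunk gets its own statement with exactly that many placeholders, the parameters are bound by reference through call_user_func_array as in the report (so it runs on PHP 5.4), every mysqli call is checked, and each statement is closed before the next one is prepared. It assumes the testDatabase/testTable/testUser schema from the report's own comment block; MAX_PARAMS_PER_QUERY is a chosen cap, not a value stated in the report, and get_result() requires mysqlnd, which is what the report uses.

```php
<?php
// Added example (not the reporter's script, not php-src code).
// Assumes the testTable schema from the report: testField binary(16) looked up via unhex(?).

// Chosen cap on placeholders per statement (an assumption, not a value from the report);
// it keeps each statement well below the 1923-2033 range where the reporter saw the crash.
const MAX_PARAMS_PER_QUERY = 500;

/**
 * Build "SELECT * FROM testTable WHERE testField IN(unhex(?),...)" with exactly $n placeholders.
 */
function buildInQuery($n)
{
    if ($n < 1) {
        throw new InvalidArgumentException('need at least one parameter');
    }
    $placeholders = implode(',', array_fill(0, $n, 'unhex(?)'));
    return 'SELECT * FROM testTable WHERE testField IN(' . $placeholders . ')';
}

/**
 * Reject anything that is not 32 hex characters before it is sent as a parameter.
 */
function assertHexIds(array $ids)
{
    foreach ($ids as $id) {
        if (!is_string($id) || !preg_match('/\A[0-9a-fA-F]{32}\z/', $id)) {
            throw new InvalidArgumentException('invalid id: ' . var_export($id, true));
        }
    }
}

/**
 * Look up all $ids, MAX_PARAMS_PER_QUERY at a time, and return the matched rows.
 * Each statement is closed inside the loop rather than left for request shutdown.
 */
function lookupByHexIds(mysqli $conn, array $ids)
{
    assertHexIds($ids);
    $rows = array();

    foreach (array_chunk($ids, MAX_PARAMS_PER_QUERY) as $chunk) {
        $stmt = $conn->prepare(buildInQuery(count($chunk)));
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $conn->error);
        }

        // bind_param wants references, so build the argument list the same way the report does:
        // type string first, then one reference per chunk element.
        $args = array(str_repeat('s', count($chunk)));
        foreach ($chunk as $i => $value) {
            $args[] = &$chunk[$i];
        }
        if (!call_user_func_array(array($stmt, 'bind_param'), $args)) {
            $err = $stmt->error;
            $stmt->close();
            throw new RuntimeException('bind_param failed: ' . $err);
        }

        if (!$stmt->execute()) {
            $err = $stmt->error;
            $stmt->close();
            throw new RuntimeException('execute failed: ' . $err);
        }

        $result = $stmt->get_result(); // mysqlnd only
        while ($row = $result->fetch_assoc()) {
            $rows[] = $row;
        }
        $result->free();
        $stmt->close(); // release the statement now, not in the shutdown destructors
    }

    return $rows;
}

// Usage (credentials are the placeholders from the report's own setup block):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $conn = new mysqli('127.0.0.1', 'testUser', 'testPassword', 'testDatabase');
// $ids  = array_fill(0, 3000, '00000000000000000000000000000000');
// $rows = lookupByHexIds($conn, $ids); // six statements of at most 500 parameters each
```

Two design points. Chunking is the mitigation that matters here: a crash reachable by feeding a large enough list into a parameterized query is a denial-of-service condition for any request that builds IN() lists from user-controlled input, so capping the placeholder count per statement removes the trigger regardless of whether the deployed mysqlnd carries the fix. Closing each statement and freeing its result inside the loop keeps the number of live mysqli_stmt objects at one, so nothing is left for zend_call_destructors() to tear down at request end, which is the path in the reporter's backtrace.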


