From:
Operating system: Centos 5
PHP version:      5.3.4
Package:          PDO related
Bug Type:         Bug
Bug description: PDOStatement execute segfaults for pdo_mysql driver

Description:
------------
A segfault will occur when a PDOStatement is reused after failing due to a NOT NULL integrity constraint. This occurred when using the pdo_mysql driver as opposed to the mysqlnd driver.

Also, to avoid confusion, I was only able to test this on PHP 5.3.2. I could find nothing in the changelogs that would imply this bug has been fixed. I unfortunately did not have the time to free up hardware or VMs for an upgrade.

Test script:
---------------
<?php
// Connect and use native (server-side) prepared statements rather than emulation.
$dbh = new PDO('mysql:host=127.0.0.1;dbname=foo', 'user', 'pass');
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, 0);

// Table with a NOT NULL column, so binding NULL violates the constraint.
$createSql = "CREATE TABLE `foo` (
  `count` bigint(20) unsigned NOT NULL DEFAULT '0'
)";

$dbh->exec('drop table if exists foo');
$dbh->exec($createSql);
$dbh->exec("insert into foo set `count` = 1 ");

$sql = 'UPDATE foo SET `count` = :count';
$stmt = $dbh->prepare($sql);

$values = array (
  'count' => NULL,
);

// First execute: fails with SQLSTATE 23000 (column cannot be null).
echo "1\n";
$stmt->execute($values);
var_dump($stmt->errorInfo());

// Second execute of the same statement: should fail the same way, but segfaults.
echo "2\n";
$stmt->execute($values);
var_dump($stmt->errorInfo());

echo "\ndone\n";


Expected result:
----------------
[...@foo ~]$ php ed.php
1
array(3) {
  [0]=>
  string(5) "23000"
  [1]=>
  int(1048)
  [2]=>
  string(29) "Column 'count' cannot be null"
}
2
array(3) {
  [0]=>
  string(5) "23000"
  [1]=>
  int(1048)
  [2]=>
  string(29) "Column 'count' cannot be null"
}

done



Actual result:
--------------
[...@foo ~]$ php ed.php
1
array(3) {
  [0]=>
  string(5) "23000"
  [1]=>
  int(1048)
  [2]=>
  string(29) "Column 'count' cannot be null"
}
2
Segmentation fault (core dumped)

Core was generated by `php ed.php'.
Program terminated with signal 11, Segmentation fault.
[New process 16072]
#0  0x00000000005aa8be in pdo_mysql_stmt_param_hook (stmt=0xe5c12e8, param=0xe5c1a78, event_type=<value optimized out>) at /tmp/php-5.3.2/ext/pdo_mysql/mysql_statement.c:490
490                                     b->is_null = &S->in_null[param->paramno];
(gdb) bt
#0  0x00000000005aa8be in pdo_mysql_stmt_param_hook (stmt=0xe5c12e8, param=0xe5c1a78, event_type=<value optimized out>) at /tmp/php-5.3.2/ext/pdo_mysql/mysql_statement.c:490
#1  0x00000000005a34d9 in really_register_bound_param (param=0x7ffff7cb9990, stmt=0xe5c12e8, is_param=1) at /tmp/php-5.3.2/ext/pdo/pdo_stmt.c:408
#2  0x00000000005a4940 in zim_PDOStatement_execute (ht=<value optimized out>, return_value=0xe5c18d0, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>) at /tmp/php-5.3.2/ext/pdo/pdo_stmt.c:474
#3  0x0000000000789059 in zend_do_fcall_common_helper_SPEC (execute_data=0x2ae09210b050) at /tmp/php-5.3.2/Zend/zend_vm_execute.h:313
#4  0x000000000075f98e in execute (op_array=0xe5be920) at /tmp/php-5.3.2/Zend/zend_vm_execute.h:104
#5  0x000000000073c439 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/php-5.3.2/Zend/zend.c:1194
#6  0x00000000006ea968 in php_execute_script (primary_file=0x7ffff7cbc190) at /tmp/php-5.3.2/main/main.c:2260
#7  0x00000000007c617e in main (argc=2, argv=0x7ffff7cbc408) at /tmp/php-5.3.2/sapi/cli/php_cli.c:1192
(gdb) print *param
$1 = {paramno = 0, name = 0xe5c0750 ":count", namelen = 6, max_value_len = 0, parameter = 0xe5c1900, param_type = PDO_PARAM_STR, driver_params = 0x0, driver_data = 0x0, stmt = 0xe5c12e8, is_param = 1}
(gdb) print param
$2 = (struct pdo_bound_param_data *) 0xe5c1a78



-- 
Edit bug report at http://bugs.php.net/bug.php?id=53551&edit=1