From: pool at unimca dot com
Operating system: Linux Debian Wheezy amd64
PHP version: 5.4.17
Package: Reproducible crash
Bug Type: Bug
Bug description: Segmentation Fault in _zend_mm_free_int using mysqlnd
Description:
------------
I get recurring (script to reproduce attached) segmentation faults. Both PHP 5.4.17 and 5.4.4. When I query MySQL using:
- mysqli
- mysqlnd (native driver)
- prepared statements
- specific number of parameters

For me, a number of parameters in the provided script of 1923-2033 produces the error. A number below or above works fine. The numbers might vary from system to system (I don't know). To take this into account, I made the script loop with different numbers of parameters.

The Apache2 log reports:
[notice] child pid 30414 exit signal Segmentation fault (11)

I get the same error when using PDO and prepared statements (with real prepared statements, ATTR_EMULATE_PREPARES = false).

I compiled PHP 5.4.17 myself (I'm not experienced in doing so). PHP 5.4.4 was out of the box. Both use mysqlnd in what seems to be the same version 5.0.10 (?) (according to phpinfo()).

MySQL is out of the box wheezy: Ver 14.14 Distrib 5.5.31, for debian-linux-gnu (x86_64) using readline 6.2. Using InnoDB.

Debian Wheezy is: 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux

Can anyone confirm that this is not specific to my machine/installation?
Test script:
---------------
<?php
/*
CREATE DATABASE testDatabase CHARACTER SET utf8 DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci DEFAULT COLLATE utf8_general_ci;
USE testDatabase;
SET NAMES 'utf8';
GRANT CREATE, ALTER, INDEX, DROP, CREATE TEMPORARY TABLES, SELECT, INSERT, UPDATE, DELETE ON testDatabase.* TO 'testUser'@'localhost' IDENTIFIED BY 'testPassword';
GRANT CREATE, ALTER, INDEX, DROP, CREATE TEMPORARY TABLES, SELECT, INSERT, UPDATE, DELETE ON testDatabase.* TO 'testUser'@'localhost.localdomain' IDENTIFIED BY 'testPassword';
FLUSH PRIVILEGES;
CREATE TABLE `testTable` (
  `testField` binary(16) NOT NULL,
  `content` varchar(30) NOT NULL,
  PRIMARY KEY (`testField`)
);
*/

for ($j = 2; $j < 65000; $j++) {
    $arBind = array();
    $sBind = '';
    for ($i = 0; $i < $j; $i++) { // $j = number of parameters for the prepared statement
        $sBind .= 's';
        $arBind[] = '00000000000000000000000000000000';
    }
    echo '<br>Going to probe number of parameters: ' . count($arBind);
    ob_flush(); // print it to browser right away, not required for script
    flush();    // print it to browser right away, not required for script

    // Constructing the query
    $query = 'SELECT * from testTable WHERE testField IN(unhex(?)';
    $questionMarksMinus1 = count($arBind) - 1; // 1 question mark already set in query
    for ($i = 1; $i <= $questionMarksMinus1; $i++) {
        $query .= ',unhex(?)';
    }
    $query .= ')';

    $mysqliConn = mysqli_connect('127.0.0.1', 'testUser', 'testPassword');
    $mysqliConn->select_db('testDatabase');
    $mysqliSTMT = $mysqliConn->stmt_init();
    $mysqliSTMT->prepare($query);

    array_unshift($arBind, $sBind); // add the type string to the beginning of the array

    // bind the parameters. bind_param expects references and not values -> making new reference array
    $arBindRef = array();
    foreach ($arBind as $key => $value) {
        $arBindRef[] = &$arBind[$key];
    }
    call_user_func_array(array($mysqliSTMT, 'bind_param'), $arBindRef);
    $mysqliSTMT->execute(); // here the problem occurs
}
echo '<br>FINISHED';
?>

Expected result:
----------------
No segmentation fault

Actual result:
--------------
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
_zend_mm_free_int (heap=0x7f7a2473fa40, p=0x7f7a19cd5f38) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_alloc.c:2100
2100        if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
(gdb) bt
#0  _zend_mm_free_int (heap=0x7f7a2473fa40, p=0x7f7a19cd5f38) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_alloc.c:2100
#1  0x00007f7a1eb08afd in _mysqlnd_pefree (ptr=<optimized out>, persistent=0 '\000') at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_alloc.c:372
#2  0x00007f7a1eb14cfa in mysqlnd_internal_free_result_contents (result=0x7f7a19d479e8) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_result.c:288
#3  0x00007f7a1eb14d1a in mysqlnd_internal_free_result (result=0x7f7a19d479e8) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_result.c:302
#4  0x00007f7a1eb1b9a1 in php_mysqlnd_stmt_free_stmt_content_pub (s=0x7f7a19cc6ae0) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2115
#5  0x00007f7a1eb1cc4c in php_mysqlnd_stmt_net_close_priv (s=<optimized out>, implicit=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2203
#6  0x00007f7a1eb1b66e in php_mysqlnd_stmt_dtor_pub (s=0x7f7a19cc6ae0, implicit=1 '\001') at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2229
#7  0x00007f7a1e9ab018 in php_clear_stmt_bind (stmt=0x7f7a19f1d658) at /home/myUser/DebMaking/php-5.4.17/ext/mysqli/mysqli.c:164
#8  0x00007f7a1e9ab06a in mysqli_stmt_free_storage (object=0x7f7a19cc6860) at /home/myUser/DebMaking/php-5.4.17/ext/mysqli/mysqli.c:255
#9  0x00007f7a1ebada26 in
zend_objects_store_del_ref_by_handle_ex (handle=2, handlers=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_objects_API.c:221
#10 0x00007f7a1ebada43 in zend_objects_store_del_ref (zobject=0x7f7a19cc5360) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_objects_API.c:173
#11 0x00007f7a1eb77d29 in _zval_dtor (zvalue=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_variables.h:35
#12 _zval_ptr_dtor (zval_ptr=0x7f7a19cc6918) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:436
#13 _zval_ptr_dtor (zval_ptr=0x7f7a19cc6918) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:425
#14 0x00007f7a1eb930a5 in zend_hash_apply_deleter (ht=ht@entry=0x7f7a1f396d08, p=p@entry=0x7f7a19cc6900) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_hash.c:650
#15 0x00007f7a1eb94be1 in zend_hash_reverse_apply (ht=ht@entry=0x7f7a1f396d08, apply_func=apply_func@entry=0x7f7a1eb77bb0 <zval_call_destructor>) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_hash.c:804
#16 0x00007f7a1eb78041 in shutdown_destructors () at /home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:217
#17 0x00007f7a1eb86ac7 in zend_call_destructors () at /home/myUser/DebMaking/php-5.4.17/Zend/zend.c:922
#18 0x00007f7a1eb27e25 in php_request_shutdown (dummy=dummy@entry=0x0) at /home/myUser/DebMaking/php-5.4.17/main/main.c:1742
#19 0x00007f7a1ec305af in php_apache_request_dtor (r=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/sapi/apache2handler/sapi_apache2.c:507
#20 php_handler (r=0x7f7a22af20a0) at /home/myUser/DebMaking/php-5.4.17/sapi/apache2handler/sapi_apache2.c:679
#21 0x00007f7a22d0db60 in ap_run_handler ()
#22 0x00007f7a22d0dfab in ap_invoke_handler ()
#23 0x00007f7a22d1e088 in ap_process_request ()
#24 0x00007f7a22d1af48 in ?? ()
#25 0x00007f7a22d14520 in ap_run_process_connection ()
#26 0x00007f7a22d22cb9 in ?? ()
#27 0x00007f7a22d233d2 in ?? ()
#28 0x00007f7a22d23f36 in ap_mpm_run ()
#29 0x00007f7a22cf8832 in main ()
(gdb) bt full
#0  _zend_mm_free_int (heap=0x7f7a2473fa40, p=0x7f7a19cd5f38) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_alloc.c:2100
        mm_block = 0x7f7a19cd5f28
        next_block = 0x3030afaa49fd8f58
        size = 3472328296227680304
#1  0x00007f7a1eb08afd in _mysqlnd_pefree (ptr=<optimized out>, persistent=0 '\000') at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_alloc.c:372
        free_amount = <optimized out>
        collect_memory_statistics = 0 '\000'
#2  0x00007f7a1eb14cfa in mysqlnd_internal_free_result_contents (result=0x7f7a19d479e8) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_result.c:288
No locals.
#3  0x00007f7a1eb14d1a in mysqlnd_internal_free_result (result=0x7f7a19d479e8) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_result.c:302
No locals.
#4  0x00007f7a1eb1b9a1 in php_mysqlnd_stmt_free_stmt_content_pub (s=0x7f7a19cc6ae0) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2115
        stmt = 0x7f7a19cc6b30
#5  0x00007f7a1eb1cc4c in php_mysqlnd_stmt_net_close_priv (s=<optimized out>, implicit=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2203
        stmt = 0x7f7a19cc6b30
        conn = <optimized out>
        cmd_buf = "\001\000\000"
        statistic = <optimized out>
#6  0x00007f7a1eb1b66e in php_mysqlnd_stmt_dtor_pub (s=0x7f7a19cc6ae0, implicit=1 '\001') at /home/myUser/DebMaking/php-5.4.17/ext/mysqlnd/mysqlnd_ps.c:2229
        stmt = 0x7f7a19cc6b30
        ret = FAIL
        persistent = 0 '\000'
#7  0x00007f7a1e9ab018 in php_clear_stmt_bind (stmt=0x7f7a19f1d658) at /home/myUser/DebMaking/php-5.4.17/ext/mysqli/mysqli.c:164
No locals.
#8  0x00007f7a1e9ab06a in mysqli_stmt_free_storage (object=0x7f7a19cc6860) at /home/myUser/DebMaking/php-5.4.17/ext/mysqli/mysqli.c:255
        stmt = <optimized out>
        zo = 0x7f7a19cc6860
        intern = 0x7f7a19cc6860
        my_res = <optimized out>
#9  0x00007f7a1ebada26 in zend_objects_store_del_ref_by_handle_ex (handle=2, handlers=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_objects_API.c:221
        __orig_bailout = <optimized out>
        __bailout = {{__jmpbuf = {140162395558752, -8192091644916044739, 140162395540600, 140162486594824, 140162478078896, 140735356192568, -8123113098347975619, -8192088360732496835}, __mask_was_saved = 0, __saved_mask = {__val = {140162477808826, 140161962737665, 0, 5283658345051342928, 140162477785156, 0, 140162542126972, 0, 0, 140735356190832, 140162397992704, 140162531681520, 140162477986829, 140162486592512, 0, 0}}}}
        obj = 0x7f7a19f05070
        failure = <optimized out>
#10 0x00007f7a1ebada43 in zend_objects_store_del_ref (zobject=0x7f7a19cc5360) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_objects_API.c:173
        handle = <optimized out>
#11 0x00007f7a1eb77d29 in _zval_dtor (zvalue=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_variables.h:35
No locals.
#12 _zval_ptr_dtor (zval_ptr=0x7f7a19cc6918) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:436
No locals.
#13 _zval_ptr_dtor (zval_ptr=0x7f7a19cc6918) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:425
No locals.
#14 0x00007f7a1eb930a5 in zend_hash_apply_deleter (ht=ht@entry=0x7f7a1f396d08, p=p@entry=0x7f7a19cc6900) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_hash.c:650
        retval = <optimized out>
#15 0x00007f7a1eb94be1 in zend_hash_reverse_apply (ht=ht@entry=0x7f7a1f396d08, apply_func=apply_func@entry=0x7f7a1eb77bb0 <zval_call_destructor>) at /home/myUser/DebMaking/php-5.4.17/Zend/zend_hash.c:804
        result = 1
        p = 0x7f7a19cc0c78
        q = 0x7f7a19cc6900
#16 0x00007f7a1eb78041 in shutdown_destructors () at /home/myUser/DebMaking/php-5.4.17/Zend/zend_execute_API.c:217
        symbols = 14
        __orig_bailout = 0x7fff80e9bf30
        __bailout = {{__jmpbuf = {140162486594432, -8192091645151974339, 140162544640160, 140162549147716, -4294967295, 140735356192568, -8123113101239948227, -8192088332522132419}, __mask_was_saved = 0, __saved_mask = {__val = {140162482955400, 140162397992704, 140162477812253, 0, 140162397992840, 103079215104, 140162477986829, 140162397992896, 140162477986829, 0, 433992944, 8, 140162396730936, 7, 23, 140162486594824}}}}
#17 0x00007f7a1eb86ac7 in zend_call_destructors () at /home/myUser/DebMaking/php-5.4.17/Zend/zend.c:922
        __orig_bailout = <optimized out>
        __bailout = {{__jmpbuf = {140162486594432, -8192091645151974339, 140162544640160, 140162549147716, -4294967295, 140735356192568, -8123113101273502659, -8192088337574958019}, __mask_was_saved = 0, __saved_mask = {__val = {140735356192568, 140735356191360, 140162537525486, 3, 140735356191400, 140162479205191, 140162544640040, 140162477998400, 140162574668336, 140162544603136, 140162544606128, 8, 18446744069414584321, 140162486592808, 140162486592512, 140162544640160}}}}
#18 0x00007f7a1eb27e25 in php_request_shutdown (dummy=dummy@entry=0x0) at /home/myUser/DebMaking/php-5.4.17/main/main.c:1742
        __orig_bailout = <optimized out>
        __bailout = {{__jmpbuf = {140162486594432, -8192091645151974339, 140162544640160, 140162549147716, -4294967295, 140735356192568, -8123113101149770691, -8192088286588605379}, __mask_was_saved = 0, __saved_mask = {__val = {140162544640040, 4, 140162544606160, 140735356191600, 140162537483668, 140162483051270, 140162544606128, 140162483051320, 140162544643688, 4294967400, 409318933599, 55834574848, 140162544643984, 140162483051323, 140162544640160, 140162486593120}}}}
        report_memleaks = 1 '\001'
#19 0x00007f7a1ec305af in php_apache_request_dtor (r=<optimized out>) at /home/myUser/DebMaking/php-5.4.17/sapi/apache2handler/sapi_apache2.c:507
No locals.
#20 php_handler (r=0x7f7a22af20a0) at /home/myUser/DebMaking/php-5.4.17/sapi/apache2handler/sapi_apache2.c:679
        ctx = 0x7f7a22aefe08
        conf = 0x7f7a22c203d8
        brigade = 0x7f7a22ae9b08
        bucket = <optimized out>
        rv = <optimized out>
        parent_req = 0x0
#21 0x00007f7a22d0db60 in ap_run_handler ()
No symbol table info available.
#22 0x00007f7a22d0dfab in ap_invoke_handler ()
No symbol table info available.
#23 0x00007f7a22d1e088 in ap_process_request ()
No symbol table info available.
#24 0x00007f7a22d1af48 in ?? ()
No symbol table info available.
#25 0x00007f7a22d14520 in ap_run_process_connection ()
No symbol table info available.
#26 0x00007f7a22d22cb9 in ?? ()
No symbol table info available.
#27 0x00007f7a22d233d2 in ?? ()
No symbol table info available.
#28 0x00007f7a22d23f36 in ap_mpm_run ()
No symbol table info available.
#29 0x00007f7a22cf8832 in main ()
No symbol table info available.
phpinfo() of my 5.4.17:
Configure Command: './configure' '--prefix=/usr' '--with-mysql=mysqlnd' '--with-mysqli=mysqlnd' '--with-pdo-mysql=mysqlnd' '--with-apxs2=/usr/bin/apxs2' '--with-libdir=/lib/x86_64-linux-gnu' '--without-db4' '--without-qdbm' '--without-gdbm' '--without-imap' '--with-sqlite3' '--with-gd' '--with-config-file-path=/etc/php5/apache2' '--with-config-file-scan-dir=/etc/php5/apache2/conf.d' '--build=x86_64-linux-gnu' '--host=x86_64-linux-gnu' '--sysconfdir=/etc' '--localstatedir=/var' '--mandir=/usr/share/man' '--disable-debug' '--with-regex=php' '--disable-rpath' '--disable-static' '--with-pic' '--with-layout=GNU' '--with-pear=/usr/share/php' '--enable-calendar' '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-bcmath' '--with-bz2' '--enable-ctype' '--with-iconv' '--enable-exif' '--enable-ftp' '--with-gettext' '--enable-mbstring' '--with-onig=/usr' '--with-pcre-regex=/usr' '--enable-shmop' '--enable-sockets' '--enable-wddx' '--with-libxml-dir=/usr' '--with-zlib' '--with-kerberos=/usr' '--with-openssl=/usr' '--enable-soap' '--enable-zip' '--with-mhash=yes' '--with-system-tzdata' '--with-mysql-sock=/var/run/mysqld/mysqld.sock' '--without-mm' '--with-curl=shared,/usr' '--with-enchant=shared,/usr' '--with-zlib-dir=/usr' '--enable-gd-native-ttf' '--with-gmp=shared,/usr' '--with-jpeg-dir=shared,/usr' '--with-xpm-dir=shared,/usr/X11R6' '--with-png-dir=shared,/usr' '--with-freetype-dir=shared,/usr' '--with-imap-ssl' '--enable-intl=shared' '--without-t1lib' '--with-ldap=shared,/usr' '--with-ldap-sasl=/usr' '--with-mcrypt=shared,/usr' '--with-pspell=shared,/usr' '--with-recode=shared,/usr' '--with-xsl=shared,/usr' '--with-snmp=shared,/usr' '--with-mssql=shared,/usr' '--with-tidy=shared,/usr' '--with-xmlrpc=shared' '--with-pgsql=shared,/usr'

--
Edit bug report at https://bugs.php.net/bug.php?id=65337&edit=1
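The report's script builds one prepared statement whose placeholder count equals the size of the input list, which is what walks it into the crashing range; in application code that list is often request-controlled, so the same pattern lets a caller choose how many parameters a statement carries. The following is an added example, not the reporter's script or anything from the PHP or mysqlnd projects: it runs the same unhex(?) IN() lookup against the report's test fixtures (127.0.0.1, testUser/testPassword, testDatabase, testTable, testField, content) but splits the id list into bounded chunks, reuses the reference-array binding the report shows for bind_param, checks every mysqli return value and closes each statement explicitly rather than leaving it to request shutdown, where the backtrace above places the crash. The per-statement cap (500) is an assumption chosen to stay well below the 1923-2033 range the reporter observed, not a documented mysqlnd limit.

```php
<?php
// Added example, not the bug report's script. Looks up rows by 32-hex-digit
// ids in bounded chunks so that no prepared statement carries more than
// $maxPerStmt placeholders. The cap is an assumption (kept far below the
// parameter counts reported to crash), not a documented driver limit.
function fetchByIds(mysqli $conn, array $hexIds, $maxPerStmt = 500)
{
    $rows = array();
    foreach (array_chunk($hexIds, $maxPerStmt) as $chunk) {
        // One unhex(?) per value, exactly as in the reporter's query.
        $placeholders = implode(',', array_fill(0, count($chunk), 'unhex(?)'));
        $sql = "SELECT testField, content FROM testTable WHERE testField IN ($placeholders)";

        $stmt = $conn->prepare($sql);
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $conn->error);
        }

        // bind_param() takes its arguments by reference, so build an array of
        // references: the type string first, then one reference per value.
        $types = str_repeat('s', count($chunk));
        $args = array(&$types);
        foreach ($chunk as $k => $v) {
            $args[] = &$chunk[$k];
        }
        if (!call_user_func_array(array($stmt, 'bind_param'), $args)) {
            throw new RuntimeException('bind_param failed: ' . $stmt->error);
        }
        if (!$stmt->execute()) {
            throw new RuntimeException('execute failed: ' . $stmt->error);
        }

        $stmt->bind_result($testField, $content);
        while ($stmt->fetch()) {
            $rows[bin2hex($testField)] = $content;
        }
        // Free the statement now instead of at request shutdown.
        $stmt->close();
    }
    return $rows;
}

// Usage with a constructed input: 3000 ids, a count the report says crashes
// when sent as a single statement.
$conn = new mysqli('127.0.0.1', 'testUser', 'testPassword', 'testDatabase');
if ($conn->connect_errno) {
    die('connect failed: ' . $conn->connect_error);
}
$ids = array();
for ($i = 0; $i < 3000; $i++) {
    $ids[] = str_pad(dechex($i), 32, '0', STR_PAD_LEFT);
}
$result = fetchByIds($conn, $ids);
echo count($result), " row(s) found\n";
$conn->close();
```

Chunking keeps the parameter count a function of a fixed cap rather than of the caller's input size, so an oversized list costs a few extra round trips instead of a worker crash; on PHP 5.6 and later the reference array can be replaced by argument unpacking (`$stmt->bind_param($types, ...$chunk)`), which removes the call_user_func_array step.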