Bug #31252 call_overloaded_function crashes under some circumstances (DB_DataObject?)
Submitted: 2004-12-22 18:15 UTC Modified: 2004-12-22 18:29 UTC
From: mark-phpspam at vectrex dot org dot uk Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.3.10 OS: Linux
Private report: No CVE-ID: None
 [2004-12-22 18:15 UTC] mark-phpspam at vectrex dot org dot uk
Description:
------------
A crash which happens somewhere inside DB_DataObject when it's trying to get stuff from MySQL. I don't know exactly where in PHP code, nor what function it's calling at the time, but it might be just before or after mysql_num_rows or is_a.

The only way I know to instrument it is using apd (a zend extension). However, the bug is reproducible with no zend extensions.

The same code works correctly in PHP 4.3.8 with an identical config and all other factors the same.

Config:
 ./configure  --prefix=/home/mark/apache/php --with-apxs2=/home/mark/apache/bin/apxs --with-curl --with-openssl --with-gd --enable-mbstring --with-zlib --with-jpeg-dir=/usr

Apache version: 2.0.50
OS: Debian unstable, kernel 2.6.3 (if that makes a difference)

Reproduce code:
---------------
I have not isolated short code which can reproduce this, but it fails with all my (large) apps which use DB_DataObject and MySQL.

I think it happens when calling DB_DataObject->fetch

Expected result:
----------------
It shouldn't crash

Actual result:
--------------
#0  call_overloaded_function (T=0xbfffc8ac, arg_count=-1073755988, 
    return_value=0xbfffc8ac)
    at /home/mark/unpack/php-4.3.10/Zend/zend_execute.c:992
        ce = (zend_class_entry *) 0x0
#1  0x40595fb0 in execute (op_array=0x82f2b20)
    at /home/mark/unpack/php-4.3.10/Zend/zend_execute.c:1708
        original_return_value = (zval **) 0x40417940
        execute_data = {opline = 0x82f39f0, function_state = {
    function_symbol_table = 0x81245c8, function = 0x836855c, reserved = {
      0x4074b688, 0x81efb04, 0x5, 0xbfffccf8}}, fbc = 0x836855c, ce = 0x0, 
  object = {ptr = 0x81ef694}, Ts = 0xbfffc67c, 
  original_in_execution = 1 '\001', op_array = 0x82f2b20, 
  prev_execute_data = 0xbfffd0c0}
#2  0x40596184 in execute (op_array=0x81eef48)
    at /home/mark/unpack/php-4.3.10/Zend/zend_execute.c:1686
        calling_symbol_table = (HashTable *) 0x81efd74
        original_return_value = (zval **) 0xbfffd220
        execute_data = {opline = 0x81eecec, function_state = {
    function_symbol_table = 0x8214fcc, function = 0x82f2b20, reserved = {
      0x4074b688, 0xbfffd13c, 0xbfffd5a0, 0xbfffd118}}, fbc = 0x82f2b20, 
  ce = 0x0, object = {ptr = 0x0}, Ts = 0xbfffcd1c, 
  original_in_execution = 1 '\001', op_array = 0x81eef48, 
  prev_execute_data = 0xbfffd5c0}
#3  0x40596184 in execute (op_array=0x81e94ec)
    at /home/mark/unpack/php-4.3.10/Zend/zend_execute.c:1686
        calling_symbol_table = (HashTable *) 0x4076a0ec
        original_return_value = (zval **) 0xbfffd638
        execute_data = {opline = 0x81ed9d4, function_state = {
    function_symbol_table = 0x81efd74, function = 0x81eef48, reserved = {
      0x4074b688, 0x81e95d4, 0x0, 0xbfffd5f8}}, fbc = 0x81eef48, ce = 0x0, 
  object = {ptr = 0x0}, Ts = 0xbfffd13c, original_in_execution = 0 '\0', 
  op_array = 0x81e94ec, prev_execute_data = 0x0}
#4  0x40586231 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/mark/unpack/php-4.3.10/Zend/zend.c:900
        files = 0xbfffd664 ""
        i = 1
---Type <return> to continue, or q <return> to quit---
        file_handle = (zend_file_handle *) 0xbffff860
        orig_op_array = (zend_op_array *) 0x0
        local_retval = (zval *) 0x0
#5  0x4055855f in php_execute_script (primary_file=0xbffff860)
    at /home/mark/unpack/php-4.3.10/main/main.c:1736
        orig_bailout = {{__jmpbuf = {1081390728, 1081516504, -1073743556, 
      -1073743528, -1073743984, 1079620072}, __mask_was_saved = 0, 
    __saved_mask = {__val = {0 <repeats 32 times>}}}}
        orig_bailout_set = 1 '\001'
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, 
  handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, 
  handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
        old_cwd = 0xbfffd66c "/home/mark/apache"
        old_primary_file_path = 0x0
        retval = 0
#6  0x4059b400 in php_handler (r=0x81e1668)
    at /home/mark/unpack/php-4.3.10/sapi/apache2handler/sapi_apache2.c:542
        zfd = {type = 1 '\001', 
  filename = 0x81e29d8 "/home/mark/progs/listmanager/site/logon.php", 
  opened_path = 0x81e9604 "3?\202U\006", handle = {fd = 33, fp = 0x21}, 
  free_filename = 0 '\0'}
        ctx = (php_struct *) 0x81e3238
        conf = (void *) 0xbfffc8ac
        brigade = (apr_bucket_brigade *) 0x81e32b0
        bucket = (apr_bucket *) 0xbfffc8ac
        rv = -1073755988
        parent_req = (request_rec *) 0x0
#7  0x0809b8d5 in ap_run_handler (r=0x81e1668) at config.c:151
        pHook = (ap_LINK_handler_t *) 0xbfffc8ac
        n = 6
        rv = -1073755988


 [2004-12-22 18:29 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
