Bug #57549 segfault in Instant Client
Submitted: 2007-02-26 13:19 UTC Modified: 2007-08-17 04:42 UTC
From: ulf dot moeller at secardeo dot com Assigned:
Status: Closed Package: oci8 (PECL)
PHP Version: 4.4.4 OS: Solaris 5.8
Private report: No CVE-ID: None
 [2007-02-26 13:19 UTC] ulf dot moeller at secardeo dot com
Description:
------------
I am seeing segfaults in an Apache web server which I believe to be related to the OCI8 extension.

While a php script is being executed, the Instant Client repeatedly calls php_oci_lob_callback() which in turn uses _erealloc() to get additional memory. When the memory limit from php.ini (32M in this case) is exceeded, _erealloc() calls zend_error() from the macro CHECK_MEMORY_LIMIT in order to report a fatal error "Allowed memory size of 33554432 bytes exhausted".

Then _zend_bailout() is called and a longjmp to php_request_shutdown() is done. php_oci_lob_free() is called to free data.

At this point, in the PHP debug version the hash table consistency check fails and the webserver is shut down with ".../Zend/zend_hash.c(108) : Bailed out without a bailout address!" In the no-debug version, consistency is not checked and Instant Client crashes trying to free the data.

I do not know exactly where the table turns inconsistent.

Here is a backtrace:

(gdb) bt
#0  0xfd6af530 in kohfrr ()
   from xxx/instantclient_10_2/libclntsh.so.10.1
#1  0xfd6b00f8 in kohfrw ()
   from xxx/instantclient_10_2/libclntsh.so.10.1
#2  0xfd1c01e0 in kpufdesc ()
   from xxx/instantclient_10_2/libclntsh.so.10.1
#3  0xfe1c72f0 in php_oci_lob_free ()
   from xxx/modules/libphp4.so
#4  0xfe1bfb48 in php_oci_descriptor_list_dtor ()
   from xxx/modules/libphp4.so
#5  0xfe32fcd8 in list_entry_destructor ()
   from xxx/modules/libphp4.so
#6  0xfe32d1b0 in zend_hash_apply_deleter ()
   from xxx/modules/libphp4.so
#7  0xfe32d49c in zend_hash_graceful_reverse_destroy ()
   from xxx/modules/libphp4.so
#8  0xfe32ff24 in zend_destroy_rsrc_list ()
   from xxx/modules/libphp4.so
#9  0xfe313ce8 in shutdown_executor ()
   from xxx/modules/libphp4.so
#10 0xfe324598 in zend_deactivate ()
   from xxx/modules/libphp4.so
#11 0xfe2ca650 in php_request_shutdown ()
   from xxx/modules/libphp4.so
#12 0xfe348ad0 in php_apache_request_dtor ()
   from xxx/modules/libphp4.so
#13 0xfe3494b8 in php_handler ()
   from xxx/modules/libphp4.so
#14 0x0006d89c in ap_run_handler ()
#15 0x0006e5b8 in ap_invoke_handler ()
#16 0x00050f58 in ap_process_request ()
#17 0x000473e8 in ap_process_http_connection ()
#18 0x000823a8 in ap_run_process_connection ()
#19 0x000829e0 in ap_process_connection ()
#20 0x0006aa90 in child_main ()
#21 0x0006ac20 in make_child ()
#22 0x0006ae0c in startup_children ()
#23 0x0006b658 in ap_mpm_run ()
#24 0x00077b80 in main ()
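
The failure mode described in the report above, as a minimal C model added here (not code from PHP, OCI8 or Instant Client): a callback that longjmps out of a library's read loop leaves the handle marked as mid-call, so the free at shutdown runs on a busy handle, while returning an error lets the library unwind first. `lib_read`, `lib_free`, `lob_ctx` and the callback names are hypothetical stand-ins.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a client-library descriptor; not Oracle's API. */
typedef struct { volatile int call_in_progress; } lib_handle;
typedef int (*chunk_cb)(void *ctx, const char *buf, size_t len);
typedef struct { char *data; size_t len, limit; jmp_buf *bail; } lob_ctx;

/* Library read loop: the handle is busy until the loop returns normally. */
static int lib_read(lib_handle *h, chunk_cb cb, void *ctx, int chunks) {
    static const char piece[1024] = {0};   /* constructed sample data */
    int rc = 0;
    h->call_in_progress = 1;
    for (int i = 0; i < chunks && rc == 0; i++)
        rc = cb(ctx, piece, sizeof piece);
    h->call_in_progress = 0;               /* never reached after a longjmp */
    return rc;
}
/* Library free: refuses (-1) a handle that is still inside a call. */
static int lib_free(lib_handle *h) { return h->call_in_progress ? -1 : 0; }

/* Grow the buffer, enforcing a memory_limit-style cap. */
static int append(lob_ctx *c, const char *buf, size_t len) {
    char *p;
    if (c->len + len > c->limit || !(p = realloc(c->data, c->len + len)))
        return -1;
    memcpy(p + c->len, buf, len);
    c->data = p; c->len += len;
    return 0;
}
/* Pattern from the report: bail out of the callback across library frames. */
static int cb_longjmp(void *ctx, const char *buf, size_t len) {
    lob_ctx *c = ctx;
    if (append(c, buf, len) != 0) longjmp(*c->bail, 1);
    return 0;
}
/* Alternative: return the error so the library unwinds before any bailout. */
static int cb_return(void *ctx, const char *buf, size_t len) { return append(ctx, buf, len); }

/* Result of lib_free() at "request shutdown": 0 clean, -1 handle left busy. */
int run(int use_longjmp, size_t limit, int chunks) {
    static lib_handle h; static lob_ctx c; static jmp_buf env; /* static: defined after longjmp */
    h.call_in_progress = 0; c = (lob_ctx){NULL, 0, limit, &env};
    if (setjmp(env) == 0) lib_read(&h, use_longjmp ? cb_longjmp : cb_return, &c, chunks);
    free(c.data);
    return lib_free(&h);
}

int main(void) { printf("%d %d\n", run(1, 4096, 8), run(0, 4096, 8)); return 0; }
```
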



 [2007-02-26 13:24 UTC] tony2001 at phpclub dot net
Please provide short but complete reproduce code.
 [2007-03-07 07:42 UTC] ulf dot moeller at secardeo dot com
Here is the script. The error occurs whenever a file read from the database is too large to fit within the memory limit. For example, we can reproduce the error with a 1.5 meg file with memory_limit = 2M.

<?
$REAL_PATH = "/xxx/htdocs/";
$REAL_URL = "http://xxx.com";
include_once($REAL_PATH . "_phplib/_dblib.php");
$newstable = "NEWS"; // org: NEWS
$atttable = "ATTACHMENT"; // org: ATTACHMENT
$syntable = "NEWS_ATTACHMENT"; // org: NEWS_ATTACHMENT
$view = "ARTIKELS"; // org: ARTIKELS

$db = new oracleQuery($EEANEWS_USER,$EEANEWS_PASS,$PRODDB);

if($id != ""){
	$SQL = "SELECT typ from $atttable where id='$id'";
	$db->setStatement($SQL);
	$typus = $db->getResult();
	$typ = $typus["TYP"][0];

    header("Cache-Control: ");// leave blank to avoid IE errors
    header("Pragma: ");// leave blank to avoid IE errors
    //header(sprintf('Content-Type: %s', $file['FILETYPE']));
	
	switch($typ){
		case "PDF":
			header("Content-Type: application/pdf");
			$file_ext = 'document.pdf';
			break;
		case "DOC":
			header("Content-Type: application/msword");
			$file_ext = 'document.doc';
			break;
		case "XLS":
			header("Content-Type: application/msexcel");
			$file_ext = 'document.xls';
			break;
		case "PPT":
			header("Content-Type: application/vnd.ms-powerpoint");
			$file_ext = 'document.ppt';
			break;
		case "JPG":
			header("Content-Type: image/jpeg");
			$file_ext = 'bild.jpg';
			break;
		case "GIF":
			header("Content-Type: image/gif");
			$file_ext = 'bild.gif';
			break;
		case "BMP":
			header("Content-Type: image/bmp");
			$file_ext = 'bild.bmp';
			break;
		case "EXE":
			header("Content-Type: application/octet-stream");
			$file_ext = 'datei.exe';
			break;
		case "ZIP":
			header("Content-Type: application/zip");
			$file_ext = 'archiv.zip';
			break;
		default:
			header("Content-Type: application/octet-stream");
			break;
	}


    $SQL="SELECT data FROM $atttable WHERE id='$id'";
    $db->setStatement($SQL);
    $result=$db->getLob();

    header(sprintf('Content-Disposition: attachment; filename=%s',$file_ext));
    header("Content-length:".strlen($result));

    if($result){
        echo $result;
    } else {
        error();
    }
} else {
    error();
}
$db->disconnect();
function error(){
?>
<html>
<head>
<title>FEHLER</title>
</head>
<body bgcolor="#FFFFFF">
<center><b><font face="Arial">
Der Anhang wurde nicht gefunden.
</font></b></center>
</body>
</html>
<?
}
?>
 [2007-03-07 07:47 UTC] tony2001 at phpclub dot net
$result=$db->getLob()?
I don't know such OCI8 method.
 [2007-03-07 08:36 UTC] tony2001 at phpclub dot net
Please don't forget to specify version of Instant Client and version of OCI8.

With OIC 10.1.0.3 the only error I can see is "Warning: Unknown(): ORA-24909: call in progress. Current operation cancelled".
Oracle9 native client does segfault, but only with PHP4 (which you shouldn't be using anyway).
 [2007-03-08 03:11 UTC] ulf dot moeller at secardeo dot com
Oracle Instant Client is version 10.2.0.2, used with PHP 4.
 [2007-03-29 04:34 UTC] tony2001 at phpclub dot net
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.


 [2007-08-16 19:10 UTC] wade dot ziegler at swgas dot com
It looks like this bug fix has not made it into the PHP 5.2.3 release.  I'm getting the same result so I have to downgrade back to PHP 4.
 [2007-08-17 04:42 UTC] tony at daylessday dot org
>It looks like this bug fix has not made it into the PHP 5.2.3 release. 
Of course it did.

>I'm getting the same result so I have to downgrade back to PHP 4.
Wha? PHP4 surely doesn't have this fix, OCI8 in PHP4 is unsupported for years.
 
Last updated: Thu Dec 26 13:01:30 2024 UTC