Bug #77734 Seg Fault caused by php_mysqlnd_free_field_metadata
Submitted: 2019-03-13 09:27 UTC Modified: 2019-05-07 09:16 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: scott at exussum dot co dot uk Assigned:
Status: Duplicate Package: PDO MySQL
PHP Version: 7.3.3 OS: Ubuntu 18.04
Private report: No CVE-ID: None
 [2019-03-13 09:27 UTC] scott at exussum dot co dot uk
Description:
------------
Stack trace below. This appears to happen randomly. It's generated by a long-running script running lots of SQL. It happens at a different point each time, so it's hard to debug the actual cause.

Backtrace generated below. I can get more info from gdb if needed.

The same script runs fine with php7.2 with no issues.



Actual result:
--------------
Program terminated with signal SIGSEGV, Segmentation fault.

#0  php_mysqlnd_free_field_metadata (meta=0x7f9d7f401018) at /build/php7.3-u8qUgX/php7.3-7.3.3/ext/mysqlnd/mysqlnd_result_meta.c:38
#1  mysqlnd_mysqlnd_res_meta_free_pub (meta=0x7f9d7f7fb8e0) at /build/php7.3-u8qUgX/php7.3-7.3.3/ext/mysqlnd/mysqlnd_result_meta.c:106
#2  0x00007f9d8495b5ea in mysqlnd_mysqlnd_res_free_result_contents_internal_pub (result=0x7f9d7f7fb048) at /build/php7.3-u8qUgX/php7.3-7.3.3/ext/mysqlnd/mysqlnd_result.c:300
#3  0x00007f9d8495bfe0 in mysqlnd_mysqlnd_res_free_result_internal_pub (result=0x7f9d7f7fb048) at /build/php7.3-u8qUgX/php7.3-7.3.3/ext/mysqlnd/mysqlnd_result.c:316
#4  0x00007f9d8495bcf8 in mysqlnd_mysqlnd_res_free_result_pub (result=0x7f9d7f7fb048, implicit=<optimized out>)
    at /build/php7.3-u8qUgX/php7.3-7.3.3/ext/mysqlnd/mysqlnd_result.c:1498
#5  0x00007f9d82d86811 in pdo_mysql_stmt_dtor (stmt=0x7f9d7f6c7300) at /build/php7.3-u8qUgX/php7.3-7.3.3/ext/pdo_mysql/mysql_statement.c:53
#6  0x00007f9d84732f52 in php_pdo_free_statement (stmt=0x7f9d7f6c7300) at /build/php7.3-u8qUgX/php7.3-7.3.3/ext/pdo/pdo_stmt.c:2333

 [2019-04-15 08:13 UTC] panychek at gmail dot com
We got the same thing. We have a long running CLI script too (Debian 9), and it works fine with PHP 7.2.
The only difference is that we are using the MySQLi extension, not PDO.

Our trace:
Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x000055ae4184fd16 in php_mysqlnd_free_field_metadata (meta=0x7fd4ba201018) at /usr/src/php-src/ext/mysqlnd/mysqlnd_result_meta.c:36
#1  0x000055ae41850801 in mysqlnd_mysqlnd_res_meta_free_pub (meta=0x7fd4ba585e60) at /usr/src/php-src/ext/mysqlnd/mysqlnd_result_meta.c:106
#2  0x000055ae418458ce in mysqlnd_mysqlnd_res_free_result_contents_internal_pub (result=0x7fd4ba585048) at /usr/src/php-src/ext/mysqlnd/mysqlnd_result.c:300
#3  0x000055ae41845a6d in mysqlnd_mysqlnd_res_free_result_internal_pub (result=0x7fd4ba585048) at /usr/src/php-src/ext/mysqlnd/mysqlnd_result.c:316
#4  0x000055ae4184d136 in mysqlnd_mysqlnd_res_free_result_pub (result=0x7fd4ba585048, implicit=0 '\000') at /usr/src/php-src/ext/mysqlnd/mysqlnd_result.c:1507
#5  0x000055ae4164d122 in mysqli_result_free_storage (object=0x7fd4ba47e310) at /usr/src/php-src/ext/mysqli/mysqli.c:262
#6  0x000055ae41955f6e in zend_objects_store_del (object=0x7fd4ba47e310) at /usr/src/php-src/Zend/zend_objects_API.c:194
 [2019-04-15 08:41 UTC] nikic@php.net
Would it be possible for you to run the CLI script under "USE_ZEND_ALLOC=0 valgrind php script.php" and provide the resulting log?
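The invocation asked for above, as an added helper script that is not part of the bug thread or of PHP itself. It assumes the script path is passed as the first argument; the log excerpt it triages is constructed for the example, and the only page-specific content in it is the frame name and file from the reported backtrace.

```shell
#!/bin/sh
# Added example, not from the bug report. Two helpers: one builds the
# valgrind command requested in the thread, the other sorts a memcheck log
# into the noise seen here versus errors that would explain a SIGSEGV.
#
# php_valgrind_cmd SCRIPT [LOGFILE]
#   USE_ZEND_ALLOC=0           bypass the Zend allocator so valgrind sees every
#                              malloc/free (the setting nikic asked for)
#   ZEND_DONT_UNLOAD_MODULES=1 keep shared extensions mapped at shutdown so
#                              mysqlnd/pdo_mysql frames are not printed as ???
#   -d pcre.jit=0              disable the PCRE JIT; its generated code is what
#                              shows up as unsymbolised "???" false positives
php_valgrind_cmd() {
    script="$1"
    log="${2:-valgrind.log}"
    printf 'USE_ZEND_ALLOC=0 ZEND_DONT_UNLOAD_MODULES=1 valgrind --track-origins=yes --num-callers=30 --log-file=%s php -d pcre.jit=0 %s\n' "$log" "$script"
}

# valgrind_triage LOGFILE -> "noise=N errors=M"
# "Conditional jump ... uninitialised" reports were false positives in this
# thread; invalid read/write/free and mismatched free are what to look for.
valgrind_triage() {
    log="$1"
    noise=$(grep -c 'Conditional jump or move depends on uninitialised' "$log" || true)
    errors=$(grep -cE '^==[0-9]+== (Invalid (read|write|free)|Mismatched free)' "$log" || true)
    printf 'noise=%s errors=%s\n' "$noise" "$errors"
}

# Constructed memcheck excerpt (not a real log; addresses are made up) so the
# triage can be exercised offline.
sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
==4242== Conditional jump or move depends on uninitialised value(s)
==4242==    at 0x421F165: ???
==4242== Conditional jump or move depends on uninitialised value(s)
==4242==    at 0x3C7C92: zend_string_equal_val (zend_string.c:403)
==4242== Invalid free() / delete / delete[] / realloc()
==4242==    at 0x4C30D3B: free (vg_replace_malloc.c:530)
==4242==    by 0x1234567: php_mysqlnd_free_field_metadata (mysqlnd_result_meta.c:38)
EOF
    printf '%s\n' "$f"
}

# Direct use: ./valgrind_php.sh script.php   (runs valgrind, then triages the log)
if [ "$#" -gt 0 ]; then
    eval "$(php_valgrind_cmd "$1" valgrind.log)"
    valgrind_triage valgrind.log
fi
```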
 [2019-04-15 10:06 UTC] scott at exussum dot co dot uk
I don't have all the debug symbols; I'm working on getting more.

This is the trace though. Hope it helps in some way?

==32515== Conditional jump or move depends on uninitialised value(s)
==32515==    at 0x421F165: ???
==32515==    by 0x2324D8F7: ???
==32515==    by 0x2324D8F7: ???
==32515==    by 0x2324D91D: ???
==32515==    by 0x9A3F4FF: ???
==32515==    by 0x2324D8F7: ???
==32515== 
+------------------------------------+
==32515== Conditional jump or move depends on uninitialised value(s)
==32515==    at 0x421F144: ???
==32515==    by 0x228FE0E7: ???
==32515==    by 0x228FE0E7: ???
==32515==    by 0x228FE0EB: ???
==32515==    by 0x9A3F4FF: ???
==32515==    by 0x228FE0E7: ???
==32515== 
==32515== Conditional jump or move depends on uninitialised value(s)
==32515==    at 0x3C7C92: zend_string_equal_val (zend_string.c:403)
==32515==    by 0x40DCFC: zend_string_equal_content (zend_string.h:310)
==32515==    by 0x40DCFC: zend_fast_equal_strings (zend_operators.h:734)
==32515==    by 0x40DCFC: ZEND_IS_EQUAL_SPEC_CV_CV_HANDLER (zend_vm_execute.h:48290)
==32515==    by 0x42730C: execute_ex (zend_vm_execute.h:60509)
==32515==    by 0x38FBA5: zend_call_function (zend_execute_API.c:756)
==32515==    by 0x2CA422: zif_array_filter (array.c:6059)
==32515==    by 0x42B7B4: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:892)
==32515==    by 0x42B7B4: execute_ex (zend_vm_execute.h:55481)
==32515==    by 0x38FBA5: zend_call_function (zend_execute_API.c:756)
==32515==    by 0x2CDF54: zif_call_user_func_array (basic_functions.c:4942)
==32515==    by 0x42B7B4: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:892)
==32515==    by 0x42B7B4: execute_ex (zend_vm_execute.h:55481)
==32515==    by 0x42DC69: zend_execute (zend_vm_execute.h:60881)
==32515==    by 0x39E3F2: zend_execute_scripts (zend.c:1568)
==32515==    by 0x33CD0F: php_execute_script (main.c:2630)
==32515== 
==32515== Conditional jump or move depends on uninitialised value(s)
==32515==    at 0x210DA389: ???
==32515==    by 0x21014C47: ???
==32515==    by 0x21014C47: ???
==32515==    by 0x21015AB0: ???
==32515==    by 0x9A3F4FF: ???
==32515==    by 0x21014C47: ???
==32515== 
==32515== Conditional jump or move depends on uninitialised value(s)
==32515==    at 0x210DA389: ???
==32515==    by 0x23661DD7: ???
==32515==    by 0x23661DD7: ???
==32515==    by 0x23662C3B: ???
==32515==    by 0x9A3F4FF: ???
==32515==    by 0x23661DD7: ???
==32515== 

vex: the `impossible' happened:
   isZeroU
vex storage: T total 3415284120 bytes allocated
vex storage: P total 640 bytes allocated

valgrind: the 'impossible' happened:
   LibVEX called failure_exit().

host stacktrace:
==32515==    at 0x38083F48: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x38084064: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x380842A1: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x380842CA: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x3809F682: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x38145428: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x3815256D: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x38156692: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x381572C6: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x38159188: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x3815A1D6: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x3814320C: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x380A1C0B: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x380D296B: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x380D45CF: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x380E3946: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 32515)
==32515==    at 0xBAAE4C0: ??? (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==32515==    by 0xBA8D13F: EC_POINT_mul (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==32515==    by 0x8E8304CBD4DD2CFF: ???
==32515==    by 0x2148606F: ???
==32515==    by 0xBA95B39: EC_KEY_generate_key (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==32515==    by 0xB76DD24: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==32515==    by 0xB771967: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==32515==    by 0xB77B145: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==32515==    by 0x1B322514: ??? (in /usr/lib/x86_64-linux-gnu/libpq.so.5.8)
==32515==    by 0x1B30DEA7: PQconnectPoll (in /usr/lib/x86_64-linux-gnu/libpq.so.5.8)
==32515==    by 0x1B30EAAD: ??? (in /usr/lib/x86_64-linux-gnu/libpq.so.5.8)
==32515==    by 0x1B30F426: PQconnectdb (in /usr/lib/x86_64-linux-gnu/libpq.so.5.8)
==32515==    by 0x1B0F9302: pdo_pgsql_handle_factory (pgsql_driver.c:1225)
==32515==    by 0xA0330DD: zim_PDO_dbh_constructor (pdo_dbh.c:356)
==32515==    by 0x42D597: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==32515==    by 0x42D597: execute_ex (zend_vm_execute.h:55485)
==32515==    by 0x38FBA5: zend_call_function (zend_execute_API.c:756)
==32515==    by 0x2CDD71: zif_call_user_func (basic_functions.c:4916)
==32515==    by 0x42B7B4: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:892)
==32515==    by 0x42B7B4: execute_ex (zend_vm_execute.h:55481)
==32515==    by 0x38FBA5: zend_call_function (zend_execute_API.c:756)
==32515==    by 0x3D097F: zend_std_call_issetter (zend_object_handlers.c:316)
==32515==    by 0x3D3F98: zend_std_has_property (zend_object_handlers.c:1659)
==32515==    by 0x3E337C: ZEND_ISSET_ISEMPTY_PROP_OBJ_SPEC_UNUSED_CONST_HANDLER (zend_vm_execute.h:32444)
==32515==    by 0x428388: execute_ex (zend_vm_execute.h:58895)
==32515==    by 0x38FBA5: zend_call_function (zend_execute_API.c:756)
==32515==    by 0x2CDF54: zif_call_user_func_array (basic_functions.c:4942)
==32515==    by 0x42B7B4: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:892)
==32515==    by 0x42B7B4: execute_ex (zend_vm_execute.h:55481)
==32515==    by 0x42DC69: zend_execute (zend_vm_execute.h:60881)
==32515==    by 0x39E3F2: zend_execute_scripts (zend.c:1568)
==32515==    by 0x33CD0F: php_execute_script (main.c:2630)
==32515==    by 0x430108: do_cli (php_cli.c:997)
==32515==    by 0x1F68DB: main (php_cli.c:1389)
 [2019-04-15 10:15 UTC] nikic@php.net
Unfortunately these all look like false positives (the ??? are likely from PCRE JIT and zend_string_equal_val is expected) and valgrind itself crashed before it got to anything interesting :(
 [2019-04-15 10:48 UTC] scott at exussum dot co dot uk
Anything else I can do for debugging? I can make it happen fairly often.
 [2019-05-07 08:02 UTC] sjon at hortensius dot net
I think this bug is duplicated by #77955 which has a better stacktrace with debug-symbols
 [2019-05-07 09:16 UTC] sjon@php.net
-Status: Open +Status: Duplicate
 [2019-05-07 09:16 UTC] sjon@php.net
duplicate of bug #77955 (which has a better backtrace)
Last updated: Sun Dec 22 01:01:30 2024 UTC