Bug #14357 segfault when using mssql_close()
Submitted: 2001-12-05 22:28 UTC Modified: 2002-05-24 20:34 UTC
From: jbowles at speakeasy dot net Assigned:
Status: Not a bug Package: MSSQL related
PHP Version: 4.0CVS-2001-12-05 OS: Solaris 8
Private report: No CVE-ID: None
 [2001-12-05 22:28 UTC] jbowles at speakeasy dot net
#----------------------------------------------------------------------
# Problem description
#----------------------------------------------------------------------

While selecting a large-ish amount of data from an MS-SQL 7 database,
PHP will segfault.

After constructing a small test case, it was found that the segfault happened when mssql_close() was called, and only when more than 75 rows from a 75 column table were selected in the query.

If fewer columns are chosen from the table, it is possible to retrieve more rows without causing a segfault. However, as the number of rows increases, the segfault would begin to occur again.

Originally, I thought that the problem must be FreeTDS related, but a backtrace shows the problem happening within PHP.

#----------------------------------------------------------------------
# Hardware/Software Setup
#----------------------------------------------------------------------

Web Server:

  Sparc Ultra 60
  Solaris 8
  Apache 1.3.22
  PHP 4.x, CVS code base from 2001-12-05 ~7pm MST
  FreeTDS 0.53

PHP configure line:

./configure --with-mssql=/usr/local/freetds \
            --with-sybase=/usr/local/sybase \
            --with-apxs=/usr/local/apache/bin/apxs \
            --with-mysql=/usr/local/mysql \
            --prefix=/usr/local/php

Database Server:

  Windows NT 4 SP 6a
  MS-SQL 7 SP3

#----------------------------------------------------------------------
# Script that demonstrates problem
#----------------------------------------------------------------------
<html>
<?
// Database connection parameters
$hostname = 'some-mssql-db-server';
$username = 'username';
$password = 'password';
$database = 'database-name';
$table = 'table-name';

// Connect to the database
$connection = mssql_connect($hostname,$username,$password);
mssql_select_db($database);

$query = "select * from [$table]";

print("query = $query <br>");

$query_result = mssql_query($query);
$number_fields = mssql_num_fields($query_result);
$number_rows = mssql_num_rows($query_result) ;

print("Number of rows: $number_rows <br>");
print("Number of columns: $number_fields <br>");
print("Number of cells: ");
$num_cells = $number_rows * $number_fields;
print("$num_cells <br>");

print("<table border = \"1\">");

// Display the results
for($row_number = 0; $row_number < $number_rows; $row_number++) {
  print "<tr>";

  for($field_number = 0; $field_number < $number_fields; $field_number++) {
    print "<td>";
    print mssql_result($query_result, $row_number, $field_number);
    print "</td>" ;
  }

  print "</tr>" ;
}

print("</table>");

// Close the database connection - when this line is commented out,
// then the segfault does not happen.
mssql_close($connection);

?>
</html>

#----------------------------------------------------------------------
# Backtrace
#----------------------------------------------------------------------


# gdb /usr/local/apache-debug/bin/httpd
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(gdb) run -X -d /usr/local/apache-debug -f /usr/local/apache-debug/conf/httpd.conf

Starting program: /usr/local/apache-debug/bin/httpd -X -d /usr/local/apache-debug -f /usr/local/apache-debug/conf/httpd.conf

Program received signal SIGSEGV, Segmentation fault.
0xff1c1960 in realfree () from /usr/lib/libc.so.1
(gdb) backtrace
#0  0xff1c1960 in realfree () from /usr/lib/libc.so.1
#1  0xff1c21d8 in _free_unlocked () from /usr/lib/libc.so.1
#2  0xff1c2128 in free () from /usr/lib/libc.so.1
#3  0xfefc1b0c in _efree () from /usr/local/apache/libexec/libphp4.so
#4  0xfefda144 in safe_free_zval_ptr ()
   from /usr/local/apache/libexec/libphp4.so
#5  0xfefd8550 in _zval_ptr_dtor () from /usr/local/apache/libexec/libphp4.so
#6  0xff0bfda0 in _free_sybase_result ()
   from /usr/local/apache/libexec/libphp4.so
#7  0xfeff2b3c in list_entry_destructor ()
   from /usr/local/apache/libexec/libphp4.so
#8  0xfeff02e0 in zend_hash_apply_deleter ()
   from /usr/local/apache/libexec/libphp4.so
#9  0xfeff0670 in zend_hash_apply () from /usr/local/apache/libexec/libphp4.so
#10 0xff0bfff4 in _close_sybase_link ()
   from /usr/local/apache/libexec/libphp4.so
#11 0xfeff2b3c in list_entry_destructor ()
   from /usr/local/apache/libexec/libphp4.so
#12 0xfefefe98 in zend_hash_del_key_or_index ()
   from /usr/local/apache/libexec/libphp4.so
#13 0xfeff2650 in _zend_list_delete ()
   from /usr/local/apache/libexec/libphp4.so
#14 0xff0c172c in zif_sybase_close () from /usr/local/apache/libexec/libphp4.so
#15 0xfefd1908 in execute () from /usr/local/apache/libexec/libphp4.so
#16 0xfefe8570 in zend_execute_scripts ()
   from /usr/local/apache/libexec/libphp4.so
#17 0xff001804 in php_execute_script ()
   from /usr/local/apache/libexec/libphp4.so
#18 0xfeffa4d8 in apache_php_module_main ()
   from /usr/local/apache/libexec/libphp4.so
#19 0xfeffba44 in send_php () from /usr/local/apache/libexec/libphp4.so
#20 0xfeffbabc in send_parsed_php () from /usr/local/apache/libexec/libphp4.so
#21 0x41238 in ap_invoke_handler (r=0x11cd10) at http_config.c:517
#22 0x5edf8 in process_request_internal (r=0x11cd10) at http_request.c:1307
#23 0x5ee7c in ap_process_request (r=0x11cd10) at http_request.c:1323
#24 0x523d8 in child_main (child_num_arg=0) at http_main.c:4465
#25 0x5266c in make_child (s=0xcb838, slot=0, now=1007606468)
    at http_main.c:4569
#26 0x52888 in startup_children (number_to_start=5) at http_main.c:4651
#27 0x532b8 in standalone_main (argc=6, argv=0xffbefc1c) at http_main.c:4956
#28 0x53f00 in main (argc=6, argv=0xffbefc1c) at http_main.c:5301
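
A triage pass over the backtrace above, as an added example that is not part of the original report or of PHP: it parses gdb frames (including the wrapped `from` lines), finds the first frame outside the faulting library, and lists the PHP function and the resource destructors on the stack. The names `parse_frames` and `triage` and the abridged `BACKTRACE` sample are assumptions of this example.

```python
import re

# Sample input for this added example: frames abridged from the report's
# backtrace, with gdb's wrapped "from <library>" lines kept as posted.
BACKTRACE = """\
#0  0xff1c1960 in realfree () from /usr/lib/libc.so.1
#1  0xff1c21d8 in _free_unlocked () from /usr/lib/libc.so.1
#2  0xff1c2128 in free () from /usr/lib/libc.so.1
#3  0xfefc1b0c in _efree () from /usr/local/apache/libexec/libphp4.so
#4  0xfefda144 in safe_free_zval_ptr ()
   from /usr/local/apache/libexec/libphp4.so
#5  0xfefd8550 in _zval_ptr_dtor () from /usr/local/apache/libexec/libphp4.so
#6  0xff0bfda0 in _free_sybase_result ()
   from /usr/local/apache/libexec/libphp4.so
#10 0xff0bfff4 in _close_sybase_link ()
   from /usr/local/apache/libexec/libphp4.so
#14 0xff0c172c in zif_sybase_close () from /usr/local/apache/libexec/libphp4.so
#21 0x41238 in ap_invoke_handler (r=0x11cd10) at http_config.c:517
"""

# One frame: "#N 0xADDR in func (args)" then "from <lib>" or "at <file>:<line>".
# gdb may wrap that suffix onto the next line; \s+ also matches the newline.
FRAME = re.compile(r"#(\d+)\s+0x[0-9a-f]+ in (\w+) \(.*?\)"
                   r"(?:\s+from (\S+)|\s+at (\S+?):\d+)?")

def parse_frames(text):
    """Return [(index, function, module)], module being a bare file name."""
    frames = []
    for m in FRAME.finditer(text):
        origin = m.group(3) or m.group(4) or "?"
        frames.append((int(m.group(1)), m.group(2), origin.rsplit("/", 1)[-1]))
    return frames

def triage(text):
    """Summarise where the fault was raised and which code led to it."""
    frames = parse_frames(text)
    fault_module = frames[0][2]
    # First frame outside the faulting module: the caller into the allocator.
    caller = next(f for f in frames if f[2] != fault_module)
    # zif_<name> is the Zend engine's symbol for the C body of PHP function <name>.
    php_funcs = [f[1][4:] for f in frames if f[1].startswith("zif_")]
    # Destructor-style names outside the faulting module, as seen in this trace.
    dtors = [f[1] for f in frames
             if f[2] != fault_module and re.match(r"_(free|close)_", f[1])]
    return {"fault_in": frames[0][1], "fault_module": fault_module,
            "first_caller": caller[1], "caller_module": caller[2],
            "php_functions": php_funcs, "destructors": dtors}

if __name__ == "__main__":
    print(triage(BACKTRACE))
```

On the report's frames this shows the fault raised in libc's `realfree` with `_efree` in libphp4.so as the first caller, and `sybase_close` as the PHP function on the stack, although the script calls `mssql_close()`.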

 [2002-05-24 20:34 UTC] derick@php.net
Thank you for taking the time to report a problem with PHP.
Unfortunately your version of PHP is too old -- the problem
might already be fixed. Please download a new PHP
version from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.


 