Bug #26133 OCIDescriptorFree segfault PHP
Submitted: 2003-11-05 04:08 UTC Modified: 2003-12-16 10:56 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: msanmartin at seamus dot es Assigned:
Status: Closed Package: OCI8 related
PHP Version: 4CVS, 5CVS OS: Linux
Private report: No CVE-ID: None
 [2003-11-05 04:08 UTC] msanmartin at seamus dot es
Description:
------------
If I call OCINewDescriptor to create an OCI_D_ROWID descriptor, it crashes when I free this descriptor, or when PHP frees it at the end.
It happens with Oracle 9.2.0.1.0.
With Oracle 9.0.1.0.0 the code works.

I made a program in C that makes similar calls to OCI8, and it works well.

The crash is in the call to OCIDescriptorFree.

I reproduced this in php4-200311050830, php-4.3.2 and php-4.3.4.
In php-4.2.2 the code works.


Reproduce code:
---------------
<?php
// Reproduction: allocate a ROWID descriptor, bind it to the RETURNING clause,
// then free it. The free is where the crash reported above happens.
$db_log_sql = 'INSERT INTO test (VARIABLE, VALUE) VALUES (\'1\',\'1\') '.
              'RETURNING ROWID INTO :v_rowid ';
$db_log = OCILogon('xxx','xxx','xxx');
$db_log_stmt = OCIParse($db_log, $db_log_sql);
$db_log_rowid = OCINewDescriptor($db_log, OCI_D_ROWID);
// OCIBindByName takes the bound variable by reference itself; no call-time '&' is needed.
OCIBindByName($db_log_stmt, ":v_rowid", $db_log_rowid, -1, OCI_B_ROWID);
if (OCIExecute($db_log_stmt)) {
        OCICommit($db_log);
}
OCIFreeStatement($db_log_stmt);
$db_log_rowid->free();   // crashes inside OCIDescriptorFree (backtrace frames #10 and #11)
?>


Actual result:
--------------
$ gdb /usr/local/src/php-4.3.4/sapi/cli/php             
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) set args x2.php 
(gdb) run
Starting program: /usr/local/src/php-4.3.4/sapi/cli/php x2.php 
[New Thread 16384 (LWP 11411)]
end
********** Internal heap ERROR 17112 addr=0x81d4278 *********

***** Dump of memory around addr 0x81d4278: 
81D4070                   00000000 00000000          [........]
81D4080 00000000 00000000 00000000 00000000  [................]
        Repeat 30 times
81D4270 00000000 00000000 80000022 081D405C  [........"...\@..]
81D4280 40921CBD 000A15CD D7000001 000D009F  [...@............]
81D4290 00DA2501 00000059 80000032 081D4278  [.%..Y...2...xB..]
81D42A0 408FAAA0 000A15CD 00000000 00000000  [...@............]
81D42B0 00000000 00000000 00000000 00000000  [................]
81D42C0 00000000 00000000 80000052 081D4298  [........R....B..]
81D42D0 408FAAA0 000A15CD 081D42A8 00000005  [...@.....B......]
81D42E0 00000000 40000000 40400000 00000000  [.......@..@@....]
81D42F0 00000000 00000000 00000000 00000000  [................]
81D4300 00000010 402B29E0 402B2A30 081C29D8  [.....)+@0*+@.)..]
81D4310 00000000 00000000 80000032 081D42C8  [........2....B..]
81D4320 408FAAA0 000A15CD 00000000 00000000  [...@............]
81D4330 00000000 00000000 00000000 00000000  [................]
81D4340 00000000 00000000 80000052 081D4318  [........R....C..]
81D4350 408FAAA0 000A15CD 081D4328 00000005  [...@....(C......]
81D4360 00000000 40000000 40400000 402B2AE0  [.......@..@@.*+@]
81D4370 402B2B20 00000000 00000000 00000000  [ ++@............]
81D4380 00000014 402B29E0 402B2A30 081C29D8  [.....)+@0*+@.)..]
81D4390 00000000 00000000 80000032 081D4348  [........2...HC..]
81D43A0 408FAAA0 000A15CD 00000000 00000000  [...@............]
81D43B0 00000000 00000000 00000000 00000000  [................]
81D43C0 00000000 00000000 80000052 081D4398  [........R....C..]
81D43D0 408FAAA0 000A15CD 081D43A8 00000005  [...@.....C......]
81D43E0 00000000 40000000 40400000 402B2A70  [.......@..@@p*+@]
81D43F0 402B2AA0 00000000 00000000 00000000  [.*+@............]
81D4400 0000005C 402B29E0 402B2A30 081C29D8  [\....)+@0*+@.)..]
81D4410 00000000 00000000 88000032 081D43C8  [........2....C..]
81D4420 408FAAA0 000A15CD 00000000 081D43D8  [...@.........C..]
81D4430 081D42D8 081D4358 00000000 00000000  [.B..XC..........]
81D4440 00000000 00000000 00000000 00001041  [............A...]
81D4450 081C63D8 081D3410 10001031 00000000  [.c...4..1.......]
81D4460 081C63D8 081C6370 081CC7A0 80000AF9  [.c..pc..........]
81D4470 00000000 00000000                    [........]        

***HEAP DUMP heap name="Alloc environm"  desc=0x820bc78
 extent sz=0x1024 alt=32767 het=32767 rec=0 flg=3 opc=3
 parent=0x820bce0 owner=(nil) nex=(nil) xsz=0x1024
EXTENT 0 addr=0x8251914
  Chunk  825191c sz=     4124    free      "               "
EXTENT 1 addr=0x82508d4
  Chunk  82508dc sz=     2808    free      "               "
  Chunk  82513d4 sz=     1316    freeable assoc with mark prv=(nil) nxt=(nil)
EXTENT 2 addr=0x82018e4
  Chunk  82018ec sz=       76    perm      "perm           "  alo=76
  Chunk  8201938 sz=       48    free      "               "
  Chunk  8201968 sz=       24    freeable assoc with mark prv=(nil) nxt=(nil)
  Chunk  8201980 sz=       32    freeable assoc with mark prv=(nil) nxt=(nil)
  Chunk  82019a0 sz=      920    free      "               "
  Chunk  8201d38 sz=      544    freeable assoc with mark prv=(nil) nxt=(nil)
  Chunk  8201f58 sz=     1292    freeable assoc with mark prv=(nil) nxt=(nil)
  Chunk  8202464 sz=      544    freeable assoc with mark prv=(nil) nxt=(nil)
  Chunk  8202684 sz=       24    freeable assoc with mark prv=(nil) nxt=(nil)
  Chunk  820269c sz=       20    freeable assoc with mark prv=(nil) nxt=(nil)
  Chunk  82026b0 sz=      468    freeable assoc with mark prv=(nil) nxt=(nil)
  Chunk  8202884 sz=      116    freeable assoc with mark prv=(nil) nxt=(nil)
Total heap size    =    12356
FREE LISTS:
 Bucket 0 size=272
  Chunk  8201938 sz=       48    free      "               "
 Bucket 1 size=528
  Chunk  82019a0 sz=      920    free      "               "
 Bucket 2 size=1040
  Chunk  825191c sz=     4124    free      "               "
  Chunk  82508dc sz=     2808    free      "               "
Total free space   =     7900
UNPINNED RECREATABLE CHUNKS (lru first):
PERMANENT CHUNKS:
  Chunk  82018ec sz=       76    perm      "perm           "  alo=76
Permanent space    =       76
***************************************************
 Hla: 0

ORA-21500: internal error code, arguments: [17112], [0x81D4278], [], [], [], [], [], []
Errors in file :
ORA-21500: internal error code, arguments: [17112], [0x81D4278], [], [], [], [], [], []


----- Call Stack Trace -----
Cannot open /proc/11411/exe.
calling              call     entry                argument values in hex      
location             type     point                (? means dubious value)     
-------------------- -------- -------------------- ----------------------------
Cannot find symbol in /proc/11411/exe.
Cannot find symbol in /proc/11411/exe.
Cannot find symbol in /proc/11411/exe.
Cannot find symbol in /proc/11411/exe.
Cannot find symbol in /proc/11411/exe.
Cannot find symbol in /proc/11411/exe.
402E33BB             CALL     401642E0             8208890 ? 402E337D ?

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 11411)]
0x40690857 in slrac () from /u01/app/oracle/product/9.2.0.2.0/lib/libclntsh.so.9.0
(gdb) backtrace
#0  0x40690857 in slrac () from /u01/app/oracle/product/9.2.0.2.0/lib/libclntsh.so.9.0
#1  0x406e18a7 in kgdsaaddr () from /u01/app/oracle/product/9.2.0.2.0/lib/libclntsh.so.9.0
#2  0x406e1160 in kgdsdst () from /u01/app/oracle/product/9.2.0.2.0/lib/libclntsh.so.9.0
#3  0x402e33c0 in skgudmp () from /u01/app/oracle/product/9.2.0.2.0/lib/libclntsh.so.9.0
#4  0x406bc1a2 in kgesiv () from /u01/app/oracle/product/9.2.0.2.0/lib/libclntsh.so.9.0
#5  0x406bbefe in kgesic1 () from /u01/app/oracle/product/9.2.0.2.0/lib/libclntsh.so.9.0
#6  0x406a3bf3 in kgherror () from /u01/app/oracle/product/9.2.0.2.0/lib/libclntsh.so.9.0
#7  0x406adfd2 in kghfre () from /u01/app/oracle/product/9.2.0.2.0/lib/libclntsh.so.9.0
#8  0x401c2479 in kpuhhfre () from /u01/app/oracle/product/9.2.0.2.0/lib/libclntsh.so.9.0
#9  0x401d568e in kpufdesc () from /u01/app/oracle/product/9.2.0.2.0/lib/libclntsh.so.9.0
#10 0x4022be83 in OCIDescriptorFree () from /u01/app/oracle/product/9.2.0.2.0/lib/libclntsh.so.9.0
#11 0x0807f31f in _oci_descriptor_list_dtor (rsrc=0x0) at /usr/local/src/php-4.3.4/ext/oci8/oci8.c:903
#12 0x08120c31 in list_entry_destructor (ptr=0x81f6984) at /usr/local/src/php-4.3.4/Zend/zend_list.c:177
#13 0x0811f8a3 in zend_hash_del_key_or_index (ht=0x81949e0, arKey=0x0, nKeyLength=0, h=8, flag=0)
    at /usr/local/src/php-4.3.4/Zend/zend_hash.c:524
#14 0x08120a51 in _zend_list_delete (id=8) at /usr/local/src/php-4.3.4/Zend/zend_list.c:56
#15 0x0808267e in zif_ocifreedesc (ht=0, return_value=0x81de0f4, this_ptr=0x4e455645, return_value_used=0)
    at /usr/local/src/php-4.3.4/ext/oci8/oci8.c:3038
#16 0x08127152 in execute (op_array=0x81e2664) at /usr/local/src/php-4.3.4/Zend/zend_execute.c:1616
#17 0x0811c417 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/local/src/php-4.3.4/Zend/zend.c:884
#18 0x080fb14b in php_execute_script (primary_file=0xbffff970) at /usr/local/src/php-4.3.4/main/main.c:1729
#19 0x0812aec0 in main (argc=2, argv=0xbffffa04) at /usr/local/src/php-4.3.4/sapi/cli/php_cli.c:819
#20 0x409b6bb4 in __libc_start_main () from /lib/libc.so.6


 [2003-12-08 05:55 UTC] thies@php.net
No need to allocate a descriptor for that.
 
See:
    <?php
        $db = OCILogon("scott","tiger");

        $stmt = OCIParse($db,"select rowid,chickens_sold from chicken for update");

        OCIDefineByName($stmt,"CHICKENS_SOLD",$chickens_sold);
        OCIDefineByName($stmt,"ROWID",$rid);
        OCIExecute($stmt,OCI_DEFAULT);
        OCIFetch($stmt);

        echo "chicken sold so far: $chickens_sold\n";

        $update = OCIParse($db,"update chicken set chickens_sold=:chickens_sold where rowid = :rid");

        OCIBindByName($update,"CHICKENS_SOLD",$chickens_sold,32);
        OCIBindByName($update,"RID",$rid,-1,OCI_B_ROWID);

        $chickens_sold += 100;

        OCIExecute($update);
        OCICommit($db);
    ?>


 [2003-12-08 11:16 UTC] tony2001 at phpclub dot net
If you replace this:
$db_log_rowid = OCINewDescriptor($db_log,OCI_D_ROWID);

with this:
$db_log_rowid = OCINewDescriptor($db_log,OCI_D_LOB);

you'll get another segfault, but this one is initiated by OCIExecute().

Isn't it an OCI bug?
It seems that Oracle allocates memory for the descriptor but can't initialize it while executing the query, and should return an error in this case.
 [2003-12-13 13:57 UTC] agarcia at at4 dot net
Just a workaround until this bug gets fixed.

Use rowidtochar(rowid) to avoid using OCINewDescriptor.

<?php
// The ROWID comes back as a plain string, so it binds to an ordinary PHP
// variable and no descriptor is allocated or freed.
$db_log_sql = 'INSERT INTO test (VARIABLE, VALUE) VALUES (\'1\',\'1\') '.
              'RETURNING rowidtochar(ROWID) INTO :v_rowid ';
$db_log = OCILogon('xxx','xxx','xxx');
$db_log_stmt = OCIParse($db_log, $db_log_sql);
OCIBindByName($db_log_stmt, ":v_rowid", $db_log_rowid, 255);
if (OCIExecute($db_log_stmt)) {
        OCICommit($db_log);
}
OCIFreeStatement($db_log_stmt);
?>
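The following is an added example, not code from this thread or from the PHP project: it carries the two suggestions above (bind the ROWID as a string and never allocate an OCI_D_ROWID descriptor) into a complete script with error checking, and then uses the returned ROWID string to update the same row, again without a descriptor. It uses the current oci_* spellings of the OCI* functions used in the thread, assumes a table TEST(VARIABLE, VALUE) as in the report, and uses placeholder credentials and connection string.

```php
<?php
// Added example (not from the bug report). Assumes TEST(VARIABLE, VALUE) exists
// and that 'xxx'/'localhost/XE' are replaced with real, placeholder-free values.

function fail(string $step, $handle): void {
    // oci_error() returns false when no error is pending on the handle
    $e = oci_error($handle);
    $msg = $e ? $e['message'] : 'unknown error';
    throw new RuntimeException("$step failed: $msg");
}

function insert_returning_rowid($conn, string $variable, string $value): string {
    // ROWIDTOCHAR() makes Oracle return the row id as text, so it binds to an
    // ordinary PHP string; no OCI_D_ROWID descriptor (the object whose
    // OCIDescriptorFree call crashed in this report) is ever created.
    $sql = 'INSERT INTO test (VARIABLE, VALUE) VALUES (:var, :val) '
         . 'RETURNING ROWIDTOCHAR(ROWID) INTO :v_rowid';
    $stmt = oci_parse($conn, $sql) or fail('parse', $conn);

    // Every value is bound; nothing is interpolated into the SQL text.
    oci_bind_by_name($stmt, ':var', $variable) or fail('bind :var', $stmt);
    oci_bind_by_name($stmt, ':val', $value) or fail('bind :val', $stmt);
    $rowid = '';
    // 32 bytes comfortably holds an 18-character extended ROWID (assumed size)
    oci_bind_by_name($stmt, ':v_rowid', $rowid, 32) or fail('bind :v_rowid', $stmt);

    // Keep the insert inside the transaction until oci_commit() below.
    oci_execute($stmt, OCI_NO_AUTO_COMMIT) or fail('execute', $stmt);
    oci_free_statement($stmt);
    return $rowid;
}

function update_by_rowid($conn, string $rowid, string $newValue): int {
    // The ROWID string is bound as a plain string; Oracle converts CHAR to
    // ROWID implicitly in the WHERE clause, so no descriptor is needed here either.
    $stmt = oci_parse($conn, 'UPDATE test SET VALUE = :val WHERE ROWID = :rid')
        or fail('parse', $conn);
    oci_bind_by_name($stmt, ':val', $newValue) or fail('bind :val', $stmt);
    oci_bind_by_name($stmt, ':rid', $rowid) or fail('bind :rid', $stmt);
    oci_execute($stmt, OCI_NO_AUTO_COMMIT) or fail('execute', $stmt);
    $rows = oci_num_rows($stmt);
    oci_free_statement($stmt);
    return $rows;
}

$conn = oci_connect('xxx', 'xxx', 'localhost/XE');   // placeholder credentials
if (!$conn) {
    fail('connect', null);
}

try {
    $rowid = insert_returning_rowid($conn, '1', '1');
    $n = update_by_rowid($conn, $rowid, '2');
    oci_commit($conn) or fail('commit', $conn);
    echo "inserted row $rowid and updated $n row(s)\n";
} catch (RuntimeException $e) {
    oci_rollback($conn);
    fwrite(STDERR, $e->getMessage() . "\n");
} finally {
    oci_close($conn);
}
```

The statement handles are freed before the connection is closed and no descriptor resource exists at all, so the destructor path shown in the backtrace (_oci_descriptor_list_dtor calling OCIDescriptorFree) is never reached.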
 [2003-12-16 10:56 UTC] tony2001@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

