php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #26589 mssql money datatype in query crashes apache
Submitted: 2003-12-10 22:02 UTC Modified: 2004-04-06 04:02 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: justin22 at v-biz dot net Assigned: fmk
Status: Closed Package: MSSQL related
PHP Version: 4CVS, 5CVS OS: windows 2000
Private report: No CVE-ID:
 [2003-12-10 22:02 UTC] justin22 at v-biz dot net
Description:
------------
php 4.3.3 & 4.3.4 / sql server 2000 sp3 / win2k sp4 / apache 2.0.47

query contains a money field, after 30-40 rows, apache crashed.

apache log:
[Thu Dec 11 10:11:02 2003] [notice] Parent: child process exited with status 3221225477 -- Restarting.
[Thu Dec 11 10:11:04 2003] [notice] Parent: Created child process 1008

dr watson log:
Application exception occurred:
        App:  (pid=1168)
        When: 11/12/2003 @ 10:11:00.979
        Exception number: c0000005 (access violation)
...

State Dump for Thread Id 0x544

eax=223d6504 ebx=000000e9 ecx=3e223335 edx=01ebb298 esi=01aa0000 edi=01ebab50
eip=77fcb032 esp=01a1da40 ebp=01a1dbd8 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246


function: _eFSQRT
        77fcb00e 884705           mov     [edi+0x5],al                 ds:02944a36=??
        77fcb011 ff75d0           push    dword ptr [ebp+0xd0]   ss:024a7abe=????????
        77fcb014 8b75a4           mov     esi,[ebp+0xa4]         ss:024a7abe=????????
        77fcb017 56               push    esi
        77fcb018 e81de5fbff       call RtlConsoleMultiByteToUnicodeN+0x348 (77f8953a)
        77fcb01d 8b4dd0           mov     ecx,[ebp+0xd0]         ss:024a7abe=????????
        77fcb020 8b4108           mov     eax,[ecx+0x8]          ds:3ecad21b=????????
        77fcb023 8985d8feffff     mov     [ebp+0xfffffed8],eax   ss:01a1dab0=223d6504
        77fcb029 8b490c           mov     ecx,[ecx+0xc]          ds:3ecad21b=????????
        77fcb02c 898dd4feffff     mov     [ebp+0xfffffed4],ecx   ss:01a1daac=3e223335
FAULT ->77fcb032 8901             mov     [ecx],eax              ds:3e223335=????????
        77fcb034 894804           mov     [eax+0x4],ecx          ds:22e603ea=????????
        77fcb037 3bc1             cmp     eax,ecx
        77fcb039 0f84b7240000     je      RtlFreeHeap+0xd23 (77fcd4f6)
        77fcb03f 8b45d0           mov     eax,[ebp+0xd0]         ss:024a7abe=????????
        77fcb042 0fb708           movzx   ecx,word ptr [eax]         ds:223d6504=????
        77fcb045 294e28           sub     [esi+0x28],ecx         ds:02529ee6=????????
        77fcb048 0fb700           movzx   eax,word ptr [eax]         ds:223d6504=????
        77fcb04b 03d8             add     ebx,eax
        77fcb04d 895da8           mov     [ebp+0xa8],ebx         ss:024a7abe=????????
        77fcb050 81fb00fe0000     cmp     ebx,0xfe00
        77fcb056 0f86d4240000     jbe     RtlFreeHeap+0xd5d (77fcd530)

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
01A1DBD8 00F4EEB2 01AA0000 00000001 000000B0 000000A0 ntdll!_eFSQRT 
000000A0 00000000 00000000 00000000 00000000 00000000 !emalloc 

fault is 100% repeatable on a particular dataset.

the problem goes away if I change the source query to convert to a float:


select CONVERT(float, dbo.Payments.Amount) AS Amount


Reproduce code:
---------------
$sql="select amount from fred";
if (!db_connect()) return false;
$result = mssql_query($sql);

// Crash

$sql="select CONVERT(float, dbo.Payments.Amount) AS Amount from fred"
$result = mssql_query($sql);

// OK

Sample table Fred has 1 column, Amount(money) with 236 rows, can be supplied on request


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-12-11 21:41 UTC] justin22 at v-biz dot net
Tried latest CVS, exact same result.
Could be same problem as reported in bug #19588, as I tried to do a convert(smallmoney, amount) instead of float conversion and it still failed.
 [2003-12-12 01:02 UTC] fmk@php.net
I've tested this with the latest code from CVS of both php4 and php5 and I can't reproduce it.

Please provide some more details like php.ini settings for mssql and are you using CGI or apache module ?

The Microsoft library used for the mssql extension is not thread safe. That could be the problem if you are using apache module.

You can send your sample code and data to fmk@php.net.
 [2003-12-14 20:28 UTC] justin22 at v-biz dot net
I've created a sample database with my table, along with this script:

<?
echo "Connect to server<br>";
$ConnID = mssql_pconnect('justin', 'xxx', 'ppp');
if ($ConnID===false) die("Cannot connect to server");
echo "select Database<br>";
if (!mssql_select_db('PhpMoneyTest')) die('cannot select db PHPmoneytest');
$sql="select amount as amount from Test";
$result = mssql_query($sql);

// php crashes here

echo "Test Passed"
// Finished

?>


php.ini settings are:
[MSSQL]
; Allow or prevent persistent links.
mssql.allow_persistent = on
; Maximum number of persistent links.  -1 means no limit.
mssql.max_persistent = -1
; Maximum number of links (persistent+non persistent).  -1 means no limit.
mssql.max_links = -1
; Minimum error severity to display.
mssql.min_error_severity = 10
; Minimum message severity to display.
mssql.min_message_severity = 10
; Compatability mode with old versions of PHP 3.0.
mssql.compatability_mode = Off
; Valid range 0 - 2147483647.  Default = 4096.
;[jvp] allow more text!
mssql.textlimit = 16384
; Valid range 0 - 2147483647.  Default = 4096.
;[jvp]
mssql.textsize = 16384
; Limits the number of records in each batch.  0 = all records in one batch.
mssql.batchsize = 0
; Use NT authentication when connecting to the server
mssql.secure_connection = 0
; Specify max number of processes. Default = 25
;mssql.max_procs = 25
; Disable date time conversions: dates formatted yyyy-mm-dd hh:mm:ssAA
mssql.datetimeconvert = 0

I tried changing some of these (in particular, tried without persistent connections) without any effect.

I'm using apache module, but this dies with only a single process (request), so its unlikely to be  a thread issue.  I'm very concerned about your threadsafe comments - can you point me to any discussion of this issue?

sample db with table 'Test' emailed as requested.

Thanks for your quick response!

Justin
 [2004-02-17 17:34 UTC] sniper@php.net
Does it crash if you run it from command line using CLI / CGI binary?

 [2004-02-18 01:01 UTC] justin22 at v-biz dot net
running it from the command line ('php moneytest.php') also crashes:
dr watson:
function: RtlAllocateHeap
        77fcc4c9 897dcc           mov     [ebp+0xcc],edi         ss:0154958a=????????
        77fcc4cc 884705           mov     [edi+0x5],al                 ds:020da096=??
        77fcc4cf 66894f02         mov     [edi+0x2],cx               ds:020da097=????
        77fcc4d3 8a4e04           mov     cl,[esi+0x4]                 ds:020da076=??
        77fcc4d6 884f04           mov     [edi+0x4],cl                 ds:020da096=??
        77fcc4d9 66891f           mov     [edi],bx                   ds:00cc01b0=2e6c
        77fcc4dc a810             test    al,0x10
        77fcc4de 0f8540020000     jne     RtlAllocateHeap+0x477 (77fcc724)
        77fcc4e4 8d0cdf           lea     ecx,[edi+ebx*8]        ds:00002e6c=????????
        77fcc4e7 894dd0           mov     [ebp+0xd0],ecx         ss:0154958a=????????
FAULT ->77fcc4ea 8a4105           mov     al,[ecx+0x5]                 ds:020f13f6=??
        77fcc4ed a801             test    al,0x1
        77fcc4ef 0f8419ebffff     je      _eFSQRT+0xd44 (77fcb00e)
        77fcc4f5 66895902         mov     [ecx+0x2],bx               ds:020f13f7=????
        77fcc4f9 6681fb8000       cmp     bx,0x80
        77fcc4fe 0f8391f4ffff     jnb     RtlSizeHeap+0x8f (77fcb995)
        77fcc504 80670510         and     byte ptr [edi+0x5],0x10      ds:020da096=??
        77fcc508 0fb7c3           movzx   eax,bx
        77fcc50b 8b4da4           mov     ecx,[ebp+0xa4]         ss:0154958a=????????
        77fcc50e 8db4c178010000   lea     esi,[ecx+eax*8+0x178]  ds:000006e6=????????
        77fcc515 89b500ffffff     mov     [ebp+0xffffff00],esi   ss:0012f5a4=00000000
        77fcc51b 3936             cmp     [esi],esi              ds:00cc0190=00cc0004

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0012F6A4 100BFE82 00CC0000 00000001 00000018 00000001 ntdll!RtlAllocateHeap 
00000005 00000000 00000000 00000000 00000000 00000000 !emalloc
 [2004-03-23 13:17 UTC] fmk@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2004-04-06 04:02 UTC] justin22 at v-biz dot net
new version from CVS works fine now.  However returning a float instead of string may cause other programs to develop rounding problems.  AS PHP does not support Money type or fixed point arithmetic, this may just be as good as it gets.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 10:02:06 2014 UTC