Bug #30312 sybase_unbuffered_query calls
Submitted: 2004-10-02 20:44 UTC Modified: 2008-11-08 14:08 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: dfleury2 at libertysurf dot fr Assigned: thekid
Status: Closed Package: Sybase-ct (ctlib) related
PHP Version: 5.1.3, 4.4.2 OS: *
Private report: No CVE-ID:
 [2004-10-02 20:44 UTC] dfleury2 at libertysurf dot fr
Description:
------------
Two calls to sybase_unbuffered_query core Apache.

To correct the problem until someone else does it
properly, I added a return after
php_sybase_finish_results(result);


/* Forward declaration */
static int php_sybase_finish_results (sybase_result *result);

static void php_free_sybase_result(zend_rsrc_list_entry *rsrc TSRMLS_DC)
{
    sybase_result *result = (sybase_result *)rsrc->ptr;

    /* Check to see if we've read all rows */
    if (result->sybase_ptr && result->sybase_ptr->active_result_index) {
        if (result->sybase_ptr->cmd) {
            ct_cancel(NULL, result->sybase_ptr->cmd, CS_CANCEL_ALL);
        }
        php_sybase_finish_results(result);
        return;    /* correction: do not fall through to _free_sybase_result() below */
    }

    _free_sybase_result(result);
}


Reproduce code:
---------------
<?php
    $db     = sybase_connect( 'LOCALHOST', 'sa', '' );

    $query  = sybase_unbuffered_query( 'select getdate()' );
    $array  = sybase_fetch_array( $query );

    echo $array[ 0 ];
    echo '<br>';

    $query  = sybase_unbuffered_query( 'select getdate()' );
    $array  = sybase_fetch_array( $query );
    echo $array[ 0 ];
?>


Expected result:
----------------
2-Oct-2004 18:42:50
2-Oct-2004 18:42:50


Actual result:
--------------
Core dump
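The report above is a double free in a resource destructor: once the unbuffered result is drained, the result is released, and the destructor then falls through and releases it a second time. The following is an added example, not code from the PHP source tree or from the reporter: a cut-down model shaped like php_free_sybase_result(), with a counter on the free routine so the double free shows up as a number in a test instead of a core dump. The type and function names (conn_t, result_t, finish_results, free_result, count_frees) are hypothetical stand-ins, the ct_cancel() call is left out, and the model assumes that finish_results() releases the result itself, which is the pattern the reporter's early return avoids.

```c
/*
 * Added example (hypothetical model, not the php_sybase_ct.c code):
 * a result-set destructor with and without the early return, plus a
 * free counter so a double free can be observed without crashing.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int active_result_index;  /* non-zero while an unbuffered result is still open */
    void *cmd;                /* stands in for the CS_COMMAND handle */
} conn_t;

typedef struct {
    conn_t *conn;
    char *rows;
} result_t;

static int frees_seen;  /* number of free_result() calls in the current run */

/* Releases a result.  Memory is only released on the first call so the model
 * itself stays well-defined; the counter records what the real code would do. */
static void free_result(result_t *r)
{
    frees_seen++;
    if (frees_seen == 1) {
        free(r->rows);
        free(r);
    }
}

/* Drains any unread rows and marks the connection idle.  In this model it also
 * releases the result (the assumption behind the double free). */
static int finish_results(result_t *r)
{
    r->conn->active_result_index = 0;
    free_result(r);
    return 0;
}

/* Destructor without the reporter's early return: the result is released by
 * finish_results() and then again by the unconditional call below. */
static void destructor_buggy(result_t *r)
{
    if (r->conn && r->conn->active_result_index) {
        finish_results(r);
    }
    free_result(r);
}

/* Destructor with the early return: exactly one code path owns the release. */
static void destructor_fixed(result_t *r)
{
    if (r->conn && r->conn->active_result_index) {
        finish_results(r);
        return;
    }
    free_result(r);
}

/* Runs one destructor on a fresh result that still has rows pending (the
 * state left by sybase_unbuffered_query() after a single fetch) and returns
 * how many times free_result() ran.  1 is correct; 2 is a double free. */
int count_frees(void (*dtor)(result_t *))
{
    conn_t conn;
    result_t *r = malloc(sizeof *r);
    conn.active_result_index = 1;
    conn.cmd = &conn;
    r->conn = &conn;
    r->rows = malloc(64);
    strcpy(r->rows, "2-Oct-2004 18:42:50");  /* constructed sample row */
    frees_seen = 0;
    dtor(r);
    return frees_seen;
}

int main(void)
{
    printf("buggy destructor: %d free(s)\n", count_frees(destructor_buggy));
    printf("fixed destructor: %d free(s)\n", count_frees(destructor_fixed));
    return 0;
}
```

The counter stands in for what an allocator with double-free detection (or a debug build under a memory checker) would report; the point of the fixed variant is that a single owner releases the result on every path, which is the property to check whenever a "finish" routine and a destructor both touch the same allocation.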

 [2004-10-03 20:21 UTC] dfleury2 at libertysurf dot fr
(gdb) bt
#0  0x080e2890 in _free_sybase_result (result=0x81cb89c)
    at /home/david/Documents/php-4.3.9/ext/sybase_ct/php_sybase_ct.c:128
#1  0x080e2acc in php_free_sybase_result (rsrc=0x81b86f4)
    at /home/david/Documents/php-4.3.9/ext/sybase_ct/php_sybase_ct.c:161
#2  0x0812cfa0 in list_entry_destructor (ptr=0x81b86f4)
    at /home/david/Documents/php-4.3.9/Zend/zend_list.c:177
#3  0x0812add1 in zend_hash_del_key_or_index (ht=0x8177ce8, arKey=0x0, nKeyLength=0, h=5, flag=1)
    at /home/david/Documents/php-4.3.9/Zend/zend_hash.c:527
#4  0x0812cc92 in _zend_list_delete (id=5) at /home/david/Documents/php-4.3.9/Zend/zend_list.c:56
#5  0x08123a95 in _zval_dtor (zvalue=0x81c6a2c, 
    __zend_filename=0x8163dc4 "/home/david/Documents/php-4.3.9/Zend/zend_execute_API.c", 
    __zend_lineno=291) at /home/david/Documents/php-4.3.9/Zend/zend_variables.c:69
#6  0x0811a9eb in _zval_ptr_dtor (zval_ptr=0xbfffcad0, 
    __zend_filename=0x814dd58 "/home/david/Documents/php-4.3.9/ext/sybase_ct/php_sybase_ct.c", 
    __zend_lineno=1426) at /home/david/Documents/php-4.3.9/Zend/zend_execute_API.c:291
#7  0x080e6ffd in php_sybase_query (ht=1, return_value=0x81c69ec, this_ptr=0x0, return_value_used=1, 
    buffered=1) at /home/david/Documents/php-4.3.9/ext/sybase_ct/php_sybase_ct.c:1426
#8  0x080e74f7 in zif_sybase_unbuffered_query (ht=1, return_value=0x81c69ec, this_ptr=0x0, 
    return_value_used=1) at /home/david/Documents/php-4.3.9/ext/sybase_ct/php_sybase_ct.c:1634
#9  0x08137694 in execute (op_array=0x81c3b84)
    at /home/david/Documents/php-4.3.9/Zend/zend_execute.c:1640
#10 0x08125735 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/david/Documents/php-4.3.9/Zend/zend.c:891
#11 0x080ef2c6 in php_execute_script (primary_file=0xbffff240)
    at /home/david/Documents/php-4.3.9/main/main.c:1735
#12 0x0813d2fa in main (argc=2, argv=0xbffff304)
    at /home/david/Documents/php-4.3.9/sapi/cli/php_cli.c:822
 [2005-02-03 21:11 UTC] dfleury2 at libertysurf dot fr
The problem is still here. (php_sybase_ct.c didn't move)

A free avoids the core, but the array is corrupted for the second fetch.

<?php
    $db     = sybase_connect( 'LOCALHOST', 'sa', '' );
 
    $query  = sybase_unbuffered_query( 'select getdate()' );
    $array  = sybase_fetch_array( $query );
    var_dump( $array );
    sybase_free_result( $query );
 
    $query  = sybase_unbuffered_query( 'select getdate(), getdate()' );
    while( $array  = sybase_fetch_array( $query ) )
        var_dump( $array );
//    sybase_free_result( $query );
?>
 [2005-02-06 15:35 UTC] thekid@php.net
Sorry, I cannot reproduce this, neither with apache / mod_php4 nor with cli-php. Maybe this is because I'm using FreeTDS (and not the ct-libs?)

I added a test case to the PHP test system (http://cvs.php.net/co.php/php-src/ext/sybase_ct/tests/bug30312.phpt)

which worked fine for me.

I can see a possible double-free in the source code. Maybe you could try the following patch:

http://sitten-polizei.de/bug30312.patch
 [2005-02-07 22:01 UTC] dfleury2 at libertysurf dot fr

 [2006-05-02 16:36 UTC] dfleury2 at libertysurf dot fr
The bugs are still here in the 5.1.3 release.
 [2007-01-19 19:40 UTC] lobster2 at xs4all dot nl
The use of sybase_query instead of sybase_unbuffered_query solved the core dumps in my case (PHP 4.4.0 & 5.2.0 CLI with Sybase 12.5.3 on AIX 5.2).

I used the sybase_unbuffered_query calls with the third parameter = false. The second sql query call in the script would crash the process every time, surviving only the first fetch on the result set.
 [2008-11-08 14:08 UTC] thekid@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Looks as if a double-free caused this problem. Tests from ext/sybase_ct/tests now all work.

Fixed in PHP_5_3 branch, PHP_5_2 will follow.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 12:02:07 2014 UTC