Bug #35293 PDO segfaults when using persistent connections
Submitted: 2005-11-19 15:40 UTC Modified: 2005-11-19 17:42 UTC
From: joh at deworks dot net Assigned: wez
Status: Closed Package: PDO related
PHP Version: 5CVS-2005-11-19 (snap) OS: Linux
Private report: No CVE-ID:
 [2005-11-19 15:40 UTC] joh at deworks dot net
Description:
------------
PDO segfaults on any pdo_stmt_instantiate when using persistent connections.

Reproduce code:
---------------
<?php
// DSN and credentials are elided in the original report; fill in for the mysql or pgsql driver
$dsn = '...';
$user = '...';
$pass = '...';
// a persistent connection is what triggers the crash
$options = array(PDO::ATTR_PERSISTENT => true);
$db = new PDO($dsn, $user, $pass, $options);
$sql = 'SELECT * FROM some_table';
// query() goes through pdo_stmt_instantiate, which segfaults on the persistent handle
$result = $db->query($sql);
echo "Query OK";
?>

Expected result:
----------------
Query OK

Actual result:
--------------
Segmentation fault

GDB backtrace:
#0  _object_and_properties_init (arg=0x8599b0c, class_type=0x0, properties=0x0,
    tsrm_ls=0x8439018) at /shared/src/php/php5-200511191330/Zend/zend_API.c:818
#1  0x0829ba79 in _object_init_ex (arg=0x8599b0c, class_type=0x0,
    tsrm_ls=0x8439018) at /shared/src/php/php5-200511191330/Zend/zend_API.c:843
#2  0x081316c0 in pdo_stmt_instantiate (dbh=0x8599c08, object=0x8599b0c, dbstmt_ce=Variable "dbstmt_ce" is not available.

) at /shared/src/php/php5-200511191330/ext/pdo/pdo_dbh.c:418
#3  0x08133d11 in zif_PDO_query (ht=1, return_value=0x8599b0c,
    return_value_ptr=0x0, this_ptr=0x8599a84, return_value_used=1,
    tsrm_ls=0x8439018) at /shared/src/php/php5-200511191330/ext/pdo/pdo_dbh.c:971
#4  0x082be00e in zend_do_fcall_common_helper_SPEC (execute_data=0xbfdfd24c,
    tsrm_ls=0x8439018) at zend_vm_execute.h:188
#5  0x082bd5fa in execute (op_array=0x8595184, tsrm_ls=0x8439018)
    at zend_vm_execute.h:88
#6  0x0829893e in zend_execute_scripts (type=8, tsrm_ls=0x8439018, retval=Variable "retval" is not available.
)
    at /shared/src/php/php5-200511191330/Zend/zend.c:1090
#7  0x0825af0a in php_execute_script (primary_file=0xbfdff64c, tsrm_ls=0x8439018)
    at /shared/src/php/php5-200511191330/main/main.c:1704
#8  0x08332867 in main (argc=2, argv=0xbfdff734)
    at /shared/src/php/php5-200511191330/sapi/cli/php_cli.c:1039

It seems that the dbh returned by zend_object_store_get_object(getThis() TSRMLS_CC); does not contain a valid def_stmt_ce when using persistent connections. _object_and_properties_init then segfaults when being passed a null-pointer as the class_type argument.

My guess is an error in the dbh_constructor function, though I'm not sure as I don't know the inner details of PHP/PDO. If the connection is persistent, dbh_constructor allocates a brand new pdo_dbh_t (pdbh) structure without pointing pdbh->def_stmt_ce to the one pointed to by the old dbh (dbh).

Hope you can figure this out :)
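The failure mode described in the report, modelled as a small added example in C that is not PHP's own code: a constructed stand-in for the relevant fields of pdo_dbh_t, a `promote_to_persistent()` function that mirrors the constructor branch copying fields from the request handle into a freshly allocated persistent handle, and a `stmt_instantiate()` that refuses a NULL class entry instead of passing it on (the real object_init_ex dereferences it and crashes). The struct, field set and function names are assumptions for illustration; only `ce`, `def_stmt_ce`, `def_stmt_ctor_args` and `properties` come from the report and patch.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the fields of pdo_dbh_t that matter here (not the real struct). */
typedef struct { const char *name; } class_entry;

typedef struct {
    class_entry *ce;                 /* class of the PDO object itself */
    class_entry *def_stmt_ce;        /* class instantiated for each statement */
    void        *def_stmt_ctor_args; /* ctor args for that statement class */
    void        *properties;
    int          is_persistent;
} dbh_t;

static class_entry pdo_ce      = { "PDO" };
static class_entry pdo_stmt_ce = { "PDOStatement" };

/* The non-persistent handle as the constructor sets it up before the persistent branch. */
static dbh_t make_request_handle(void) {
    dbh_t dbh = {0};
    dbh.ce = &pdo_ce;
    dbh.def_stmt_ce = &pdo_stmt_ce;
    dbh.properties = (void *)"props";
    return dbh;
}

/* Mirrors dbh_constructor: allocate a fresh pdbh and copy the request handle's
 * fields over before the old handle is freed. copy_stmt_fields == 0 reproduces
 * the reported bug (def_stmt_ce stays NULL); 1 is the committed fix. */
static dbh_t *promote_to_persistent(const dbh_t *dbh, int copy_stmt_fields) {
    dbh_t *pdbh = calloc(1, sizeof *pdbh);
    if (!pdbh) return NULL;
    pdbh->is_persistent = 1;
    pdbh->ce = dbh->ce;
    if (copy_stmt_fields) {
        pdbh->def_stmt_ce = dbh->def_stmt_ce;
        pdbh->def_stmt_ctor_args = dbh->def_stmt_ctor_args;
    }
    pdbh->properties = dbh->properties;
    return pdbh;
}

/* Model of pdo_stmt_instantiate: returns the statement class name, or NULL
 * with a diagnostic instead of dereferencing a NULL class entry. */
static const char *stmt_instantiate(const dbh_t *dbh) {
    class_entry *ce = dbh->def_stmt_ce;
    if (ce == NULL) {
        fprintf(stderr, "stmt_instantiate: def_stmt_ce is NULL on %s handle\n",
                dbh->is_persistent ? "persistent" : "non-persistent");
        return NULL;
    }
    return ce->name;
}

/* Returns 1 if query() on the promoted handle would reach "Query OK", 0 if it would crash. */
static int query_ok(int copy_stmt_fields) {
    dbh_t dbh = make_request_handle();
    dbh_t *pdbh = promote_to_persistent(&dbh, copy_stmt_fields);
    int ok = pdbh != NULL && stmt_instantiate(pdbh) != NULL;
    free(pdbh);
    return ok;
}

int main(void) {
    printf("buggy copy: %s\n", query_ok(0) ? "Query OK" : "would segfault");
    printf("fixed copy: %s\n", query_ok(1) ? "Query OK" : "would segfault");
    return 0;
}
```

The NULL check in `stmt_instantiate()` is the defensive counterpart to the fix: the copy in the constructor is the real repair, but a handle whose statement class was never set should fail with a diagnostic rather than a crash in the engine.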

 [2005-11-19 15:45 UTC] joh at deworks dot net
Forgot to mention I get these results when using the mysql and the pgsql drivers.
 [2005-11-19 16:44 UTC] tony2001@php.net
Wez, you forgot to copy def_stmt_ce and def_stmt_ctor_args:

Index: ext/pdo/pdo_dbh.c
===================================================================
RCS file: /repository/php-src/ext/pdo/pdo_dbh.c,v
retrieving revision 1.82.2.13
diff -u -p -d -r1.82.2.13 pdo_dbh.c
--- ext/pdo/pdo_dbh.c   27 Oct 2005 03:51:23 -0000      1.82.2.13
+++ ext/pdo/pdo_dbh.c   19 Nov 2005 15:44:15 -0000
@@ -341,6 +341,8 @@ static PHP_METHOD(PDO, dbh_constructor)
                if (pdbh) {
                        /* let's copy the emalloc bits over from the other handle */
                        pdbh->ce = dbh->ce;
+                       pdbh->def_stmt_ce = dbh->def_stmt_ce;
+                       pdbh->def_stmt_ctor_args = dbh->def_stmt_ctor_args;
                        pdbh->properties = dbh->properties;
                        /* kill the non-persistent thingamy */
                        efree(dbh);
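Review bot: the two added assignments are the right fix, but the surrounding pattern of hand-copying individual fields from `dbh` into `pdbh` just before `efree(dbh)` is exactly what let `def_stmt_ce` be missed, so a regression test should accompany this hunk: a script that opens a handle with `PDO::ATTR_PERSISTENT => true` and calls `query()`, as in the report, would turn the next forgotten field into a test failure instead of a segfault in `pdo_stmt_instantiate`.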

 [2005-11-19 17:42 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 10:02:06 2014 UTC