Bug #35604 pgsql crash when repeatedly using the same named parameter in a query
Submitted: 2005-12-08 19:08 UTC Modified: 2006-10-04 01:00 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: smlerman at gmail dot com Assigned: wez (profile)
Status: No Feedback Package: PDO related
PHP Version: 5CVS-2005-12-09 (snap) OS: Linux
Private report: No CVE-ID: None
 [2005-12-08 19:08 UTC] smlerman at gmail dot com
Description:
------------
PHP crashes on the following code. Changing the second named marker from :foo1 to :foo2 fixes the crash, which made me think it had to do with duplicate names. However, removing the where clause (leaving both name markers :foo1) also eliminates the crash, though the statement gets an error code of "HY093" (no full message).

Reproduce code:
---------------
<?php
$db = new PDO("pgsql:host=localhost dbname=name user=user password=password");
// :foo1 appears twice in the statement; :foo2 is bound below but is not used in it
$stmt = $db->prepare("UPDATE test SET foo1 = :foo1, foo2 = :foo1 WHERE foo1 = :id");
// bindParam binds by reference, so the variables can be assigned afterwards
$stmt->bindParam(':foo1', $foo1);
$stmt->bindParam(':foo2', $foo2);
$stmt->bindParam(':id', $id);
$foo1 = "foo";
$foo2 = "foo";
$id = "foo";
var_dump($stmt->errorInfo());
$stmt->execute();
?>

Expected result:
----------------
An error message of some kind if duplicate names aren't allowed, but certainly not a memory dump.

Actual result:
--------------
*** glibc detected *** php: free(): invalid next size (fast): 0x09980018 ***
Followed by a backtrace and memory dump

 [2005-12-08 19:16 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.1-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.1-win32-latest.zip


 [2005-12-09 17:53 UTC] smlerman at gmail dot com
Tried the same code on my Linux box at home (Fedora Core 2, first test server I believe is Fedora 4), and it just gives a segmentation fault instead. Tried the php5.1-200512091530 snapshot, and I get the same results.
 [2005-12-09 18:03 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2005-12-09 22:56 UTC] smlerman at gmail dot com
Here's the backtrace.

(gdb) bt
#0  0x00556716 in free () from /lib/tls/libc.so.6
#1  0x082184cd in shutdown_memory_manager (silent=0, full_shutdown=0)
    at /root/php/php5.1-200512091530/Zend/zend_alloc.c:512
#2  0x081f903f in php_request_shutdown (dummy=0x0) at /root/php/php5.1-200512091530/main/main.c:1303
#3  0x08280e1f in main (argc=2, argv=0xbfe192e4) at /root/php/php5.1-200512091530/sapi/cli/php_cli.c:1142
(gdb)
 [2005-12-12 10:30 UTC] sniper@php.net
What was the configure line you used?
 [2005-12-12 12:33 UTC] smlerman at gmail dot com
./configure --prefix=/usr/local/php5 --with-pgsql=/usr/local/pgsql/ --with-mysql=/usr/local/mysql/ --with-pdo --with-pdo-pgsql --with-pdo-mysql --with-gd --with-jpeg-dir=/usr/local/lib --with-zlib-dir=/usr/local/zlib --with-png-dir=/usr/local/libpng --with-apxs2=/usr/local/apache/bin/apxs --enable-debug
 [2005-12-12 13:23 UTC] sniper@php.net
What awk do you have? And what version? gawk, mawk or awk?

 [2005-12-12 14:26 UTC] tony2001@php.net
==19435== Invalid write of size 4
==19435==    at 0x80B5654: pgsql_stmt_param_hook (pgsql_statement.c:278)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)
==19435==  Address 0x1BD907B8 is 0 bytes after a block of size 8 alloc'd
==19435==    at 0x1B901B95: calloc (vg_replace_malloc.c:279)
==19435==    by 0x80B52AD: pgsql_stmt_param_hook (pgsql_statement.c:222)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)
==19435==
==19435== Invalid write of size 4
==19435==    at 0x80B5672: pgsql_stmt_param_hook (pgsql_statement.c:279)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)
==19435==  Address 0x1BD907F0 is 0 bytes after a block of size 8 alloc'd
==19435==    at 0x1B901B95: calloc (vg_replace_malloc.c:279)
==19435==    by 0x80B52CF: pgsql_stmt_param_hook (pgsql_statement.c:225)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)
==19435==
==19435== Invalid write of size 4
==19435==    at 0x80B5687: pgsql_stmt_param_hook (pgsql_statement.c:280)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)
==19435==  Address 0x1BD90828 is 0 bytes after a block of size 8 alloc'd
==19435==    at 0x1B901B95: calloc (vg_replace_malloc.c:279)
==19435==    by 0x80B52F1: pgsql_stmt_param_hook (pgsql_statement.c:228)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)
==19435==
==19435== Invalid write of size 4
==19435==    at 0x80B56E0: pgsql_stmt_param_hook (pgsql_statement.c:287)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)
==19435==  Address 0x1BD90860 is 0 bytes after a block of size 8 alloc'd
==19435==    at 0x1B901B95: calloc (vg_replace_malloc.c:279)
==19435==    by 0x80B5313: pgsql_stmt_param_hook (pgsql_statement.c:231)
==19435==    by 0x80AD15B: dispatch_param_event (pdo_stmt.c:149)
==19435==    by 0x80AD9F7: zif_PDOStatement_execute (pdo_stmt.c:422)
==19435==    by 0x81A5B6C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:192)
==19435==    by 0x81A6064: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:314)
==19435==    by 0x81A5832: execute (zend_vm_execute.h:92)
==19435==    by 0x818A69D: zend_execute_scripts (zend.c:1101)
==19435==    by 0x8149B57: php_execute_script (main.c:1720)
==19435==    by 0x81EA7A1: main (php_cli.c:1077)

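As an added illustration (not PDO's code and not posted in this report), here is a constructed model of the sizing mistake the valgrind trace points at: four calloc'd blocks of 8 bytes (two 4-byte pointer slots each on this 32-bit build) each receive a third 4-byte write, which matches arrays sized by the two distinct names in the reporter's query but written once per its three placeholder occurrences. That correspondence is an inference from the trace, not something the page states; the scanner below assumes plain `:name` markers and ignores quoted strings and PostgreSQL `::` casts.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not PDO's pgsql_statement.c. Counts ':name' markers in
 * sql, storing the number of distinct names in *distinct (16 tracked). */
static int scan_placeholders(const char *sql, int *distinct)
{
    const char *names[16];
    size_t lens[16];
    int occ = 0, nd = 0;
    for (const char *p = sql; *p; p++) {
        if (*p != ':' || !isalpha((unsigned char)p[1]))
            continue;                        /* not a named marker */
        const char *start = p + 1, *end = start;
        while (isalnum((unsigned char)*end) || *end == '_')
            end++;
        size_t len = (size_t)(end - start);
        int seen = 0;
        for (int i = 0; i < nd && !seen; i++)
            seen = (lens[i] == len && memcmp(names[i], start, len) == 0);
        if (!seen && nd < 16) { names[nd] = start; lens[nd++] = len; }
        occ++;
        p = end - 1;                         /* loop's p++ resumes after the name */
    }
    *distinct = nd;
    return occ;
}

/* Vulnerable sizing as inferred from the trace: one 4-byte slot per distinct
 * name, one write per occurrence. The bug's query gets a 2-slot (8-byte) array
 * written three times; the third write is valgrind's "0 bytes after a block of
 * size 8". Returns how many writes would land past the end (none performed). */
static int overflow_count(const char *sql)
{
    int distinct, occ = scan_placeholders(sql, &distinct);
    return occ > distinct ? occ - distinct : 0;
}

/* Hardened variant: reject repeated names before allocating (the error the
 * reporter expected instead of a crash) and size by occurrences so every
 * position has a slot. Returns slot count or -1; slots == NULL only validates. */
static int prepare_param_slots(const char *sql, char ***slots)
{
    int distinct, occ = scan_placeholders(sql, &distinct);
    if (occ != distinct) return -1;          /* duplicate named parameter */
    if (slots && !(*slots = calloc((size_t)occ, sizeof **slots)))
        return -1;
    return occ;
}
```
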
 [2005-12-12 14:40 UTC] smlerman at gmail dot com
# awk --version
GNU Awk 3.1.3
Copyright (C) 1989, 1991-2003 Free Software Foundation.
 [2005-12-22 14:50 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.1-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.1-win32-latest.zip


 [2005-12-22 16:51 UTC] smlerman at gmail dot com
Still get a segmentation fault with the 2005-12-22-1330 snapshot.
 [2006-05-14 14:41 UTC] merlin at l0cal dot net
Problem still exists with PHP 5.1.4...
 [2006-09-26 22:48 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

This should be fixed in recent snaps.
 [2006-10-04 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
Last updated: Thu Mar 28 17:01:29 2024 UTC