Bug #38168 PDO Exception Causes PHP Crash
Submitted: 2006-07-20 21:35 UTC Modified: 2006-08-01 16:37 UTC
Votes:4
Avg. Score:4.8 ± 0.4
Reproduced:4 of 4 (100.0%)
Same Version:4 (100.0%)
Same OS:3 (75.0%)
From: php at unfit dot org Assigned:
Status: Closed Package: PDO related
PHP Version: 5.1.4 OS: Gentoo Linux
Private report: No CVE-ID:
 [2006-07-20 21:35 UTC] php at unfit dot org
Description:
------------
Core dump on PDO error.

The PDO error code, if checked before execute(), is 'HY093'.

Reproduce code:
---------------
<?php
  //use actual database, user and password where applicable
  $dbh = new PDO('pgsql:host=127.0.0.1;dbname=foo', 'foo', 'foo');

  $query = $dbh->prepare('INSERT INTO table (varA, varB, varC) VALUES ( :varA, :varB, :varC );');

  $query->bindValue(':foo', 'foo');
  $query->bindValue(':varC', 'foo');
  
  $err = $query->errorCode();
  echo "$err\n";

  echo "you will see this.\n"; flush();
  $query->execute();
  
  /*
    CRASH POINT

    You will see only output that has been flushed.

    If running on the command line you will also see something like this:

    *** glibc detected *** malloc(): memory corruption: 0x16987018 ***
    Aborted (core dumped)

  */

  echo "you won't see this.\n"; flush();
?>

Expected result:
----------------
HY093
you will see this.
you won't see this.

Actual result:
--------------
HY093
you will see this.
*** glibc detected *** malloc(): memory corruption: 0x16987018 ***
Aborted (core dumped)

 [2006-07-23 07:11 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2006-07-23 17:42 UTC] php at unfit dot org
I tried the php version from cvs and it seems to fix the test I provided.  However, if I remove '$err = $query->errorCode();' from the test case, it will core dump again, though the execution still appears to complete.
 [2006-07-24 16:10 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2006-07-24 16:20 UTC] php at unfit dot org
Wish I could help more, but I just recompiled php with debug enabled and PHP crashes on '$dbh = new PDO(...)'.  I don't see any symbols in the backtrace.  If I have more time later I will play with it some more.
 [2006-07-24 16:40 UTC] tony2001@php.net
==21175== Invalid write of size 4
==21175==    at 0x80C50D3: pgsql_stmt_param_hook (pgsql_statement.c:305)
==21175==    by 0x80BBD07: dispatch_param_event (pdo_stmt.c:149)
==21175==    by 0x80BC690: zim_PDOStatement_execute (pdo_stmt.c:447)
==21175==    by 0x81B79C1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==21175==    by 0x81B7F0D: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==21175==    by 0x81B75D4: execute (zend_vm_execute.h:92)
==21175==    by 0x819A09A: zend_execute_scripts (zend.c:1095)
==21175==    by 0x8153984: php_execute_script (main.c:1759)
==21175==    by 0x81FEA23: main (php_cli.c:1097)
==21175==  Address 0x4D96418 is 4 bytes after a block of size 4 alloc'd
==21175==    at 0x401C451: malloc (vg_replace_malloc.c:149)
==21175==    by 0x81807AD: _emalloc (zend_alloc.c:1577)
==21175==    by 0x8180A93: _ecalloc (zend_alloc.c:1675)
==21175==    by 0x80C4CE2: pgsql_stmt_param_hook (pgsql_statement.c:249)
==21175==    by 0x80BBD07: dispatch_param_event (pdo_stmt.c:149)
==21175==    by 0x80BC690: zim_PDOStatement_execute (pdo_stmt.c:447)
==21175==    by 0x81B79C1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==21175==    by 0x81B7F0D: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==21175==    by 0x81B75D4: execute (zend_vm_execute.h:92)
==21175==    by 0x819A09A: zend_execute_scripts (zend.c:1095)
==21175==    by 0x8153984: php_execute_script (main.c:1759)
==21175==    by 0x81FEA23: main (php_cli.c:1097)
==21175==
==21175== Invalid write of size 4
==21175==    at 0x80C50F1: pgsql_stmt_param_hook (pgsql_statement.c:306)
==21175==    by 0x80BBD07: dispatch_param_event (pdo_stmt.c:149)
==21175==    by 0x80BC690: zim_PDOStatement_execute (pdo_stmt.c:447)
==21175==    by 0x81B79C1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==21175==    by 0x81B7F0D: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==21175==    by 0x81B75D4: execute (zend_vm_execute.h:92)
==21175==    by 0x819A09A: zend_execute_scripts (zend.c:1095)
==21175==    by 0x8153984: php_execute_script (main.c:1759)
==21175==    by 0x81FEA23: main (php_cli.c:1097)
==21175==  Address 0x4D96450 is 4 bytes after a block of size 4 alloc'd
==21175==    at 0x401C451: malloc (vg_replace_malloc.c:149)
==21175==    by 0x81807AD: _emalloc (zend_alloc.c:1577)
==21175==    by 0x8180A93: _ecalloc (zend_alloc.c:1675)
==21175==    by 0x80C4D12: pgsql_stmt_param_hook (pgsql_statement.c:252)
==21175==    by 0x80BBD07: dispatch_param_event (pdo_stmt.c:149)
==21175==    by 0x80BC690: zim_PDOStatement_execute (pdo_stmt.c:447)
==21175==    by 0x81B79C1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==21175==    by 0x81B7F0D: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==21175==    by 0x81B75D4: execute (zend_vm_execute.h:92)
==21175==    by 0x819A09A: zend_execute_scripts (zend.c:1095)
==21175==    by 0x8153984: php_execute_script (main.c:1759)
==21175==    by 0x81FEA23: main (php_cli.c:1097)
==21175==
==21175== Invalid write of size 4
==21175==    at 0x80C5106: pgsql_stmt_param_hook (pgsql_statement.c:307)
==21175==    by 0x80BBD07: dispatch_param_event (pdo_stmt.c:149)
==21175==    by 0x80BC690: zim_PDOStatement_execute (pdo_stmt.c:447)
==21175==    by 0x81B79C1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==21175==    by 0x81B7F0D: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==21175==    by 0x81B75D4: execute (zend_vm_execute.h:92)
==21175==    by 0x819A09A: zend_execute_scripts (zend.c:1095)
==21175==    by 0x8153984: php_execute_script (main.c:1759)
==21175==    by 0x81FEA23: main (php_cli.c:1097)
==21175==  Address 0x4D96488 is 4 bytes after a block of size 4 alloc'd
==21175==    at 0x401C451: malloc (vg_replace_malloc.c:149)
==21175==    by 0x81807AD: _emalloc (zend_alloc.c:1577)
==21175==    by 0x8180A93: _ecalloc (zend_alloc.c:1675)
==21175==    by 0x80C4D42: pgsql_stmt_param_hook (pgsql_statement.c:255)
==21175==    by 0x80BBD07: dispatch_param_event (pdo_stmt.c:149)
==21175==    by 0x80BC690: zim_PDOStatement_execute (pdo_stmt.c:447)
==21175==    by 0x81B79C1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==21175==    by 0x81B7F0D: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==21175==    by 0x81B75D4: execute (zend_vm_execute.h:92)
==21175==    by 0x819A09A: zend_execute_scripts (zend.c:1095)
==21175==    by 0x8153984: php_execute_script (main.c:1759)
==21175==    by 0x81FEA23: main (php_cli.c:1097)
==21175==
==21175== Invalid write of size 4
==21175==    at 0x80C515F: pgsql_stmt_param_hook (pgsql_statement.c:314)
==21175==    by 0x80BBD07: dispatch_param_event (pdo_stmt.c:149)
==21175==    by 0x80BC690: zim_PDOStatement_execute (pdo_stmt.c:447)
==21175==    by 0x81B79C1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==21175==    by 0x81B7F0D: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==21175==    by 0x81B75D4: execute (zend_vm_execute.h:92)
==21175==    by 0x819A09A: zend_execute_scripts (zend.c:1095)
==21175==    by 0x8153984: php_execute_script (main.c:1759)
==21175==    by 0x81FEA23: main (php_cli.c:1097)
==21175==  Address 0x4D964C0 is 4 bytes after a block of size 4 alloc'd
==21175==    at 0x401C451: malloc (vg_replace_malloc.c:149)
==21175==    by 0x81807AD: _emalloc (zend_alloc.c:1577)
==21175==    by 0x8180A93: _ecalloc (zend_alloc.c:1675)
==21175==    by 0x80C4D72: pgsql_stmt_param_hook (pgsql_statement.c:258)
==21175==    by 0x80BBD07: dispatch_param_event (pdo_stmt.c:149)
==21175==    by 0x80BC690: zim_PDOStatement_execute (pdo_stmt.c:447)
==21175==    by 0x81B79C1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==21175==    by 0x81B7F0D: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==21175==    by 0x81B75D4: execute (zend_vm_execute.h:92)
==21175==    by 0x819A09A: zend_execute_scripts (zend.c:1095)
==21175==    by 0x8153984: php_execute_script (main.c:1759)
==21175==    by 0x81FEA23: main (php_cli.c:1097)
you won't see this.
==21175==
==21175== Invalid free() / delete / delete[]
==21175==    at 0x401CF78: free (vg_replace_malloc.c:235)
==21175==    by 0x4ADF51B: free_mem (in /lib/tls/libc.so.6)
==21175==    by 0x4ADEFA1: __libc_freeres (in /lib/tls/libc.so.6)
==21175==    by 0x401835E: _vgw_freeres (vg_preloaded.c:62)
==21175==    by 0x4A72C43: _Exit (in /lib/tls/libc.so.6)
==21175==    by 0x81FF0FF: main (php_cli.c:1263)
==21175==  Address 0x4C26620 is not stack'd, malloc'd or (recently) free'd
==21175==
==21175== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 43 from 1)
==21175== malloc/free: in use at exit: 20 bytes in 2 blocks.
==21175== malloc/free: 5,850 allocs, 5,849 frees, 481,868 bytes allocated.
==21175== For counts of detected errors, rerun with: -v
==21175== searching for pointers to 2 not-freed blocks.
==21175== checked 868,748 bytes.
==21175==
==21175==
==21175== 4 bytes in 1 blocks are indirectly lost in loss record 1 of 2
==21175==    at 0x401C451: malloc (vg_replace_malloc.c:149)
==21175==    by 0x81807AD: _emalloc (zend_alloc.c:1577)
==21175==    by 0x8180B47: _estrndup (zend_alloc.c:1701)
==21175==    by 0x81983A7: _zval_copy_ctor_func (zend_variables.c:120)
==21175==    by 0x81FB0E0: _zval_copy_ctor (zend_variables.h:45)
==21175==    by 0x81BAC38: ZEND_SEND_VAL_SPEC_CONST_HANDLER (zend_vm_execute.h:1771)
==21175==    by 0x81B75D4: execute (zend_vm_execute.h:92)
==21175==    by 0x819A09A: zend_execute_scripts (zend.c:1095)
==21175==    by 0x8153984: php_execute_script (main.c:1759)
==21175==    by 0x81FEA23: main (php_cli.c:1097)
==21175==
==21175==
==21175== 20 (16 direct, 4 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 2
==21175==    at 0x401C451: malloc (vg_replace_malloc.c:149)
==21175==    by 0x81807AD: _emalloc (zend_alloc.c:1577)
==21175==    by 0x81BABF0: ZEND_SEND_VAL_SPEC_CONST_HANDLER (zend_vm_execute.h:1768)
==21175==    by 0x81B75D4: execute (zend_vm_execute.h:92)
==21175==    by 0x819A09A: zend_execute_scripts (zend.c:1095)
==21175==    by 0x8153984: php_execute_script (main.c:1759)
==21175==    by 0x81FEA23: main (php_cli.c:1097)
==21175==
==21175== LEAK SUMMARY:
==21175==    definitely lost: 16 bytes in 1 blocks.
==21175==    indirectly lost: 4 bytes in 1 blocks.
==21175==      possibly lost: 0 bytes in 0 blocks.
==21175==    still reachable: 0 bytes in 0 blocks.
==21175==         suppressed: 0 bytes in 0 blocks.
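
Editor's note: the C program below is an added illustration, not code from this report or from the PDO pgsql driver, of the bug class the valgrind output above points at. Each "Invalid write of size 4" lands 4 bytes past a 4-byte block that pgsql_stmt_param_hook allocated a few lines earlier (pgsql_statement.c:249-258 versus 305-314), i.e. a per-parameter array sized for one entry being written at index 1, after the script bound a name (`:foo`) that does not occur in the statement. The toy statement here sizes its slot array from the placeholders actually found in the SQL text, and its bind refuses any name that does not resolve, returning the HY093 state the reporter saw, so the slot write can never leave the block. The struct, the simplified placeholder scanner and every function name are assumptions made for the illustration; the constructed SQL mirrors the reporter's statement shape.

```c
/*
 * Added illustration (not PDO's real pdo_stmt_t or pgsql driver code):
 * per-placeholder slots sized from the SQL text, with bind() validating
 * the name before it writes, so an unknown ":foo" cannot index past the
 * block. Assumed names: stmt_t, scan_placeholders, placeholder_index,
 * bind_value_checked, unbound_count.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PLACEHOLDERS 16
#define NAME_LEN 32

typedef struct {
    char names[MAX_PLACEHOLDERS][NAME_LEN]; /* ":varA", ":varB", ... in SQL order */
    int nplaceholders;
    const char **values;  /* exactly nplaceholders slots holding bound values */
} stmt_t;

/* Collect ":identifier" placeholders from the SQL text and allocate one
 * slot per placeholder. Simplified scanner: it ignores quoted strings and
 * PostgreSQL "::type" casts, which a real driver must handle. */
static int scan_placeholders(stmt_t *st, const char *sql)
{
    st->nplaceholders = 0;
    st->values = NULL;
    for (const char *p = sql; *p != '\0'; p++) {
        if (*p != ':' || !(isalpha((unsigned char)p[1]) || p[1] == '_'))
            continue;
        const char *start = p++;
        while (isalnum((unsigned char)*p) || *p == '_')
            p++;
        size_t len = (size_t)(p - start);
        if (st->nplaceholders >= MAX_PLACEHOLDERS || len >= NAME_LEN)
            return -1;
        memcpy(st->names[st->nplaceholders], start, len);
        st->names[st->nplaceholders][len] = '\0';
        st->nplaceholders++;
        p--;  /* the for-loop increment steps past the last identifier char */
    }
    if (st->nplaceholders == 0)
        return 0;
    st->values = calloc((size_t)st->nplaceholders, sizeof *st->values);
    return st->values ? 0 : -1;
}

/* Map a bound name to its slot; -1 when the statement has no such placeholder. */
static int placeholder_index(const stmt_t *st, const char *name)
{
    for (int i = 0; i < st->nplaceholders; i++)
        if (strcmp(st->names[i], name) == 0)
            return i;
    return -1;
}

/* Hardened bind: the name must resolve to a real placeholder, so the slot
 * write is always inside the nplaceholders-sized block. sqlstate receives
 * "HY093" (invalid parameter number) on refusal, "00000" on success. */
static int bind_value_checked(stmt_t *st, const char *name, const char *value,
                              char sqlstate[6])
{
    int idx = placeholder_index(st, name);
    if (idx < 0) {
        memcpy(sqlstate, "HY093", 6);
        return -1;
    }
    st->values[idx] = value;
    memcpy(sqlstate, "00000", 6);
    return 0;
}

/* Placeholders still unbound; an execute() should refuse while this is > 0. */
static int unbound_count(const stmt_t *st)
{
    int n = 0;
    for (int i = 0; i < st->nplaceholders; i++)
        if (st->values[i] == NULL)
            n++;
    return n;
}

int main(void)
{
    stmt_t st;
    char sqlstate[6];
    /* Constructed input mirroring the reporter's statement shape. */
    const char *sql =
        "INSERT INTO t (varA, varB, varC) VALUES ( :varA, :varB, :varC );";
    if (scan_placeholders(&st, sql) != 0)
        return 1;
    printf("placeholders: %d\n", st.nplaceholders);
    bind_value_checked(&st, ":foo", "foo", sqlstate);   /* refused: HY093 */
    printf("bind :foo  -> %s\n", sqlstate);
    bind_value_checked(&st, ":varC", "foo", sqlstate);  /* accepted: 00000 */
    printf("bind :varC -> %s\n", sqlstate);
    printf("unbound before execute: %d\n", unbound_count(&st));
    free(st.values);
    return 0;
}
```

The difference from the behaviour in the report is where the check happens: here the bogus name is rejected at bind time and never reaches the per-parameter arrays, whereas in the affected build the bind was accepted, errorCode() reported HY093, and the out-of-bounds write only happened inside execute(). On a build without the fix, the PHP-side equivalent of this guard is to check the return value of each bindValue() call (it returns false when the parameter is not accepted) and to refuse to call execute() after a failed bind.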

 [2006-08-01 16:37 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 09:02:29 2014 UTC