Bug #40639 DBLIB driver segfaults on repeated prepared select statements
Submitted: 2007-02-26 12:52 UTC Modified: 2009-05-03 01:00 UTC
Votes:10
Avg. Score:4.1 ± 1.0
Reproduced:7 of 8 (87.5%)
Same Version:0 (0.0%)
Same OS:3 (42.9%)
From: spheroid@php.net Assigned: fmk (profile)
Status: No Feedback Package: PDO related
PHP Version: 5CVS-2007-02-26 (CVS) OS: Mac OS X 10.4.8
Private report: No CVE-ID: None

 [2007-02-26 12:52 UTC] spheroid@php.net
Description:
------------
The DBLIB PDO driver seems to crash when the first execution of a
repeated prepared statement won't actually return any rows. If
the first execution does return rows, it works fine.

Reproduce code:
---------------
<?php
// Placeholder connection details as given in the report.
$pdo = new PDO('dblib:host=hostname;dbname=dbname', 'user', 'pass');
// Matches no row when :value is '0' and one row when it is '1'.
$query = "SELECT 'foo' WHERE '1' = :value";
$stmt = $pdo->prepare($query);

// First execution returns no rows, second returns one row.
$values = array('0', '1');

foreach ($values as $value) {
    $stmt->bindValue(':value', $value);
    $stmt->execute();
    while ($stmt->fetch() !== false); // drain the result set
    $stmt->closeCursor();
}

Expected result:
----------------
Nothing.

Actual result:
--------------
(gdb) run dblib2.php
Starting program: /usr/local/bin/php dblib2.php
Reading symbols for shared libraries .+++..+++++..++++.. done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x000faf43 in do_fetch (stmt=0x172a624, do_bind=0, return_value=0x172a944, how=PDO_FETCH_USE_DEFAULT, ori=PDO_FETCH_ORI_NEXT, offset=0, return_all=0x0) at /usr/local/src/PHP_5_2/ext/pdo/pdo_stmt.c:1026
1026                                            add_assoc_zval(return_value, stmt->columns[i].name, val);
 [2007-02-26 13:00 UTC] tony2001@php.net
Type in gdb after the segfault:
p stmt
p *stmt
p i
p stmt->columns[i]

and post the results here.
 [2007-02-26 13:51 UTC] spheroid@php.net
(gdb) p stmt
$1 = (pdo_stmt_t *) 0x172a624
(gdb) p *stmt
$2 = {
  ce = 0x24a0180, 
  properties = 0x172a6e8, 
  in_get = 0, 
  in_set = 0, 
  methods = 0x557bc0, 
  driver_data = 0x172a768, 
  executed = 1, 
  supports_placeholders = 0, 
  _reserved = 0, 
  column_count = 1, 
  columns = 0x172a95c, 
  database_object_handle = {
    value = {
      lval = 1, 
      dval = 5.5997329951816251e-307, 
      str = {
        val = 0x1 <Address 0x1 out of bounds>, 
        len = 5843616
      }, 
      ht = 0x1, 
      obj = {
        handle = 1, 
        handlers = 0x592aa0
      }
    }, 
    refcount = 2, 
    type = 5 '\005', 
    is_ref = 0 '\0'
  }, 
  dbh = 0x172a3a0, 
  bound_params = 0x172ad34, 
  bound_param_map = 0x0, 
  bound_columns = 0x0, 
  row_count = -1, 
  query_string = 0x172a740 "SELECT 'foo' WHERE '1' = :value", 
  query_stringlen = 31, 
  active_query_string = 0x0, 
  active_query_stringlen = 28, 
  error_code = "00000", 
  lazy_object_ref = {
    value = {
      lval = 0, 
      dval = 0, 
      str = {
        val = 0x0, 
        len = 0
      }, 
      ht = 0x0, 
      obj = {
        handle = 0, 
        handlers = 0x0
      }
    }, 
    refcount = 0, 
    type = 0 '\0', 
    is_ref = 0 '\0'
  }, 
  refcount = 1, 
  default_fetch_type = PDO_FETCH_BOTH, 
  fetch = {
    column = 0, 
    cls = {
      ce = 0x0, 
      ctor_args = 0x0, 
      retval_ptr = 0x0, 
      fci = {
        size = 0, 
        function_table = 0x0, 
        function_name = 0x0, 
        symbol_table = 0x0, 
        retval_ptr_ptr = 0x0, 
        param_count = 0, 
        params = 0x0, 
        object_pp = 0x0, 
        no_separation = 0 '\0'
      }, 
      fcc = {
        initialized = 0 '\0', 
        function_handler = 0x0, 
        calling_scope = 0x0, 
        object_pp = 0x0
      }
    }, 
    func = {
      function = 0x0, 
      fetch_args = 0x0, 
      object = 0x0, 
      fci = {
        size = 0, 
        function_table = 0x0, 
        function_name = 0x0, 
        symbol_table = 0x0, 
        retval_ptr_ptr = 0x0, 
        param_count = 0, 
        params = 0x0, 
        object_pp = 0x0, 
        no_separation = 0 '\0'
      }, 
      fcc = {
        initialized = 0 '\0', 
        function_handler = 0x0, 
        calling_scope = 0x0, 
        object_pp = 0x0
      }, 
      values = 0x0
    }, 
    into = 0x0
  }, 
  named_rewrite_template = 0x0
}
(gdb) p i
$3 = 0
(gdb) p stmt->columns[i]
$4 = {
  name = 0x0, 
  namelen = 6648949, 
  maxlen = 25, 
  param_type = 17, 
  precision = 47, 
  dbdo_data = 0x172adf4
}
 [2007-02-26 14:01 UTC] spheroid@php.net
Also, check out this one; I'm not sure whether this is the
expected behaviour, but the colno seems to change value:

Breakpoint 1, fetch_value (stmt=0x172a624, dest=0x172a984, colno=0, type_override=0x0) at /usr/local/src/PHP_5_2/ext/pdo/pdo_stmt.c:500
500             char *value = NULL;
(gdb) step
501             unsigned long value_len = 0;
(gdb) step
502             int caller_frees = 0;
(gdb) step
506             type = PDO_PARAM_TYPE(col->param_type);
(gdb) step
507             new_type =  type_override ? PDO_PARAM_TYPE(*type_override) : type;
(gdb) step
509             value = NULL;
(gdb) step
510             value_len = 0;
(gdb) step
512             stmt->methods->get_col(stmt, colno, &value, &value_len, &caller_frees TSRMLS_CC);
(gdb) print colno
$5 = 0
(gdb) step
pdo_dblib_stmt_get_col (stmt=0x172a624, colno=0, ptr=0xbffff05c, len=0xbffff058, caller_frees=0xbffff054) at /usr/local/src/PHP_5_2/ext/pdo_dblib/dblib_stmt.c:255
255             pdo_dblib_stmt *S = (pdo_dblib_stmt*)stmt->driver_data;
(gdb) finish
Run till exit from #0  pdo_dblib_stmt_get_col (stmt=0x172a624, colno=0, ptr=0xbffff05c, len=0xbffff058, caller_frees=0xbffff054) at /usr/local/src/PHP_5_2/ext/pdo_dblib/dblib_stmt.c:255
fetch_value (stmt=0x172a624, dest=0x172a984, colno=24291756, type_override=0x0) at /usr/local/src/PHP_5_2/ext/pdo/pdo_stmt.c:514
514             switch (type) {
Value returned is $6 = 1
(gdb) print colno
$7 = 24291756
 [2007-02-27 13:22 UTC] tony2001@php.net
Frank, could you take a look at it?
 [2009-04-25 14:43 UTC] jani@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz

For Windows:

  http://windows.php.net/snapshots/

 [2009-05-03 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2013-02-21 03:50 UTC] aero2sing at hotmail dot com
Thanks for the posting. I have experienced the same issue and was trying to find
the cause for the past three days. I am using PHP 5.3.3.3 on Linux, and my
program was working totally fine, until recently someone inserted a new record
which made the first execution of a select statement return an empty row. And this
broke the whole part. Now thanks to your posting, I know where the problem was.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC