|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #57549 segfault in Instant Client
Submitted: 2007-02-26 13:19 UTC Modified: 2007-08-17 04:42 UTC
From: ulf dot moeller at secardeo dot com Assigned:
Status: Closed Package: oci8 (PECL)
PHP Version: 4.4.4 OS: Solaris 5.8
Private report: No CVE-ID: None
 [2007-02-26 13:19 UTC] ulf dot moeller at secardeo dot com
I am seeing segfaults in an Apache web server which I believe to be related to the OCI8 extension.

While a php script is being executed, the Instant Client repeatedly calls php_oci_lob_callback() which in turn uses _erealloc() to get additional memory. When the memory limit from php.ini (32M in this case) is exceeded, _erealloc() calls zend_error() from the macro CHECK_MEMORY_LIMIT in order to report a fatal error "Allowed memory size of 33554432 bytes exhausted".

Then _zend_bailout() is called and a longjmp to php_request_shutdown() is done. php_oci_lob_free() is called to free data.

At this point, in the PHP debug version the hash table consistency check fails and the webserver is shut down with ".../Zend/zend_hash.c(108) : Bailed out without a bailout address!" In the no-debug version, consistency is not checked and Instant Client crashes trying to free the data.

I do not know exactly where the table turns inconsistent.

Here is a backtrace:

(gdb) bt
#0  0xfd6af530 in kohfrr ()
   from xxx/instantclient_10_2/
#1  0xfd6b00f8 in kohfrw ()
   from xxx/instantclient_10_2/
#2  0xfd1c01e0 in kpufdesc ()
   from xxx/instantclient_10_2/
#3  0xfe1c72f0 in php_oci_lob_free ()
   from xxx/modules/
#4  0xfe1bfb48 in php_oci_descriptor_list_dtor ()
   from xxx/modules/
#5  0xfe32fcd8 in list_entry_destructor ()
   from xxx/modules/
#6  0xfe32d1b0 in zend_hash_apply_deleter ()
   from xxx/modules/
#7  0xfe32d49c in zend_hash_graceful_reverse_destroy ()
   from xxx/modules/
#8  0xfe32ff24 in zend_destroy_rsrc_list ()
   from xxx/modules/
#9  0xfe313ce8 in shutdown_executor ()
   from xxx/modules/
#10 0xfe324598 in zend_deactivate ()
   from xxx/modules/
#11 0xfe2ca650 in php_request_shutdown ()
   from xxx/modules/
#12 0xfe348ad0 in php_apache_request_dtor ()
   from xxx/modules/
#13 0xfe3494b8 in php_handler ()
   from xxx/modules/
#14 0x0006d89c in ap_run_handler ()
#15 0x0006e5b8 in ap_invoke_handler ()
#16 0x00050f58 in ap_process_request ()
#17 0x000473e8 in ap_process_http_connection ()
#18 0x000823a8 in ap_run_process_connection ()
#19 0x000829e0 in ap_process_connection ()
#20 0x0006aa90 in child_main ()
#21 0x0006ac20 in make_child ()
#22 0x0006ae0c in startup_children ()
#23 0x0006b658 in ap_mpm_run ()
#24 0x00077b80 in main ()


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2007-02-26 13:24 UTC] tony2001 at phpclub dot net
Please provide short but complete reproduce code.
 [2007-03-07 07:42 UTC] ulf dot moeller at secardeo dot com
Here is the script. The error occurs whenever a file read from the database is too large to fit within the memory limit. For example, we can reproduce the eror with a 1.5 meg file with memory_limit = 2M.

	$REAL_PATH = "/xxx/htdocs/";
	$REAL_URL = "";
include_once($REAL_PATH . "_phplib/_dblib.php");
$newstable = "NEWS"; // org: NEWS
$atttable = "ATTACHMENT"; // org: ATTACHMENT
$view = "ARTIKELS"; // org: ARTIKELS

$db = new oracleQuery($EEANEWS_USER,$EEANEWS_PASS,$PRODDB);

if($id != ""){
	$SQL = "SELECT typ from $atttable where id='$id'";
	$typus = $db->getResult();
	$typ = $typus["TYP"][0];

    header("Cache-Control: ");// leave blank to avoid IE errors
    header("Pragma: ");// leave blank to avoid IE errors
    //header(sprintf('Content-Type: %s', $file['FILETYPE']));
		case "PDF":
			header("Content-Type: application/pdf");
			$file_ext = 'document.pdf';
		case "DOC":
			header("Content-Type: application/msword");
			$file_ext = 'document.doc';
		case "XLS":
			header("Content-Type: application/msexcel");
			$file_ext = 'document.xls';
		case "PPT":
			header("Content-Type: application/");
			$file_ext = 'document.ppt';
		case "JPG":
			header("Content-Type: image/jpeg");
			$file_ext = 'bild.jpg';
		case "GIF":
			header("Content-Type: image/gif");
			$file_ext = 'bild.gif';
		case "BMP":
			header("Content-Type: image/bmp");
			$file_ext = 'bild.bmp';
		case "EXE":
			header("Content-Type: application/octet-stream");
			$file_ext = 'datei.exe';
		case "ZIP":
			header("Content-Type: application/zip");
			$file_ext = '';
			header("Content-Type: application/octet-stream");

    $SQL="SELECT data FROM $atttable WHERE id='$id'";

    header(sprintf('Content-Disposition: attachment; filename=%s',$file_ext));

        echo $result;
    } else {
} else {
function error(){
<body bgcolor="#FFFFFF">
<center><b><font face="Arial">
Der Anhang wurde nicht gefunden.
 [2007-03-07 07:47 UTC] tony2001 at phpclub dot net
I don't know such OCI8 method.
 [2007-03-07 08:36 UTC] tony2001 at phpclub dot net
Please don't forget to specify version of Instant Client and version of OCI8.

With OIC the only error I can see is "Warning: Unknown(): ORA-24909: call in progress. Current operation cancelled".
Oracle9 native client does segfault, but only with PHP4 (which you shouldn't be using anyway).
 [2007-03-08 03:11 UTC] ulf dot moeller at secardeo dot com
Oracle Instant Client is version, used with PHP 4.
 [2007-03-29 04:34 UTC] tony2001 at phpclub dot net
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on

In case this was a website problem, the change will show
up on the website in short time.
Thank you for the report, and for helping us make PECL better.

 [2007-08-16 19:10 UTC] wade dot ziegler at swgas dot com
It looks like this bug fix has not made it into the PHP 5.2.3 release.  I'm getting the same result so I have to downgrade back to PHP 4.
 [2007-08-17 04:42 UTC] tony at daylessday dot org
>It looks like this bug fix has not made it into the PHP 5.2.3 release. 
Of course it did.

>I'm getting the same result so I have to downgrade back to PHP 4.
Wha? PHP4 surely doesn't have this fix, OCI8 in PHP4 is unsupported for years.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Mon Mar 27 15:04:44 2023 UTC