Bug #58416 Segmentation fault in command-line PHP
Submitted: 2008-11-17 18:13 UTC Modified: 2010-04-19 03:06 UTC
From: james dot jones at firstinvestors dot com Assigned:
Status: Open Package: ibm_db2 (PECL)
PHP Version: 5.2.5 OS: Linux
Private report: No CVE-ID:
 [2008-11-17 18:13 UTC] james dot jones at firstinvestors dot com
Description:
------------
When running the code (in "Reproduce code" section below), I get a segmentation fault during cleanup (after the final echo).


Reproduce code:
---------------
<?php
// Reporter's script: connect, dump the resource, close it, then exit.
// The crash happens during interpreter shutdown, after the final echo.
echo "Connecting...\n";
$db = db2_connect('BOSS', 'bossweb', 'Htw2PsU2');
print_r($db);
echo "\nClosing...\n";
if (FALSE === db2_close($db)) {
	echo "Error while closing...";
}
echo "Closed.\n";
?>

Expected result:
----------------
Connecting...
Resource id #4
Closing...
Closed.


Actual result:
--------------
Connecting...
Resource id #4
Closing...
Closed.
Segmentation fault


 [2008-11-18 04:17 UTC] abhargav at in dot ibm dot com
Hi,

I want to know on which platform you are getting this SegV. I tried it on Ubuntu server and it is working fine. Please send the machine/OS/platform details.

Regards,
Ambrish Bhargava
 [2008-11-18 08:37 UTC] james dot jones at firstinvestors dot com
This is RHEL. uname -a returns:

Linux <omitted> 2.6.18-92.1.6.el5 #1 SMP Fri Jun 20 02:36:16 EDT 2008 i686

It's running as a VMWare image on a quad-core Intel box.
 [2009-03-10 17:18 UTC] abhargav at in dot ibm dot com
Hi,

Try the latest release.

Regards,
Ambrish Bhargava
 [2009-03-12 16:57 UTC] james dot jones at firstinvestors dot com
Installed ibm_db2 1.8.2, and I'm still getting the Seg fault.
 [2009-04-29 02:27 UTC] timothy dot j dot gustafson at gmail dot com
I am getting the same error on a FreeBSD 7.1 box even after updating to the latest port:

foo@bar$ php -v
PHP 5.2.9 (cli) (built: Apr  7 2009 16:56:45) 
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
Segmentation fault: 11

I get a segfault even when I run just the "-v" command.  Scripts return the same segfault:

foo@bar$ ~/scripts/check-replicator.php 
Segmentation fault: 11
 [2009-05-06 03:28 UTC] abhargav at in dot ibm dot com
Hi,

Can you try the following patch (against v1.8.2 of IBM_DB2) on the ibm_db2.c file and check for the SegV?

350,355d349
< 	/* Disconnect from DB. If stmt is allocated, it is freed automatically*/
< 	if ( handle->handle_active ) {
< 		rc = SQLDisconnect((SQLHDBC)handle->hdbc);
< 		rc = SQLFreeHandle(SQL_HANDLE_DBC, handle->hdbc);
< 		rc = SQLFreeHandle(SQL_HANDLE_ENV, handle->henv);
< 	}
356a351,356
> 		/* Disconnect from DB. If stmt is allocated, it is freed automatically*/
> 		if ( handle->handle_active ) {
> 			rc = SQLDisconnect((SQLHDBC)handle->hdbc);
> 			rc = SQLFreeHandle(SQL_HANDLE_DBC, handle->hdbc);
> 			rc = SQLFreeHandle(SQL_HANDLE_ENV, handle->henv);
> 		}
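Review bot: in the moved block (356a351,356) rc is assigned by SQLDisconnect and by both SQLFreeHandle calls but never inspected, so when SQLDisconnect fails the code goes on to free the DBC and ENV handles of a still-connected handle and nothing is reported; check rc after SQLDisconnect and route failures through _php_db2_check_sql_errors the way the db2_close hunk further down does. Moving the block inside the `if ( handle != NULL )` test itself is right, since the old code read handle->handle_active before the NULL check.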
604,605d603
< 	le_conn_struct = zend_register_list_destructors_ex( _php_db2_free_conn_struct, NULL, DB2_CONN_NAME, module_number);
< 	le_pconn_struct = zend_register_list_destructors_ex(NULL, _php_db2_free_pconn_struct, DB2_PCONN_NAME, module_number);
606a605,606
> 	le_conn_struct = zend_register_list_destructors_ex( _php_db2_free_conn_struct, NULL, DB2_CONN_NAME, module_number);
> 	le_pconn_struct = zend_register_list_destructors_ex(NULL, _php_db2_free_pconn_struct, DB2_PCONN_NAME, module_number);	
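Review bot: the only effect of moving these two zend_register_list_destructors_ex calls past line 606 (presumably the le_stmt_struct registration) is the numeric resource type id each gets. At request shutdown the Zend engine destroys the regular resource list in reverse creation order, not in registration order, so this reordering does not by itself make statement resources go away before their connection. If that ordering is the goal, state it in a comment and enforce it in the destructor; otherwise drop this hunk as a no-op.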
2535a2536,2541
> 				RETURN_FALSE;
> 			}
> 
> 			rc = SQLFreeHandle( SQL_HANDLE_ENV, conn_res->henv);
> 			if ( rc == SQL_ERROR ) {
> 				_php_db2_check_sql_errors(conn_res->henv, SQL_HANDLE_DENV, rc, 1, NULL, -1, 1 TSRMLS_CC);
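Review bot: `SQL_HANDLE_DENV` on the last line is not a CLI handle type (the call two lines above uses SQL_HANDLE_ENV), so this hunk does not compile as posted. It also stops inside the `if ( rc == SQL_ERROR )` block, so the rest of it, including whatever clears conn_res->handle_active after the ENV handle is released, cannot be reviewed; please post the complete hunk.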

Regards,
Ambrish Bhargava
 [2009-05-06 06:11 UTC] abhargav at in dot ibm dot com
Hi,

There is a small correction to the patch. Please take the following patch to verify:

350,355d349
< 	/* Disconnect from DB. If stmt is allocated, it is freed automatically*/
< 	if ( handle->handle_active ) {
< 		rc = SQLDisconnect((SQLHDBC)handle->hdbc);
< 		rc = SQLFreeHandle(SQL_HANDLE_DBC, handle->hdbc);
< 		rc = SQLFreeHandle(SQL_HANDLE_ENV, handle->henv);
< 	}
356a351,356
> 		/* Disconnect from DB. If stmt is allocated, it is freed automatically*/
> 		if ( handle->handle_active ) {
> 			rc = SQLDisconnect((SQLHDBC)handle->hdbc);
> 			rc = SQLFreeHandle(SQL_HANDLE_DBC, handle->hdbc);
> 			rc = SQLFreeHandle(SQL_HANDLE_ENV, handle->henv);
> 		}
499,500d498
< 	rc = SQLFreeHandle( SQL_HANDLE_STMT, handle->hstmt);
< 
501a500
> 		rc = SQLFreeHandle( SQL_HANDLE_STMT, handle->hstmt);
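Review bot: moving SQLFreeHandle( SQL_HANDLE_STMT, ...) under the `if ( handle )` test fixes a plain NULL dereference (the old code read handle->hstmt before checking handle), but rc is still discarded; at minimum report an SQL_ERROR here, otherwise a statement handle that fails to free disappears silently.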
604,605d602
< 	le_conn_struct = zend_register_list_destructors_ex( _php_db2_free_conn_struct, NULL, DB2_CONN_NAME, module_number);
< 	le_pconn_struct = zend_register_list_destructors_ex(NULL, _php_db2_free_pconn_struct, DB2_PCONN_NAME, module_number);
606a604,605
> 	le_conn_struct = zend_register_list_destructors_ex( _php_db2_free_conn_struct, NULL, DB2_CONN_NAME, module_number);
> 	le_pconn_struct = zend_register_list_destructors_ex(NULL, _php_db2_free_pconn_struct, DB2_PCONN_NAME, module_number);	
2535a2535,2540
> 				RETURN_FALSE;
> 			}
> 
> 			rc = SQLFreeHandle( SQL_HANDLE_ENV, conn_res->henv);
> 			if ( rc == SQL_ERROR ) {
> 				_php_db2_check_sql_errors(conn_res->henv, SQL_HANDLE_ENV, rc, 1, NULL, -1, 1 TSRMLS_CC);
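Review bot: this adds a release of conn_res->henv in db2_close, while _php_db2_free_conn_struct (hunk 356a351,356 above) releases handle->henv again whenever handle_active is still set when the resource is destroyed. Nothing in the visible lines clears conn_res->handle_active after the ENV handle is freed, and the hunk is cut off before the end of the function, so a double release at shutdown cannot be ruled out; show the rest of the hunk, and make sure the flag is cleared on the success path so the destructor becomes a no-op for a closed connection.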

Regards,
Ambrish Bhargava
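The two patches above move the SQLDisconnect/SQLFreeHandle calls in the connection destructor and add an SQLFreeHandle(SQL_HANDLE_ENV) to db2_close, which raises one question: who owns the CLI handles once db2_close has run? The program below is an added example, not ibm_db2 code, that models only that ownership question. The conn_handle fields (henv, hdbc, handle_active) and the constant names mirror the ones visible in the patch; the driver is replaced by a constructed mock (mock_SQLFreeHandle) that counts repeated frees instead of corrupting memory, and the clear_flag parameter is an assumption introduced here to show both behaviours side by side.

```c
#include <stdio.h>
#include <stdlib.h>

/* Subset of the CLI constants used by the extension. */
enum { SQL_HANDLE_ENV = 1, SQL_HANDLE_DBC = 2 };
enum { SQL_SUCCESS = 0, SQL_ERROR = -1 };

/* Mock driver (constructed for this example): a handle is an index into a
 * "live" table, so freeing it twice is detected instead of being UB. */
#define MAX_HANDLES 16
static int handle_live[MAX_HANDLES];
static int double_free_count;

static int mock_alloc_handle(void)
{
    for (int i = 1; i < MAX_HANDLES; i++) {
        if (!handle_live[i]) { handle_live[i] = 1; return i; }
    }
    return 0;
}

static int mock_SQLFreeHandle(int type, int h)
{
    (void)type;
    if (h <= 0 || h >= MAX_HANDLES || !handle_live[h]) {
        double_free_count++;            /* already freed or never valid */
        return SQL_ERROR;
    }
    handle_live[h] = 0;
    return SQL_SUCCESS;
}

/* Same fields the ibm_db2 conn_handle shows in the patches: two CLI
 * handles and the handle_active ownership flag. */
typedef struct { int henv; int hdbc; int handle_active; } conn_handle;

conn_handle *conn_open(void)
{
    conn_handle *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    c->henv = mock_alloc_handle();
    c->hdbc = mock_alloc_handle();
    c->handle_active = 1;
    return c;
}

/* Explicit close, the db2_close() role. clear_flag selects whether the
 * ownership flag is dropped once the handles have been returned. */
int conn_close(conn_handle *c, int clear_flag)
{
    if (!c->handle_active) return SQL_ERROR;    /* already closed: refuse */
    int rc = mock_SQLFreeHandle(SQL_HANDLE_DBC, c->hdbc);
    if (rc == SQL_ERROR) return rc;
    rc = mock_SQLFreeHandle(SQL_HANDLE_ENV, c->henv);
    if (clear_flag) c->handle_active = 0;       /* destructor will now skip */
    return rc;
}

/* Resource-list destructor run at request shutdown. */
void conn_destructor(conn_handle *c)
{
    if (c == NULL) return;
    if (c->handle_active) {
        mock_SQLFreeHandle(SQL_HANDLE_DBC, c->hdbc);
        mock_SQLFreeHandle(SQL_HANDLE_ENV, c->henv);
    }
    free(c);
}

/* Replays the reporter's script: connect, db2_close(), then shutdown.
 * Returns the number of repeated frees the mock driver observed. */
int run_script(int clear_flag_on_close)
{
    for (int i = 0; i < MAX_HANDLES; i++) handle_live[i] = 0;
    double_free_count = 0;
    conn_handle *c = conn_open();
    if (c == NULL) return -1;
    conn_close(c, clear_flag_on_close);
    conn_destructor(c);
    return double_free_count;
}

int main(void)
{
    printf("close clears handle_active: %d repeated frees\n", run_script(1));
    printf("close keeps handle_active:  %d repeated frees\n", run_script(0));
    return 0;
}
```

With a real driver the second run is the case that crashes in the destructor rather than printing a count, which is why any release path reachable from both db2_close and the resource destructor has to leave the ownership flag in a state the other path honours.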
 [2009-05-11 10:47 UTC] james dot jones at firstinvestors dot com
I applied the patch and I'm still getting the segfault.
 [2009-05-13 05:28 UTC] abhargav at in dot ibm dot com
Hi,

I have added a few more checks and also a few print statements in the code (as the problem is not reproduced at my end). Please apply the following to v1.8.2 of the IBM_DB2 extension and send me back the output of the "Repro code" you provided. The patch is:

347,361c347,366
<       int rc;
<
<       conn_handle *handle = (conn_handle*) rsrc->ptr;
<       /* Disconnect from DB. If stmt is allocated, it is freed automatically*/
<       if ( handle->handle_active ) {
<               rc = SQLDisconnect((SQLHDBC)handle->hdbc);
<               rc = SQLFreeHandle(SQL_HANDLE_DBC, handle->hdbc);
<               rc = SQLFreeHandle(SQL_HANDLE_ENV, handle->henv);
<       }
<       if ( handle != NULL ) {
<               if ( handle->flag_pconnect ) {
<                       /* Important to use regular free, we don't want the handled collected by efree */
<                       pefree(handle, 1);
<               } else {
<                       efree(handle);
---
>       if(rsrc != NULL) {
>               int rc;
>               conn_handle *handle = (conn_handle*) rsrc->ptr;
>               if ( handle != NULL ) {
>                       printf("_php_db2_free_conn_struct\n");
>                       /* Disconnect from DB. If stmt is allocated, it is freed automatically*/
>                       if ( handle->handle_active ) {
>                               rc = SQLDisconnect((SQLHDBC)handle->hdbc);
>                               rc = SQLFreeHandle(SQL_HANDLE_DBC, handle->hdbc);
>                               rc = SQLFreeHandle(SQL_HANDLE_ENV, handle->henv);
>                               printf("CLI handles free\n");
>                       }
>                       if ( handle->flag_pconnect ) {
>                               /* Important to use regular free, we don't want the handled collected by efree */
>                               pefree(handle, 1);
>                       } else {
>                               efree(handle);
>                               handle = NULL;
>                               printf("Handle memory free\n");
>                       }
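Review bot: printf() from a resource destructor writes to the process's stdout, which in the CLI is interleaved with the script's own output and under Apache never reaches the response or the error log; use php_printf() or fprintf(stderr, ...) so the reporter actually sees the markers. The `handle = NULL;` after efree(handle) assigns to a local copy of rsrc->ptr and has no effect on the resource; either clear rsrc->ptr or drop the line.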
495,503c500,510
<       int rc;
<
<       stmt_handle *handle = (stmt_handle*) rsrc->ptr;
<
<       rc = SQLFreeHandle( SQL_HANDLE_STMT, handle->hstmt);
<
<       if ( handle ) {
<               _php_db2_free_result_struct(handle);
<               efree(handle);
---
>       if(rsrc != NULL) {
>               int rc;
>               stmt_handle *handle = (stmt_handle*) rsrc->ptr;
>
>               if ( handle != NULL ) {
>                       printf("_php_db2_free_stmt_struct\n");
>                       rc = SQLFreeHandle( SQL_HANDLE_STMT, handle->hstmt);
>                       _php_db2_free_result_struct(handle);
>                       efree(handle);
>                       handle = NULL;
>               }
590c597
<               instance_name = (char *)malloc(strlen(DB2_VAR_INSTANCE) + strlen(tmp_name) + 1);
---
>               instance_name = (char *)emalloc(strlen(DB2_VAR_INSTANCE) + strlen(tmp_name) + 1);
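Review bot: this swaps malloc() for emalloc() on instance_name, and 618c625 below swaps the matching free() for efree() in MSHUTDOWN. If that string is allocated at module init and lives for the life of the process, as the MSHUTDOWN free suggests, emalloc() is the wrong allocator: Zend MM memory is request-scoped and is released at the end of every request, so under a multi-request SAPI such as Apache _php_db2_instance_name would be dangling from the second request on, and efree() in MSHUTDOWN would release it a second time. Keep malloc()/free() or use pemalloc(..., 1)/pefree(..., 1); the single-request CLI case would not show the difference.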
604,606c611,613
<       le_conn_struct = zend_register_list_destructors_ex( _php_db2_free_conn_struct, NULL, DB2_CONN_NAME, module_number);
<       le_pconn_struct = zend_register_list_destructors_ex(NULL, _php_db2_free_pconn_struct, DB2_PCONN_NAME, module_number);
<       le_stmt_struct = zend_register_list_destructors_ex( _php_db2_free_stmt_struct, NULL, DB2_STMT_NAME, module_number);
---
>       le_stmt_struct = zend_register_list_destructors_ex(_php_db2_free_stmt_struct, NULL, DB2_STMT_NAME, module_number);
>       le_conn_struct = zend_register_list_destructors_ex(_php_db2_free_conn_struct, NULL, DB2_CONN_NAME, module_number);
>       le_pconn_struct = zend_register_list_destructors_ex(NULL,_php_db2_free_pconn_struct, DB2_PCONN_NAME, module_number);
618c625
<               free(_php_db2_instance_name);
---
>               efree(_php_db2_instance_name);
620a628
>       printf("PHP_MSHUTDOWN_FUNCTION\n");
2528a2537,2538
>                               SQLFreeHandle( SQL_HANDLE_DBC, conn_res->hdbc);
>                               SQLFreeHandle( SQL_HANDLE_ENV, conn_res->henv);
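Review bot: these two SQLFreeHandle calls discard their return value while the neighbouring code (2545, 2550) assigns and checks rc. Without context lines it is not visible which path this sits on; if it is the SQLDisconnect failure path, CLI rejects SQLFreeHandle(SQL_HANDLE_DBC) on a still-connected handle with a function sequence error (HY010), so both frees would fail silently and the handles would stay allocated. Capture rc and report through _php_db2_check_sql_errors.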
2534a2545
>                               rc = SQLFreeHandle( SQL_HANDLE_ENV, conn_res->henv);
2538a2550,2555
>                       rc = SQLFreeHandle( SQL_HANDLE_ENV, conn_res->henv);
>                       if ( rc == SQL_ERROR ) {
>                               _php_db2_check_sql_errors(conn_res->henv, SQL_HANDLE_ENV, rc, 1, NULL, -1, 1 TSRMLS_CC);
>                               RETURN_FALSE;
>                       }
>
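Review bot: with 2537, 2545 and this hunk, db2_close now contains three SQLFreeHandle( SQL_HANDLE_ENV, conn_res->henv) calls within fifteen lines; without context lines it is not possible to confirm they lie on mutually exclusive paths, and the connection destructor frees henv once more unless conn_res->handle_active is cleared (the `flag_pconnect = 1` change at 2559 is the only flag write visible). Post the function with context, or factor the release of both handles into one helper that also clears handle_active.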
2542c2559
<                       if (endpconnect) conn_res->flag_pconnect=1;
---
>                       if (endpconnect) conn_res->flag_pconnect = 1;
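Review bot: 2542c2559 only changes the spacing around `=`; leave whitespace-only edits out of a diagnostic patch so the reporter applies nothing unrelated to the problem.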

Regards,
Ambrish Bhargava
 [2009-09-25 15:35 UTC] brent dot halsey at huntington dot com
Hello, we are experiencing the same issues. We are running:

Module release: 1.8.2
Module revision: $Revision: 1.80 $
Binary data mode (ibm_db2.binmode): DB2_BINARY
DB2 instance name (ibm_db2.instance_name): db2inst1

PHP 5.3.0:
System: Linux pdlmole01 2.6.16.60-0.39.3-smp #1 SMP Mon May 11 11:46:34 UTC 2009 x86_64
Build Date: Sep 18 2009 08:15:38
Configure Command: './configure' '--prefix=/opt/asa/php/php5.3.0/' '--with-apxs2=/opt/asa/apache/bin/apxs' '--with-mysql=/usr/local/mysql' '--with-libxml-dir=/usr/local' '--with-IBM_DB2=/opt/IBM/db2/V8.1' '--with-pdo-odbc=ibm-db2,/home/db2inst1/sqllib'

I am running some code that worked on PHP 5.2.5 using:
Module release: 1.6.5
Module revision: $Revision: 1.74 $
Binary data mode (ibm_db2.binmode): DB2_BINARY
DB2 instance name (ibm_db2.instance_name): db2inst2

On that install I didn't compile it statically (also a different server, but the same code I'm trying to execute):
System: Linux pdlmid01 2.6.5-7.315-smp #1 SMP Wed Nov 26 13:03:18 UTC 2008 x86_64
Build Date: May 16 2008 10:41:20
Configure Command: './configure' '--prefix=/opt/www/php' '--with-mysql=/usr/local/mysql' '--with-apxs2=/opt/www/apache/bin/apxs' '--with-libxml-dir=/usr/local'


Any ideas why?  Let me know if you need any additional data.

Thanks!
 [2009-10-07 06:47 UTC] abhargav at in dot ibm dot com
Hi,

Did you get a similar issue when using PHP v5.2.5 and IBM_DB2 v1.8.2? And did you also try the patch attached to this mail (this patch is for v1.8.2 of IBM_DB2)?

Regards,
Ambrish Bhargava
 [2010-04-16 11:06 UTC] kontakt at beberlei dot de
I get segfaults too. I am on Ubuntu/Linux + self-compiled PHP 5.3.2 with IBM_DB2 1.8.4.

Is there any way I can offer more debug information than the segfault details per se?

I ran the PHPUnit test suite of the Doctrine project against my branch with an IBM DB2 driver on the console, and using an xdebug trace I find it happens in db2_execute().
 [2010-04-16 12:04 UTC] kontakt at beberlei dot de
OK, I did a gdb debugging session and got the following information regarding the segfault, I hope it helps:

Program received signal SIGSEGV, Segmentation fault.
0x08564373 in _zend_is_inconsistent (ht=0x0, file=0x8aa1b08 "/home/benny/downloads/php-5.3.2/Zend/zend_hash.c", 
    line=875) at /home/benny/downloads/php-5.3.2/Zend/zend_hash.c:53
53		if (ht->inconsistent==HT_OK) {

the backtrace is:

(gdb) bt
#0  0x08564373 in _zend_is_inconsistent (ht=0x0, file=0x8aa1b08 "/home/benny/downloads/php-5.3.2/Zend/zend_hash.c", 
    line=875) at /home/benny/downloads/php-5.3.2/Zend/zend_hash.c:53
#1  0x08566891 in zend_hash_find (ht=0x0, arKey=0xb6a8bb0 "variable", nKeyLength=9, pData=0xbfffcdbc)
    at /home/benny/downloads/php-5.3.2/Zend/zend_hash.c:875
#2  0x012e9e33 in _php_db2_execute_helper (stmt_res=0xb6957b0, data=0x0, bind_cmp_list=1, bind_params=0)
    at /home/whitewashing/downloads/ibm_db2-1.8.4/ibm_db2.c:3886
#3  0x012ea462 in zif_db2_execute (ht=1, return_value=0xb66c844, return_value_ptr=0x0, this_ptr=0x0, 
    return_value_used=1) at /home/whitewashing/downloads/ibm_db2-1.8.4/ibm_db2.c:4068
#4  0x085850ec in zend_do_fcall_common_helper_SPEC (execute_data=0x8ce976c)
    at /home/benny/downloads/php-5.3.2/Zend/zend_vm_execute.h:313
#5  0x085856a9 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x8ce976c)
    at /home/benny/downloads/php-5.3.2/Zend/zend_vm_execute.h:418
#6  0x08584789 in execute (op_array=0xa9b7154) at /home/benny/downloads/php-5.3.2/Zend/zend_vm_execute.h:104
#7  0x0854aa7a in zend_call_function (fci=0xbfffd10c, fci_cache=0xbfffd130)
    at /home/benny/downloads/php-5.3.2/Zend/zend_execute_API.c:947
#8  0x0832f87c in zim_reflection_method_invokeArgs (ht=2, return_value=0xb6866d8, return_value_ptr=0x0, 
    this_ptr=0xb62e12c, return_value_used=1) at /home/benny/downloads/php-5.3.2/ext/reflection/php_reflection.c:2738
#9  0x085850ec in zend_do_fcall_common_helper_SPEC (execute_data=0x8ce6de0)
    at /home/benny/downloads/php-5.3.2/Zend/zend_vm_execute.h:313
#10 0x085856a9 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x8ce6de0)
    at /home/benny/downloads/php-5.3.2/Zend/zend_vm_execute.h:418
#11 0x08584789 in execute (op_array=0x9c859e8) at /home/benny/downloads/php-5.3.2/Zend/zend_vm_execute.h:104
#12 0x0855831a in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/benny/downloads/php-5.3.2/Zend/zend.c:1194
#13 0x084ee9b2 in php_execute_script (primary_file=0xbffff5b4) at /home/benny/downloads/php-5.3.2/main/main.c:2260
#14 0x08615b2f in main (argc=5, argv=0xbffff744) at /home/benny/downloads/php-5.3.2/sapi/cli/php_cli.c:1192
 [2010-04-19 02:57 UTC] abhargav at in dot ibm dot com
Hi,

Thanks for the trace. I am not able to reproduce this problem at my end, hence I am sending you the patch. Please apply the following patch to the ibm_db2.c file (v1.8.4 of the IBM_DB2 extension) and let me know your feedback.

Here is the patch:
--- PATCH STARTS ---

3886,3899c3886,3906
<                       if ( zend_hash_find(EG(active_symbol_table), curr->varname,
<                               strlen(curr->varname)+1, (void **) &bind_data ) != FAILURE ) {
<                               rc = _php_db2_bind_data( stmt_res, curr, bind_data TSRMLS_CC);
<                               if ( rc == SQL_ERROR ) {
<                                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Binding Error 1");
<                                       return rc;
<                               }
<                               curr = curr->next;
<                       } else if ( zend_hash_find(&EG(symbol_table), curr->varname,
<                                               strlen(curr->varname)+1, (void **) &bind_data ) != FAILURE ) {
<                               rc = _php_db2_bind_data( stmt_res, curr, bind_data TSRMLS_CC);
<                               if ( rc == SQL_ERROR ) {
<                                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Binding Error 1");
<                                       return rc;
---
>                       if ( curr->varname != NULL) {
>                               if ( zend_hash_find(EG(active_symbol_table), curr->varname,
>                                                       strlen(curr->varname)+1, (void **) &bind_data ) != FAILURE ) {
>                                       rc = _php_db2_bind_data( stmt_res, curr, bind_data TSRMLS_CC);
>                                       if ( rc == SQL_ERROR ) {
>                                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Binding Error 1");
>                                               return rc;
>                                       }
>                                       curr = curr->next;
>                               } else if ( zend_hash_find(&EG(symbol_table), curr->varname,
>                                                       strlen(curr->varname)+1, (void **) &bind_data ) != FAILURE ) {
>                                       rc = _php_db2_bind_data( stmt_res, curr, bind_data TSRMLS_CC);
>                                       if ( rc == SQL_ERROR ) {
>                                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Binding Error 1");
>                                               return rc;
>                                       }
>                                       curr = curr->next;
>                               } else {
>                                       /* value not found in the active symbol table */
>                                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Value Not Bound");
>                                       return SQL_ERROR;
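Review bot: the guard added here does not match the crash. In the reporter's backtrace the failing call is zend_hash_find(ht=0x0, arKey="variable", ...), so curr->varname is a valid string and it is EG(active_symbol_table) that is NULL. In PHP 5.3 the engine builds a user function's symbol table lazily, so inside a function that never needed one (db2_execute called from a method, as in the Reflection frames of the trace) the pointer stays NULL until zend_rebuild_symbol_table(TSRMLS_C) is called; test for NULL and rebuild, or go straight to the &EG(symbol_table) branch, before the first zend_hash_find. The varname check does no harm but will not stop this SegV. The hunk also ends mid-block, so the else branch for varname == NULL is not visible.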
3901d3907
<                               curr = curr->next;

--- PATCH ENDS ---

Regards,
Ambrish Bhargava
 [2010-04-19 03:06 UTC] abhargav at in dot ibm dot com
Hi,

Here is my analysis: it looks like at ibm_db2.c:3886, curr->varname is NULL and hence the SegV is there.

Regards,
Ambrish Bhargava
 [2010-04-19 15:36 UTC] kontakt at beberlei dot de
Nope, that's not it, sorry. It fails for the same reason:

#0  0x0835d4e6 in zend_hash_find (ht=0x0, arKey=0xabac7f0 "variable", nKeyLength=9, pData=0xbfffa8c4)
    at /home/benny/downloads/php-5.3.2/Zend/zend_hash.c:880
#1  0x023f0149 in _php_db2_execute_helper (stmt_res=<value optimized out>, data=<value optimized out>, bind_cmp_list=1, bind_params=0)
    at /home/benny/code/c/php/ibm_db2/trunk/ibm_db2.c:3887
#2  0x023f0929 in zif_db2_execute (ht=1, return_value=0xab8d544, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /home/benny/code/c/php/ibm_db2/trunk/ibm_db2.c:4074
#3  0x0837230e in execute_internal (execute_data_ptr=0x8a54e80, return_value_used=1) at /home/benny/downloads/php-5.3.2/Zend/zend_execute.c:1260
#4  0x012eaafe in xdebug_execute_internal (current_execute_data=0x8a54e80, return_value_used=1) at /usr/local/zend/temp/xdebug/xdebug.c:1631
 [2010-04-20 02:43 UTC] kontakt at beberlei dot de
What happens if the variable given to db2_bind_param falls out of scope? Say I write an abstraction layer with:

public function bindParam($param, $value)
{
    db2_bind_param($this->_stmt, $param, "value", DB2_PARAM_IN);
}

I call it:

$stmt->bindParam(1, $value);
unset($value);
$stmt->execute();

It would be more than helpful if there were a way to pass a variable, not the name of a variable to db2_bind_param.
 [2010-04-20 14:12 UTC] kontakt at beberlei dot de
I don't know if that is even valid to do, but the following fixes it for me:

Index: ibm_db2.c
===================================================================
--- ibm_db2.c	(revision 298119)
+++ ibm_db2.c	(working copy)
@@ -3883,7 +3883,7 @@
 
 		while (curr != NULL ) {
 			/* Fetch data from symbol table */
-			if ( zend_hash_find(EG(active_symbol_table), curr->varname,
+			if ( zend_hash_find(@EG(active_symbol_table), curr->varname,
 				strlen(curr->varname)+1, (void **) &bind_data ) != FAILURE ) {
 				rc = _php_db2_bind_data( stmt_res, curr, bind_data TSRMLS_CC);
 				if ( rc == SQL_ERROR ) {
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 25 02:02:08 2014 UTC