Bug #60104 Segmentation Fault in pdo_sqlite when using sqliteCreateFunction()
Submitted: 2011-10-20 16:39 UTC Modified: 2011-11-08 10:11 UTC
From: patrickallaert@php.net Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: trunk-SVN-2011-10-20 (SVN) OS: Gentoo Linux
Private report: No CVE-ID:
 [2011-10-20 16:39 UTC] patrickallaert@php.net
Description:
------------
PHP 5.4 / trunk segfault while using phpunit.
It only happens with one specific test; however, it looks like that test's content
is not relevant at all, since emptying its content or putting a
"die" at the end of that test avoids the segfault. It must happen in the phpunit
code after the execution of that test.

Tested using trunk @rev 318251

See the backtrace which is more relevant.

Actual result:
--------------
(gdb) bt
#0  0x0000000000922721 in ZEND_SEND_VAL_SPEC_CONST_HANDLER (execute_data=0x7fcee7305910) at /home/patrick.allaert/Projets/php-src/Zend/zend_vm_execute.h:2361
#1  0x0000000000919b46 in execute (op_array=0x7fcee5293f78) at /home/patrick.allaert/Projets/php-src/Zend/zend_vm_execute.h:410
#2  0x00000000008dbb61 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/patrick.allaert/Projets/php-src/Zend/zend.c:1272
#3  0x0000000000852760 in php_execute_script (primary_file=0x7ffff390c1a0) at /home/patrick.allaert/Projets/php-src/main/main.c:2414
#4  0x0000000000a25095 in do_cli (argc=6, argv=0x7ffff390c548) at /home/patrick.allaert/Projets/php-src/sapi/cli/php_cli.c:983
#5  0x0000000000a25fad in main (argc=6, argv=0x7ffff390c548) at /home/patrick.allaert/Projets/php-src/sapi/cli/php_cli.c:1356

History

 [2011-10-20 23:55 UTC] felipe@php.net
Please, paste the test source at somewhere.
 [2011-10-20 23:55 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2011-10-21 07:30 UTC] patrickallaert@php.net
<?php
class SegfaultTest extends PHPUnit_Framework_TestCase
{
    protected $handler;

    // Runs before every test: opens a fresh in-memory SQLite connection and
    // registers a user-defined SQL function through the driver-specific
    // sqliteCreateFunction() method. ezcQuerySqliteFunctions::md5Impl comes
    // from eZ Components and is not defined in this file.
    public function setUp()
    {
        try
        {
            $this->handler = new PDO( "sqlite::memory:" );
            $this->handler->sqliteCreateFunction( 'md5', array( 'ezcQuerySqliteFunctions', 'md5Impl' ), 1 );
        }
        catch ( PDOException $e )
        {
            $this->markTestSkipped(
                'PDO session could not be created: ' . $e->getMessage()
            );
        }
    }

    // Runs after every test: destroys the connection so the next setUp()
    // creates and configures a brand-new PDO object.
    public function tearDown()
    {
        unset( $this->handler );
    }

    // Two empty tests are enough: setUp() runs twice, and the crash is
    // triggered on the second run.
    public function testOne()
    {
    }

    public function testTwo()
    {
    }
}
 [2011-10-21 10:15 UTC] patrickallaert@php.net
The segfault appears the second time it executes $this->handler->sqliteCreateFunction() in the setUp().

If unset() isn't used in tearDown(), then there is no crash.
 [2011-10-26 09:04 UTC] patrickallaert@php.net
-Summary: Segmentation Fault +Summary: Segmentation Fault in pdo_sqlite when using sqliteCreateFunction()
 [2011-10-26 09:32 UTC] patrickallaert@php.net
Automatic comment from SVN on behalf of patrickallaert
Revision: http://svn.php.net/viewvc/?view=revision&revision=318424
Log: Added test for #60104
 [2011-10-26 09:34 UTC] patrickallaert@php.net
I have been able to reproduce it without PHPUnit.
I committed ext/pdo_sqlite/tests/bug60104.phpt to make it easier.
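For readers without PHPUnit, the following is an added, PHPUnit-free version of the sequence the report describes. It is example code written for this page, not the committed ext/pdo_sqlite/tests/bug60104.phpt and not code from the reporter. Each loop iteration mirrors one setUp()/tearDown() pair: open an in-memory SQLite connection, register a user-defined SQL function through sqliteCreateFunction() (a method PDO attaches to the driver at runtime), use it once, then unset the handle. PHP's built-in md5() stands in for ezcQuerySqliteFunctions::md5Impl, which belongs to eZ Components and is assumed unavailable here; the function name run_iterations is this example's own.

```php
<?php
// Added example: reproduces the setUp()/tearDown() pattern from the report
// without PHPUnit. On an affected build the report states the crash happened
// on the second sqliteCreateFunction() call, after the first handle was unset;
// on a fixed build every iteration completes and the script prints "done".

function run_iterations(int $count): array
{
    $results = [];
    for ($i = 0; $i < $count; $i++) {
        // Equivalent of setUp(): new connection, new driver method table.
        $db = new PDO('sqlite::memory:');
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        // Register the SQL function md5(x) backed by PHP's built-in md5()
        // (stand-in for ezcQuerySqliteFunctions::md5Impl, one argument).
        $db->sqliteCreateFunction('md5', 'md5', 1);

        // Actually call the function once so the registration is exercised.
        $results[] = $db->query("SELECT md5('abc')")->fetchColumn();

        // Equivalent of tearDown(): drop the connection before the next
        // iteration registers the method again on a fresh object.
        unset($db);
    }
    return $results;
}

$out = run_iterations(2);

// Both connections must have produced the same, correct digest.
if (count($out) === 2 && $out[0] === md5('abc') && $out[1] === md5('abc')) {
    echo "done\n";
} else {
    echo "unexpected results\n";
    var_dump($out);
}
```

Two iterations are the minimum that exercises the path the report identifies: the first registers the method on one object, the second registers it again on a different object after the first has been destroyed. Running it with at least two iterations under a debug build or valgrind is the quickest way to confirm whether a given PHP build carries the fix.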
 [2011-11-02 18:26 UTC] patrickallaert@php.net
-Status: Feedback +Status: Open
 [2011-11-04 19:13 UTC] patrickallaert@php.net
Automatic comment from SVN on behalf of patrickallaert
Revision: http://svn.php.net/viewvc/?view=revision&revision=318784
Log: Added test for #60104
 [2011-11-04 19:51 UTC] tony2001@php.net
Dmitry, could you take a look at it?
Looks like something is wrong with that caching thingie in the executor.. 

(gdb) f 0
#0  ZEND_INIT_METHOD_CALL_SPEC_CV_CONST_HANDLER (execute_data=0x7ffff7f9d1c0) at /local/qa/5_4_valgrind/Zend/zend_vm_execute.h:28949
28949           if ((EX(fbc)->common.fn_flags & ZEND_ACC_STATIC) != 0) {
(gdb) p *execute_data.fbc 
$10 = {type = 90 'Z', common = {type = 90 'Z', function_name = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, scope = 0x5a5a5a5a5a5a5a5a, 
    fn_flags = 1515870810, prototype = 0x5a5a5a5a5a5a5a5a, num_args = 1515870810, required_num_args = 1515870810, arg_info = 0x5a5a5a5a5a5a5a5a}, 
  op_array = {type = 90 'Z', function_name = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, scope = 0x5a5a5a5a5a5a5a5a, 
    fn_flags = 1515870810, prototype = 0x5a5a5a5a5a5a5a5a, num_args = 1515870810, required_num_args = 1515870810, arg_info = 0x5a5a5a5a5a5a5a5a, 
    refcount = 0x5a5a5a5a5a5a5a5a, opcodes = 0x5a5a5a5a5a5a5a5a, last = 1515870810, vars = 0x5a5a5a5a5a5a5a5a, last_var = 1515870810, T = 1515870810, 
    brk_cont_array = 0x5a5a5a5a5a5a5a5a, last_brk_cont = 1515870810, try_catch_array = 0x5a5a5a5a5a5a5a5a, last_try_catch = 1515870810, 
    static_variables = 0x5a5a5a5a5a5a5a5a, this_var = 1515870810, filename = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, 
    line_start = 1515870810, line_end = 1515870810, doc_comment = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, 
    doc_comment_len = 1515870810, early_binding = 1515870810, literals = 0x5a5a5a5a5a5a5a5a, last_literal = 1515870810, 
    run_time_cache = 0x5a5a5a5a5a5a5a5a, last_cache_slot = 1515870810, reserved = {0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 
      0x5a5a5a5a5a5a5a5a}}, internal_function = {type = 90 'Z', function_name = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, 
    scope = 0x5a5a5a5a5a5a5a5a, fn_flags = 1515870810, prototype = 0x5a5a5a5a5a5a5a5a, num_args = 1515870810, required_num_args = 1515870810, 
    arg_info = 0x5a5a5a5a5a5a5a5a, handler = 0x5a5a5a5a5a5a5a5a, module = 0x5a5a5a5a5a5a5a5a}}
 [2011-11-04 19:51 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2011-11-08 07:19 UTC] dmitry@php.net
I would say that the problem is in the "magic" PDO extension design. It creates and destroys method tables at runtime. See pdo_hash_methods() in pdo_dbh.c. As a result, ZE can't cache bindings for such methods.

The problem may be solved in a few ways.
1) Fix PDO
2) Introduce an additional fn_flag that disables method caching
3) Disable method caching for classes with a custom get_method handler

I think (2) is the simplest solution that won't cause performance degradation. A PDO fix would make it faster and reduce memory usage, but it's a much more serious task. I just don't have time to do it myself.
 [2011-11-08 10:00 UTC] patrickallaert@php.net
If 2) is implemented right now, could 1) be made for a minor version of 5.4 without breaking the ABI?
 [2011-11-08 10:11 UTC] dmitry@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=318907
Log: Fixed bug #60104 (Segmentation Fault in pdo_sqlite when using sqliteCreateFunction())
 [2011-11-08 10:11 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2011-11-08 10:11 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:47 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e86830273b4fb86a69cdb634a603be8a04e83846
Log: Fixed bug #60104 (Segmentation Fault in pdo_sqlite when using sqliteCreateFunction())
 [2012-07-24 23:39 UTC] rasmus@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e86830273b4fb86a69cdb634a603be8a04e83846
Log: Fixed bug #60104 (Segmentation Fault in pdo_sqlite when using sqliteCreateFunction())
 [2013-11-17 09:35 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e86830273b4fb86a69cdb634a603be8a04e83846
Log: Fixed bug #60104 (Segmentation Fault in pdo_sqlite when using sqliteCreateFunction())
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 03:02:42 2014 UTC