Bug #66470 PHP crash (php segmentation fault)
Submitted: 2014-01-12 09:10 UTC Modified: 2014-12-30 10:42 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: os at irj dot ru Assigned:
Status: No Feedback Package: MySQL related
PHP Version: 5.5.8 OS: Linux Debian Sid x64
Private report: No CVE-ID: None
 [2014-01-12 09:10 UTC] os at irj dot ru
Description:
------------
Hello.

PHP crashed on Debian Sid x64.
This error occurred on some pages.
You can download full core dump file: https://www.dropbox.com/s/azy1r6e725w21v0/core.php5-cgi.11199

root@home:/var/log/dumps# dpkg -l | grep php5
ii  php5-cgi                              5.5.8+dfsg-1                   amd64   server-side, HTML-embedded scripting language (CGI binary)
ii  php5-cli                              5.5.8+dfsg-1                   amd64        command-line interpreter for the php5 scripting language
ii  php5-common                           5.5.8+dfsg-1                   amd64        Common files for packages built from the php5 source
ii  php5-curl                             5.5.8+dfsg-1                   amd64        CURL module for php5
ii  php5-dbg                              5.5.8+dfsg-1                   amd64        Debug symbols for PHP5
ii  php5-dev                              5.5.8+dfsg-1                   amd64        Files for PHP5 module development
ii  php5-gd                               5.5.8+dfsg-1                   amd64        GD module for php5
ii  php5-json                             1.3.2-2                        amd64        JSON module for php5
ii  php5-mcrypt                           5.5.8+dfsg-1                   amd64        MCrypt module for php5
ii  php5-mysqlnd                          5.5.8+dfsg-1                   amd64        MySQL module for php5 (Native Driver)

root@home:/var/log/dumps# gdb /usr/bin/php5-cgi core.php5-cgi.11199 
GNU gdb (GDB) 7.6.1 (Debian 7.6.1-1)
...
(gdb) bt
#0  _zend_mm_alloc_int (heap=0x103c300, size=33) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_alloc.c:1910
#1  0x00000000006acf92 in _estrndup (s=0x13c717c "Всё для кормления", length=32) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_alloc.c:2650
#2  0x00000000006d0b04 in _zval_copy_ctor_func (zvalue=0x143bc80) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_variables.c:123
#3  0x00007fb347fc4902 in _zval_copy_ctor (zvalue=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_variables.h:45
#4  mysqlnd_rset_zval_ptr_dtor (zv=0x1429f88, type=<optimized out>, copy_ctor_called=0x7fffb835ffaf "\001") at /build/php5-EG7b3R/php5-5.5.8+dfsg/ext/mysqlnd/mysqlnd_result.c:110
#5  0x00007fb347fc4c16 in php_mysqlnd_res_free_buffered_data_pub (result=0x139b460) at /build/php5-EG7b3R/php5-5.5.8+dfsg/ext/mysqlnd/mysqlnd_result.c:200
#6  0x00007fb347fc4e05 in php_mysqlnd_res_free_result_buffers_pub (result=0x139b460) at /build/php5-EG7b3R/php5-5.5.8+dfsg/ext/mysqlnd/mysqlnd_result.c:244
#7  0x00007fb347fc3cba in mysqlnd_internal_free_result_contents (result=0x139b460) at /build/php5-EG7b3R/php5-5.5.8+dfsg/ext/mysqlnd/mysqlnd_result.c:274
#8  0x00007fb347fc3cea in mysqlnd_internal_free_result (result=0x139b460) at /build/php5-EG7b3R/php5-5.5.8+dfsg/ext/mysqlnd/mysqlnd_result.c:291
#9  0x00007fb347fc3e98 in php_mysqlnd_res_free_result_pub (result=0x139b460, implicit=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/ext/mysqlnd/mysqlnd_result.c:1307
#10 0x00007fb342e2bce0 in mysqli_result_free_storage (object=0x14236f8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/ext/mysqli/mysqli.c:270
#11 0x00000000006f9a34 in zend_objects_store_del_ref_by_handle_ex (handle=80, handlers=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_objects_API.c:226
#12 0x00000000006f9a53 in zend_objects_store_del_ref (zobject=0x141e7a8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_objects_API.c:178
#13 0x00000000006c1b90 in _zval_dtor (zvalue=0x141e7a8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_variables.h:35
#14 i_zval_ptr_dtor (zval_ptr=0x141e7a8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_execute.h:81
#15 _zval_ptr_dtor (zval_ptr=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_execute_API.c:426
#16 0x00000000006f3b17 in zend_object_std_dtor (object=0x141e5c8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_objects.c:54
#17 0x00000000006f3b49 in zend_objects_free_object_storage (object=0x141e5c8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_objects.c:137
#18 0x00000000006f9a34 in zend_objects_store_del_ref_by_handle_ex (handle=81, handlers=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_objects_API.c:226
#19 0x00000000006f9a53 in zend_objects_store_del_ref (zobject=0x141ec68) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_objects_API.c:178
#20 0x00000000006c1b90 in _zval_dtor (zvalue=0x141ec68) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_variables.h:35
#21 i_zval_ptr_dtor (zval_ptr=0x141ec68) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_execute.h:81
#22 _zval_ptr_dtor (zval_ptr=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_execute_API.c:426
#23 0x00000000006f3b17 in zend_object_std_dtor (object=0x141eb80) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_objects.c:54
#24 0x00000000006f3b49 in zend_objects_free_object_storage (object=0x141eb80) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_objects.c:137
#25 0x00000000006f9a34 in zend_objects_store_del_ref_by_handle_ex (handle=82, handlers=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_objects_API.c:226
#26 0x00000000006f9a53 in zend_objects_store_del_ref (zobject=0x141eb50) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_objects_API.c:178
#27 0x000000000077e535 in _zval_dtor (zvalue=0x141eb50) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_variables.h:35
#28 i_zval_ptr_dtor (zval_ptr=0x141eb50) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_execute.h:81
#29 i_free_compiled_variables (execute_data=0x7fb34c0be8c0) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_execute.c:1510
#30 zend_leave_helper_SPEC (execute_data=0x7fb34c0be8c0) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:399
#31 0x00000000006fb718 in execute_ex (execute_data=0x7fb34c0be8c0) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#32 0x00000000006c1949 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#33 0x000000000078218c in zend_do_fcall_common_helper_SPEC (execute_data=0x7fb34c0be7c8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:584
#34 0x00000000006fb718 in execute_ex (execute_data=0x7fb34c0be7c8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#35 0x00000000006c1949 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#36 0x000000000078218c in zend_do_fcall_common_helper_SPEC (execute_data=0x7fb34c0be6b8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:584
#37 0x00000000006fb718 in execute_ex (execute_data=0x7fb34c0be6b8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#38 0x00000000006c1949 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#39 0x000000000078218c in zend_do_fcall_common_helper_SPEC (execute_data=0x7fb34c0be5a8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:584
#40 0x00000000006fb718 in execute_ex (execute_data=0x7fb34c0be5a8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#41 0x00000000006c1949 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#42 0x0000000000780b72 in ZEND_INCLUDE_OR_EVAL_SPEC_VAR_HANDLER (execute_data=0x7fb34c0be488) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:13370
#43 0x00000000006fb718 in execute_ex (execute_data=0x7fb34c0be488) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#44 0x00000000006c1949 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#45 0x000000000078218c in zend_do_fcall_common_helper_SPEC (execute_data=0x7fb34c0be320) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:584
#46 0x00000000006fb718 in execute_ex (execute_data=0x7fb34c0be320) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#47 0x00000000006c1949 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#48 0x000000000078218c in zend_do_fcall_common_helper_SPEC (execute_data=0x7fb34c0be1c0) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:584
#49 0x00000000006fb718 in execute_ex (execute_data=0x7fb34c0be1c0) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#50 0x00000000006c1949 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#51 0x00000000007816bf in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7fb34c0be0c0) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:2748
#52 0x00000000006fb718 in execute_ex (execute_data=0x7fb34c0be0c0) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#53 0x00000000006c1949 in dtrace_execute_ex (execute_data=<optimized out>) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_dtrace.c:73
#54 0x00000000006d3330 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend.c:1316
#55 0x0000000000673585 in php_execute_script (primary_file=primary_file@entry=0x7fffb83634c0) at /build/php5-EG7b3R/php5-5.5.8+dfsg/main/main.c:2506
#56 0x000000000046138a in main (argc=1, argv=0x7fffb83637f8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/sapi/cgi/cgi_main.c:2454


Test script:
---------------
<?php
class app_catalog_categories extends app_models
{
        ...
	use app_object_sql {
		save as SQLSave;
		destroy as SQLDestoy;
	}

public function getAllCategories()
	{
		$db = new app_db;
		$db->query("SELECT * FROM `app_catalog_category` WHERE `public` = '1' ORDER BY `position`");
	
		$objects = array();
		while ($row = $db->fetch())
		{
			$object = new app_catalog_category;
			$objects[] = $object->setAttributes($row); // if this line is commented out the script works and PHP does not crash
		}
	
		return $objects;
	}
...      
}

..
<?php 
trait app_object_sql
{
	/**
	 * Return avail attributes for object
	 * @return array
	 */
	abstract function getSQLAttributes();
	
	/**
	 * Setup SQL Attributes to object
	 * @param array $attributes
	 */
	public function setAttributes(array $attributes)
	{
		foreach ($attributes as $attribute => $value) {
			if (array_search($attribute, $this->getSQLAttributes()) !== false) {
				$this->$attribute = $value;
			}
		}
		return $this;
	}
}

Then I rewrote the two methods like this:

public function setAttributes(array $attributes)
	{
		foreach ($attributes as $attribute => $value) {
			if (array_search($attribute, $this->getSQLAttributes()) !== false) {
				$this->$attribute = $value;
			}
		}
		//return $this;
	}


public function getAllCategories()
	{
		$db = new app_db;
		$db->query("SELECT * FROM `app_catalog_category` FORCE INDEX (`position`) WHERE `public` = '1' ORDER BY `position`");
	
		$objects = array();
		while ($row = $db->fetch())
		{
			$object = new app_catalog_category;
			$object->setAttributes($row);
			$objects[] = $object;
		}
	
		return $objects;
	}

php-cgi did not crash.

Expected result:
----------------
segmentation fault


 [2014-01-12 09:16 UTC] pajoye@php.net
-Status: Open +Status: Assigned -Package: *General Issues +Package: MySQL related -Assigned To: +Assigned To: mysql
 [2014-01-12 09:16 UTC] pajoye@php.net
changing category

looks like a mysqlnd free issue.
 [2014-01-13 00:26 UTC] johannes@php.net
-Status: Assigned +Status: Feedback -Assigned To: mysql +Assigned To:
 [2014-01-13 00:26 UTC] johannes@php.net
#1  0x00000000006acf92 in _estrndup (s=0x13c717c "Всё для кормления", length=32) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_alloc.c:2650

This should never segfault. This indicates some corruption. Can you please provide a reproducible test case or at least try to run it through valgrind?
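Triaging a backtrace like the one in this report, as an added example (not code from the report or from PHP): the script parses gdb `bt` output, maps each frame to its PHP source component, collapses the Zend VM dispatch frames that repeat for every PHP-level call, and reports which extension was executing when the allocator faulted. The sample frames are an abridged copy of the trace above; the USE_ZEND_ALLOC=0 hint in the verdict refers to PHP's environment switch that bypasses the Zend memory manager so valgrind can see individual allocations.

```python
import re
from collections import Counter
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?(\w+)\s*\(.*\)(?:\s+at\s+(\S+):\d+)?\s*$")
COMPONENT_RE = re.compile(r"/(Zend|main|sapi/\w+|ext/\w+)/")  # directory under the PHP source root
# Zend VM dispatch frames repeat for every PHP-level call and carry no triage value.
VM_NOISE = {"execute_ex", "dtrace_execute_ex", "zend_do_fcall_common_helper_SPEC"}

# Constructed sample: an abridged copy of the frames posted in this report.
SAMPLE_BT = r"""
#0  _zend_mm_alloc_int (heap=0x103c300, size=33) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_alloc.c:1910
#1  0x00000000006acf92 in _estrndup (s=0x13c717c "Всё для кормления", length=32) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_alloc.c:2650
#4  mysqlnd_rset_zval_ptr_dtor (zv=0x1429f88, type=<optimized out>, copy_ctor_called=0x7fffb835ffaf "\001") at /build/php5-EG7b3R/php5-5.5.8+dfsg/ext/mysqlnd/mysqlnd_result.c:110
#5  0x00007fb347fc4c16 in php_mysqlnd_res_free_buffered_data_pub (result=0x139b460) at /build/php5-EG7b3R/php5-5.5.8+dfsg/ext/mysqlnd/mysqlnd_result.c:200
#10 0x00007fb342e2bce0 in mysqli_result_free_storage (object=0x14236f8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/ext/mysqli/mysqli.c:270
#31 0x00000000006fb718 in execute_ex (execute_data=0x7fb34c0be8c0) at /build/php5-EG7b3R/php5-5.5.8+dfsg/Zend/zend_vm_execute.h:363
#56 0x000000000046138a in main (argc=1, argv=0x7fffb83637f8) at /build/php5-EG7b3R/php5-5.5.8+dfsg/sapi/cgi/cgi_main.c:2454
"""

def parse_frames(bt_text):
    frames = []
    for line in bt_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            path = m.group(3) or ""
            comp = COMPONENT_RE.search(path)
            frames.append({"no": int(m.group(1)), "func": m.group(2),
                           "component": comp.group(1) if comp else "unknown",
                           "file": path.rsplit("/", 1)[-1]})
    return frames

def triage(bt_text):
    frames = parse_frames(bt_text)
    if not frames:
        return None
    top = frames[0]
    in_allocator = top["file"] == "zend_alloc.c"
    # Innermost frame outside the engine core: the code that issued the faulting call.
    ext = next((f for f in frames if f["component"].startswith("ext/")), None)
    if in_allocator and ext:
        # Allocator faults usually mean earlier heap damage; USE_ZEND_ALLOC=0 lets valgrind see each malloc/free.
        verdict = ("allocator faulted while %s was freeing memory; suspect earlier heap "
                   "corruption, reproduce under valgrind with USE_ZEND_ALLOC=0" % ext["component"])
    else:
        verdict = "fault inside %s (%s)" % (top["component"], top["func"])
    return {"faulting_function": top["func"], "allocator_fault": in_allocator,
            "extension": ext["component"] if ext else None,
            "first_extension_frame": ext["func"] if ext else None,
            "components": dict(Counter(f["component"] for f in frames)),
            "collapsed_depth": sum(f["func"] not in VM_NOISE for f in frames),
            "total_depth": len(frames), "verdict": verdict}
```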
 [2014-03-05 09:56 UTC] gasolwu@php.net
I think I got the same problem here; the backtrace looks the same.

#0  0x00000000005450b0 in _zend_mm_free_int ()
#1  0x000000000055bc85 in _zval_ptr_dtor ()
#2  0x00000000004fcd7e in php_mysqlnd_res_free_buffered_data_pub ()
#3  0x00000000004fcc9d in php_mysqlnd_res_free_result_buffers_pub ()

I have a different version of OS and PHP, as below.

FreeBSD host 9.1-RELEASE-p5 FreeBSD 9.1-RELEASE-p5 #0: Sat Jul 27 01:14:23 UTC 2013     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd6

PHP 5.4.17 (cli) (built: Jul 29 2013 02:01:00)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
 [2014-03-05 10:05 UTC] pajoye@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

We still need a repro script.
 [2014-12-30 10:42 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.