Bug #68768 Mysqli segfaults on get_result call to stored procedure using cursors
Submitted: 2015-01-07 18:32 UTC Modified: 2020-11-05 15:55 UTC
Votes:5
Avg. Score:4.2 ± 0.7
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:0 (0.0%)
From: yicheng at heroengine dot com Assigned: girgias (profile)
Status: Closed Package: MySQLi related
PHP Version: 5.5Git-2015-01-07 (Git) OS: Linux Fedora 20
Private report: No CVE-ID: None
 [2015-01-07 18:32 UTC] yicheng at heroengine dot com
Description:
------------
Given this sample stored procedure: 

DELIMITER //
drop procedure IF EXISTS `testProcedure`;
CREATE DEFINER=`root`@`%` PROCEDURE `testProcedure`(IN `v_username` VARCHAR(255))
    MAIN:BEGIN
        DECLARE done INT DEFAULT 0;
        DECLARE p_username VARCHAR(255) DEFAULT 'default';
        DECLARE sub CURSOR FOR SELECT 'Jon Jones' AS Acct_Username;
        DECLARE CONTINUE HANDLER FOR NOT FOUND SET done = 1;
        OPEN sub;
        read_loop: LOOP
            FETCH sub INTO p_username;
            IF done=1 THEN
                LEAVE read_loop;
            END IF;
        END LOOP read_loop;
        CLOSE sub;
        SELECT 'Some kind of message' AS Msg, '200000' AS Num,CURDATE() AS current;
    END;
//

Executing the above procedure from the mysql command line retrieves the following results:

MySQL [AMS]> CALL testProcedure('yicheng');//
+----------------------+--------+------------+
| Msg                  | Num    | current    |
+----------------------+--------+------------+
| Some kind of message | 200000 | 2015-01-07 |
+----------------------+--------+------------+
1 row in set (0.00 sec)

Calling the same procedure from mysqli (e.g. the test script) will result in a segmentation fault, as shown in the following line from apache error_log:

[Wed Jan 07 13:09:50.161212 2015] [core:notice] [pid 4653:tid 140193375778624] AH00052: child pid 22786 exit signal Segmentation fault (11)

Curiously, taking out the select statement from the procedure will remove the segfault but will still cause a php error due to attempting to call fetch_array on a non-object.

Also, if I insert another select statement before the call to OPEN sub, this will also avert the segfault although it will now cause two result sets to be returned.

Test script:
---------------
$mysqli = new mysqli("host", "user", "pass", "DBNAME");

$sql = "CALL testProcedure(?)";
$username = "yicheng";

$statement = $mysqli->prepare($sql);
$statement->bind_param("s", $username);
$statement->execute();
$result = $statement->get_result();
echo "Get Results<br/>\n";
while ($row = $result->fetch_array(MYSQLI_ASSOC)) {
    echo var_export($row, TRUE)."<br/>\n";
}
echo "Closing Mysqli<br/>\n";
$mysqli->close();
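
The two non-crashing cases described above (a procedure with no final SELECT, where get_result() yields a non-object, and a procedure that returns two result sets) can be handled as in this added example, which is not part of the original report and does not work around the segfault itself. It assumes PHP 7 or later built with mysqlnd; callProcedure is a hypothetical helper name, and the connection values are the report's own placeholders.

```php
<?php
// Added example, not code from the bug report. callProcedure() is a
// hypothetical helper; "host", "user", "pass", "DBNAME" and testProcedure
// are the placeholders and procedure used in the report.

// Make mysqli throw mysqli_sql_exception on errors instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Run a one-argument CALL through a prepared statement and collect every
 * result set it produces, skipping results that carry no rows.
 */
function callProcedure(mysqli $db, string $sql, string $arg): array
{
    $sets = [];
    $stmt = $db->prepare($sql);
    $stmt->bind_param("s", $arg);
    $stmt->execute();

    do {
        // get_result() returns false when the current result has no result
        // set (for example a procedure without a final SELECT), so the
        // return value is checked before any fetch call is made on it.
        $result = $stmt->get_result();
        if ($result instanceof mysqli_result) {
            $sets[] = $result->fetch_all(MYSQLI_ASSOC);
            $result->free();
        }
        // Advance through any further result sets the procedure returned.
    } while ($stmt->more_results() && $stmt->next_result());

    $stmt->close();
    return $sets;
}

$mysqli = new mysqli("host", "user", "pass", "DBNAME");
$sets = callProcedure($mysqli, "CALL testProcedure(?)", "yicheng");
foreach ($sets as $i => $rows) {
    echo "Result set $i: " . var_export($rows, true) . "\n";
}
$mysqli->close();
```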



 [2015-01-07 18:38 UTC] aharvey@php.net
-Status: Open +Status: Feedback
 [2015-01-07 18:38 UTC] aharvey@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2015-01-07 20:44 UTC] yicheng at heroengine dot com
-Status: Feedback +Status: Open
 [2015-01-07 20:44 UTC] yicheng at heroengine dot com
Thread 1 (Thread 0x7ffff79c3840 (LWP 24631)):
#0  mysqlnd_fetch_stmt_row_cursor (result=0x7ffff79c0738, param=0x7ffff79c0c10, flags=1, fetched_anything=0x1 <error: Cannot access memory at address 0x1>, tsrm_ls=0x10174e0)
    at /home/yicheng/Downloads/php-5.5.9/ext/mysqlnd/mysqlnd_ps.c:995
        ret = (unknown: 16872672)
        stmt = 0x7ffff79be4f0
        buf = " \272\001\000\000\000\000"
        row_packet = 0x7ffff79c0738
#1  0x00000000007048aa in php_mysqlnd_res_fetch_into_pub (result=0x7ffff79c0738, flags=1, return_value=0x7ffff79c0c10, extension=MYSQLND_MYSQLI, tsrm_ls=0x10174e0)
    at /home/yicheng/Downloads/php-5.5.9/ext/mysqlnd/mysqlnd_result.c:1485
        fetched_anything = 0 '\000'
#2  0x00000000005d9dac in php_mysqli_fetch_into_hash_aux (tsrm_ls=0x10174e0, fetchtype=<optimized out>, result=<optimized out>, return_value=0x7ffff79c0c10)
    at /home/yicheng/Downloads/php-5.5.9/ext/mysqli/mysqli.c:1219
No locals.
#3  php_mysqli_fetch_into_hash (ht=<optimized out>, return_value=0x7ffff79c0c10, return_value_ptr=<optimized out>, this_ptr=0x7ffff79c0438, return_value_used=<optimized out>, tsrm_ls=0x10174e0, 
    override_flags=override_flags@entry=0, into_object=into_object@entry=0) at /home/yicheng/Downloads/php-5.5.9/ext/mysqli/mysqli.c:1272
        result = <optimized out>
        mysql_result = 0x7ffff79c0438
        fetchtype = 1
        ctor_params = 0x0
        ce = 0x0
#4  0x00000000005e3298 in zif_mysqli_fetch_array (ht=<optimized out>, return_value=<optimized out>, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>, 
    tsrm_ls=<optimized out>) at /home/yicheng/Downloads/php-5.5.9/ext/mysqli/mysqli_nonapi.c:350
No locals.
#5  0x00007ffff11e30dd in xdebug_execute_internal (current_execute_data=0x7ffff7984460, fci=0x0, return_value_used=1, tsrm_ls=0x10174e0) at /home/yicheng/Downloads/xdebug-2.2.5/xdebug.c:1553
        edata = <optimized out>
        fse = 0x1314b10
        cur_opcode = <optimized out>
        do_return = 0
        function_nr = 6
        restore_error_handler_situation = 0
        tmp_error_cb = 0x0
#6  0x0000000000843e1e in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>, tsrm_ls=0x10174e0) at /home/yicheng/Downloads/php-5.5.9/Zend/zend_vm_execute.h:552
        ret = 0x7ffff7984100
        opline = <optimized out>
        should_change_scope = 1 '\001'
        fbc = 0x1212750
#7  0x00000000007b32eb in execute_ex (execute_data=0x7ffff7984460, tsrm_ls=0x10174e0) at /home/yicheng/Downloads/php-5.5.9/Zend/zend_vm_execute.h:363
        ret = <optimized out>
        original_in_execution = 0 '\000'
#8  0x00007ffff11e20fb in xdebug_execute_ex (execute_data=0x7ffff7984460, tsrm_ls=<optimized out>) at /home/yicheng/Downloads/xdebug-2.2.5/xdebug.c:1437
        op_array = 0x7ffff79b9720
        edata = <optimized out>
        dummy = 0x101a8c8
        fse = 0x1312090
        xfse = <optimized out>
        magic_cookie = 0x0
        do_return = 0
        function_nr = 0
        le = <optimized out>
        clear = 1
        return_val = 0x0
#9  0x00000000007883c3 in zend_execute_scripts (type=type@entry=8, tsrm_ls=tsrm_ls@entry=0x10174e0, retval=retval@entry=0x0, file_count=file_count@entry=3) at /home/yicheng/Downloads/php-5.5.9/Zend/zend.c:1316
        files = {{gp_offset = 48, fp_offset = 0, overflow_arg_area = 0x7fffffffa8a0, reg_save_area = 0x7fffffffa830}}
        i = 1
        file_handle = 0x7fffffffcbb0
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
        orig_interactive = 0
---Type <return> to continue, or q <return> to quit---
#10 0x000000000071a6eb in php_execute_script (primary_file=primary_file@entry=0x7fffffffcbb0, tsrm_ls=tsrm_ls@entry=0x10174e0) at /home/yicheng/Downloads/php-5.5.9/main/main.c:2506
        realfile = "/home/yicheng/p4_1666/yicheng-HEROENGINE-HEWKST03-Ubuntu/web/MAIN/AMS/public/test_mysqli_cli.php\000\210[ ;\000\000\000\024^y\000\000\000\000\000\001\000\000\000\000\000\000\000\200Nw\360\330uD\210\000\204[ ;\000\000\000\200\355\206\353\326O9\253\000\204[ ;\000\000\000\222\274& ;\000\000\000\340t\001\001\000\000\000\000\030N\204\000\000\000\000\000\340t\001\001\000\000\000\000\340t\001\001\000\000\000\000\bQ\001\001\000\000\000\000"...
        __orig_bailout = 0x7fffffffcc30
        __bailout = {{__jmpbuf = {140737488342064, 1591329364349861654, 16872512, 19996368, 0, 16872512, 1591329367629807382, -1591328964377002218}, __mask_was_saved = 0, __saved_mask = {__val = {416611827788, 
                538985832, 0, 7600157958838642735, 253945935712, 77, 16872672, 19033704, 19996368, 140737488342272, 96, 19033704, 0, 16872512, 7426434, 19996368}}}}
        prepend_file_p = <optimized out>
        append_file_p = 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, 
                old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, free_filename = 0 '\000'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, 
                old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, free_filename = 0 '\000'}
        old_cwd = 0x7fffffffa8b0 ""
        retval = 0
#11 0x000000000084620c in do_cli (argc=2, argv=0x1017400, tsrm_ls=0x10174e0) at /home/yicheng/Downloads/php-5.5.9/sapi/cli/php_cli.c:994
        __orig_bailout = 0x7fffffffddd0
        __bailout = {{__jmpbuf = {140737488346576, 1591329363715473174, 140737488346564, 0, 0, 16734912, 1591329364347764502, -1591328302247657706}, __mask_was_saved = 0, __saved_mask = {__val = {16872672, 
                16873888, 253942562044, 16872720, 16873936, 77, 7420677, 7420624, 32, 8, 7418462, 0, 8, 4311702208, 16863136, 8192}}}}
        c = <optimized out>
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x1017440 "./test_mysqli_cli.php", opened_path = 0x0, handle = {fd = -140797872, fp = 0x7ffff79b9850, stream = {handle = 0x7ffff79b9850, isatty = 0, 
              mmap = {len = 950, pos = 0, map = 0x7ffff7ff6000, buf = 0x7ffff7ff6000 <error: Cannot access memory at address 0x7ffff7ff6000>, old_handle = 0x1311f40, 
                old_closer = 0x79ead0 <zend_stream_stdio_closer>}, reader = 0x79eb00 <zend_stream_stdio_reader>, fsizer = 0x79ea70 <zend_stream_stdio_fsizer>, closer = 0x79ebe0 <zend_stream_mmap_closer>}}, 
          free_filename = 0 '\000'}
        behavior = <optimized out>
        reflection_what = 0x0
        request_started = 1
        exit_status = 0
        php_optarg = 0x0
        php_optind = 2
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        arg_free = <optimized out>
        arg_excp = <optimized out>
        script_file = <optimized out>
        translated_path = <optimized out>
        interactive = 0
        lineno = 1
        param_error = <optimized out>
        hide_argv = 0
#12 0x00000000004335be in main (argc=2, argv=0x1017400) at /home/yicheng/Downloads/php-5.5.9/sapi/cli/php_cli.c:1378
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, 1591329363715473174, 140737488346564, 0, 0, 16734912, 1591329363733298966, -1591328840252473578}, __mask_was_saved = 0, __saved_mask = {__val = {539461051, 253942530944, 
                16867344, 0, 253940077760, 140737488346736, 140737488346720, 4131212846, 4288704, 4294967295, 253937903414, 253942104512, 140737349878992, 254241942936, 253942085312, 1}}}}
        tsrm_ls = 0x10174e0
        c = <optimized out>
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x0
        php_optind = 1
        use_extended_info = 0
        ini_path_override = 0x0
        ini_entries = 0x1019a60 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\n"
        ini_entries_len = 0
        ini_ignore = 0
        sapi_module = <optimized out>
 [2015-09-16 11:11 UTC] kevin dot smith at ricardo dot com
Was this problem ever resolved?
 [2020-11-05 15:55 UTC] girgias@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: girgias
 [2020-11-05 15:55 UTC] girgias@php.net
Related To: Bug #72413
 
Last updated: Tue Mar 19 02:01:28 2024 UTC