Bug #69749 Arbitrary Segmentation fault when using DB2_ROWCOUNT_PREFETCH_ON
Submitted: 2015-06-02 18:45 UTC Modified: -
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: chad dot hirsch at allegiantair dot com Assigned:
Status: Open Package: ibm_db2 (PECL)
PHP Version: Irrelevant OS: RHEL 6.6 and previous
Private report: No CVE-ID: None

 [2015-06-02 18:45 UTC] chad dot hirsch at allegiantair dot com
Description:
------------
 Import the provided IXF files with the following commands:
db2 import from test_table1.ixf of ixf messages import_table1.log "create into test_table1"
db2 import from test_table2.ixf of ixf messages import_table2.log "create into test_table2"
Execute 'php testDb2.php -h' to get list of options:
USAGE
-n<hostname>
-u<username>
-p<password>
-s<schema>
-d	will show more detail
-x	exclude last row
-r	do NOT call db2_num_rows
If you execute 'php testDb2.php' it will output:
Segmentation fault (core dumped)
However, if you execute 'php testDb2.php -r' (do NOT call db2_num_rows after query) it outputs:
Ok
Completed successfully
Also, if you execute 'php testDb2.php -x' (skip last row of result set) it also outputs:
Ok
Completed successfully
If this query is modified in ANY way, the symptom will go away. If the query is run against a DIFFERENT DATASET, the symptom will go away. However, some other apparently arbitrary combination of query structure and dataset will again trigger the problem. We have no way of predicting what queries/datasets will cause the problem. It took quite a while to isolate an exact dataset, etc., that would cause the issue with this particular query.
The issue only happens after the LAST row of a dataset is read AFTER using db2_num_rows to get the dataset size.

This particular example has a decent sized dataset but that is not required to get the error. We've seen the error occur on very small sets. This is just the one that we were able to isolate.

From one of our devs:
"We have tried a variety of ibm_db2 driver versions and they all have the same issue. The particular core dump provided is for an RHEL 6 box running php 5.3.3 but we've seen the issue on all RHEL boxes running different versions of php (5.2.17, etc). I realize these versions are old but we're constrained to those versions.

I've been tracking this error ever since we've tried using ibm_db2.so on RHEL boxes (about 3 years). I don't know for sure but I'm fairly certain that I've been able to reproduce the issue with current php versions as well but it was a while back and I don't have proof of that."


Test script:
---------------
It's larger than twenty lines, and includes the data set as well to reproduce the issue.
https://docs.google.com/file/d/0B9u76idUSF-DNUxyWXZMUFVXZThVUHNYMDBZTERzcHljOFo4/edit?usp=docslist_api
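The sequence the report describes, as an added example that is not the reporter's testDb2.php and not ibm_db2 project code: the crashing form (row-count prefetch on, db2_num_rows, then fetching through the last row) next to the workaround the -r and -x runs point at, which leaves prefetch off and counts the rows as they are fetched. The connection string, table name and query are placeholders, and the 'rowcount' option key is taken from the ibm_db2 manual for db2_prepare; in a web SAPI the crashing form takes the whole worker process down with the request, so only the counting form belongs in production code.

```php
<?php
// Added example, not the reporter's testDb2.php. Connection string, table and
// query are placeholders; the db2_* calls are the ibm_db2 extension's functions.
$conn = db2_connect(
    'DATABASE=SAMPLE;HOSTNAME=db2host;PORT=50000;PROTOCOL=TCPIP;UID=dbuser;PWD=secret;',
    '', ''
);
if (!$conn) {
    fwrite(STDERR, 'connect failed: ' . db2_conn_errormsg() . "\n");
    exit(1);
}
$sql = 'SELECT * FROM TEST_TABLE1';   // placeholder for the reporter's query

// Sequence the report says crashes: enable row-count prefetch, ask db2_num_rows
// for the size, then read every row including the last one (the reporter's -r
// flag skips the db2_num_rows call and -x skips the last row; both avoid the crash).
function fetch_with_num_rows($conn, $sql) {
    $stmt = db2_prepare($conn, $sql, array('rowcount' => DB2_ROWCOUNT_PREFETCH_ON));
    if (!$stmt || !db2_execute($stmt)) {
        return false;
    }
    $expected = db2_num_rows($stmt);
    $rows = array();
    while ($row = db2_fetch_object($stmt)) {   // the fetch call in the reporter's backtrace
        $rows[] = $row;
    }
    db2_free_stmt($stmt);
    return array('expected' => $expected, 'rows' => $rows);
}

// Workaround consistent with the report: keep prefetch off, never call
// db2_num_rows, and take the count from the rows actually fetched.
function fetch_and_count($conn, $sql) {
    $stmt = db2_prepare($conn, $sql, array('rowcount' => DB2_ROWCOUNT_PREFETCH_OFF));
    if (!$stmt || !db2_execute($stmt)) {
        return false;
    }
    $rows = array();
    while ($row = db2_fetch_object($stmt)) {
        $rows[] = $row;
    }
    db2_free_stmt($stmt);
    return array('expected' => count($rows), 'rows' => $rows);
}

$result = fetch_and_count($conn, $sql);   // call fetch_with_num_rows() only to reproduce
echo $result === false ? 'query failed: ' . db2_stmt_errormsg() . "\n"
                       : $result['expected'] . " rows read\n";
db2_close($conn);
```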

 [2015-06-17 00:11 UTC] chad dot hirsch at allegiantair dot com
Here is a core dump backtrace we were able to generate.

Core was generated by `/usr/sbin/httpd'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f2c5f9b9827 in __intel_ssse3_rep_memcpy () from /opt/ibm/db2/V10.5//lib64/libdb2.so.1
No symbol table info available.
#1  0x00007f2c5fc3610e in csmGetCursorBuf(db2UCinterface*, char**, unsigned long*, unsigned long*, CSM_ROWPOSN**, unsigned long*, void*, unsigned long, unsigned int) () from /opt/ibm/db2/V10.5//lib64/libdb2.so.1
No symbol table info available.
#2  0x00007f2c5f701dd0 in clientbo_get_data_span_buffers(CLIENTBO_PARMS*, void*, long, long) () from /opt/ibm/db2/V10.5//lib64/libdb2.so.1
No symbol table info available.
#3  0x00007f2c5fb7340b in clientboTimestampToChar(CLIENTBO_PARMS*) () from /opt/ibm/db2/V10.5//lib64/libdb2.so.1
No symbol table info available.
#4  0x00007f2c5fa4b018 in CLI_callbDrdaOutput(db2UCinterface*) () from /opt/ibm/db2/V10.5//lib64/libdb2.so.1
No symbol table info available.
#5  0x00007f2c5f75edad in csmFetch(db2UCinterface*, db2UCCursorInfo*) () from /opt/ibm/db2/V10.5//lib64/libdb2.so.1
No symbol table info available.
#6  0x00007f2c5f9fc2a5 in CLI_sqlFetch(CLI_STATEMENTINFO*, unsigned long, long, long, unsigned int*, unsigned short*, sqlca*, CLI_ERRORHEADERINFO*) () from /opt/ibm/db2/V10.5//lib64/libdb2.so.1
No symbol table info available.
#7  0x00007f2c5facde3c in SQLFetch () from /opt/ibm/db2/V10.5//lib64/libdb2.so.1
No symbol table info available.
#8  0x00007f2c61ea6d1e in _php_db2_bind_fetch_helper (ht=1, return_value=0x7f2c74360028, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>, op=2) at /rpmbuild/BUILD/g4-php52-ibm_db2-1.9.6/ibm_db2.c:5549
        argc = 1
        rc = <value optimized out>
        i = <value optimized out>
        row_number = -1
        stmt = 0x7f2c73d11660
        stmt_res = 0x7f2c73d8da48
        column_type = <value optimized out>
        lob_bind_type = -2
        row_data = <value optimized out>
        out_length = <value optimized out>
        loc_length = <value optimized out>
        tmp_length = <value optimized out>
        out_ptr = <value optimized out>
#9  0x00007f2c61ea810f in zif_db2_fetch_object (ht=<value optimized out>, return_value=0x7f2c74360028, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>) at /rpmbuild/BUILD/g4-php52-ibm_db2-1.9.6/ibm_db2.c:5954
No locals.
Last updated: Fri Sep 20 07:01:26 2019 UTC