php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70242 Segmentation fault in mysql driver
Submitted: 2015-08-11 19:31 UTC Modified: 2015-08-18 12:00 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: neclimdul at gmail dot com Assigned:
Status: Duplicate Package: MySQL related
PHP Version: 7.0Git-2015-08-11 (Git) OS: linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: neclimdul at gmail dot com
New email:
PHP Version: OS:

 

 [2015-08-11 19:31 UTC] neclimdul at gmail dot com
Description:
------------
compiled against commit: a658465ef2ff7e4

I'm not seeing this in normal site operations but in some of the Drupal functional tests there are a bunch of database operations going on and a couple of them are triggering this segmentation fault.

#0  0x00000000005a7654 in pdo_mysql_stmt_dtor (stmt=0x7fffecc48a80)
    at /usr/src/php-src/ext/pdo_mysql/mysql_statement.c:93
#1  0x00000000005a3bfa in php_pdo_free_statement (stmt=0x7fffecc48a80)
    at /usr/src/php-src/ext/pdo/pdo_stmt.c:2320
#2  0x000000000076def2 in zend_objects_store_del (object=0x7fffecc48bd0)
    at /usr/src/php-src/Zend/zend_objects_API.c:181
#3  0x00000000005fc8fc in spl_dual_it_free_storage (_object=0x7fffecc78e10)
    at /usr/src/php-src/ext/spl/spl_iterators.c:2318
#4  0x000000000076def2 in zend_objects_store_del (object=0x7fffecc78e10)
    at /usr/src/php-src/Zend/zend_objects_API.c:181
#5  0x000000000076904b in i_zval_ptr_dtor (zval_ptr=0x7fffecc02958)
    at /usr/src/php-src/Zend/zend_variables.h:57
#6  zend_object_std_dtor (object=0x7fffecc02800)
    at /usr/src/php-src/Zend/zend_objects.c:68
#7  0x000000000076db81 in zend_objects_store_free_object_storage (objects=0x7fffed354cf8, 
    objects@entry=0xd843f0 <executor_globals+816>)
    at /usr/src/php-src/Zend/zend_objects_API.c:102
#8  0x0000000000720803 in shutdown_executor ()
    at /usr/src/php-src/Zend/zend_execute_API.c:356
#9  0x000000000072fe9b in zend_deactivate () at /usr/src/php-src/Zend/zend.c:969
#10 0x00000000006cefd2 in php_request_shutdown (dummy=<optimized out>)
    at /usr/src/php-src/main/main.c:1814
#11 0x00000000007cbc04 in do_cli (argc=-315273992, argv=0x7fffed800000)
    at /usr/src/php-src/sapi/cli/php_cli.c:1139
#12 0x0000000000433e20 in main (argc=-315273992, argv=0x7fffed800000)
    at /usr/src/php-src/sapi/cli/php_cli.c:1338

I haven't yet been able to narrow this to a simple test case. 

Config:
./configure \
    --prefix=$HOME/tmp/usr \
    --with-config-file-path=$HOME/tmp/usr/etc \
    --with-config-file-scan-dir=$HOME/tmp/usr/etc/conf.d/ \
    --disable-all \
    --enable-inline-optimization \
    --enable-opcache \
    --enable-phar \
    --enable-fpm \
    --enable-session \
    --enable-filter \
    --enable-json \
    --enable-libxml \
    --enable-xml \
    --enable-simplexml \
    --enable-dom \
    --enable-ctype \
    --enable-tokenizer \
    --enable-mbstring \
    --enable-bcmath \
    --enable-pcntl \
    --enable-ftp \
    --enable-exif \
    --enable-calendar \
    --enable-sysvmsg \
    --enable-sysvsem \
    --enable-sysvshm \
    --with-curl \
    --enable-hash \
    --with-mcrypt \
    --with-iconv \
    --with-gd \
    --with-jpeg-dir=/usr \
    --with-png-dir=/usr \
    --enable-gd-native-ttf \
    --enable-gd-jis-conv \
    --with-openssl \
    --enable-pdo \
    --enable-mysqlnd \
    --with-pdo-mysql \
    --with-sqlite3=/usr \
    --with-pdo-sqlite=/usr \
    --with-gettext=/usr \
    --enable-zip \
    --with-zlib-dir=/usr \
    --with-zlib=/usr \
    --with-mysqli=$MYSQL_CONFIG \
    --with-mysql-sock=/var/run/mysqld/mysqld.sock

Linked against mariadb: 10.0.21+maria-1~vivid



Test script:
---------------
Don't have simple test. Currently using this shell command against the Drupal test suite.
 
gdb --args /home/.../tmp/usr/bin/php ./core/scripts/run-tests.sh --url 'http://localhost.local/d8' --sqlite './test.sqlite' --dburl 'mysql://user:pass@localhost.local:3306/drupal8' --php '/home/.../tmp/usr/bin/php' --test-id 1 --color --die-on-fail --execute-test 'Drupal\aggregator\Tests\Migrate\d6\MigrateAggregatorItemTest'


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-08-12 02:44 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-08-12 02:44 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2015-08-12 16:59 UTC] neclimdul at gmail dot com
I've tried digging into this for a test case and can't figure it out. I have worked with some of the Migration guys that wrote these tests and we can't find a pattern between the passing tests and the ones that segfault.

I can provide some additional information into the backtrace though. When the segmentation fault occurs the server structure still exists but it seems like most of the properties have been reclaimed. For example S->H->server->data->host and S->H->server->data->unix_socket are invalid memory addresses.

I tried to debug this further but I got lost in the macro indirection and can't find the actual implementation of mysql_more_results().

Any direction would be appreciated and if someone wants to chat in a quicker medium, I'm available through email, hangouts, and am connected to freenode.
 [2015-08-18 10:17 UTC] laruence@php.net
duplicated to #70272 which has more comments and patch, so close this one, thanks
 [2015-08-18 12:00 UTC] cmb@php.net
-Status: Feedback +Status: Duplicate
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Feb 28 15:01:35 2024 UTC