Bug #70272 Segfault in pdo_mysql
Submitted: 2015-08-14 17:12 UTC Modified: 2015-08-18 13:38 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: laruence@php.net Assigned: laruence
Status: Closed Package: Scripting Engine problem
PHP Version: 7.0.0beta3 OS:
Private report: No CVE-ID:
 [2015-08-14 17:12 UTC] laruence@php.net
Description:
------------
A segfault can be seen if the STMT object has a smaller object handle than the DBH object.

The reason is that we destroy objects in shutdown in reverse order, so if the STMT object has a smaller handle (meaning it will be accessed later than the DBH object), a segfault can be seen in shutdown.


Test script:
---------------
<?php
// $a references itself, so the cycle keeps it (and everything it holds) alive until shutdown;
// gc_disable() below stops the cycle collector from freeing it earlier
$a = new Stdclass();
$a->a = &$a;

// $b takes the next free object handle; it is released below so that handle is reused
$b = new StdClass();

$db = new PDO("mysql:host=127.0.01;dbname=test", "root");
$b = NULL;

$a->c = $db;
// the statement object reuses $b's freed handle, which is smaller than the PDO object's handle
$a->b = $db->prepare("select 1");
gc_disable();
?>

Expected result:
----------------
no segfault

Actual result:
--------------
segfault with backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000737a8b in pdo_mysql_stmt_dtor (stmt=0x7ffff06761c0)
    at /home/huixinchen/opensource/trunk/ext/pdo_mysql/mysql_statement.c:93
93			while (mysql_more_results(S->H->server)) {
(gdb) bt
#0  0x0000000000737a8b in pdo_mysql_stmt_dtor (stmt=0x7ffff06761c0)
    at /home/huixinchen/opensource/trunk/ext/pdo_mysql/mysql_statement.c:93
#1  0x0000000000730de3 in php_pdo_free_statement (stmt=0x7ffff06761c0)
    at /home/huixinchen/opensource/trunk/ext/pdo/pdo_stmt.c:2320
#2  0x0000000000730fc7 in pdo_dbstmt_free_storage (std=0x7ffff0676310)
    at /home/huixinchen/opensource/trunk/ext/pdo/pdo_stmt.c:2356
#3  0x0000000000a45573 in zend_objects_store_free_object_storage (objects=0x13f4dd0 <executor_globals+816>)
    at /home/huixinchen/opensource/trunk/Zend/zend_objects_API.c:102
#4  0x00000000009e1aaa in shutdown_executor () at /home/huixinchen/opensource/trunk/Zend/zend_execute_API.c:356
#5  0x00000000009f9b14 in zend_deactivate () at /home/huixinchen/opensource/trunk/Zend/zend.c:969
#6  0x000000000096456d in php_request_shutdown (dummy=0x0) at /home/huixinchen/opensource/trunk/main/main.c:1814
#7  0x0000000000aba5f5 in do_cli (argc=2, argv=0x13f8e50) at /home/huixinchen/opensource/trunk/sapi/cli/php_cli.c:1139
#8  0x0000000000abae68 in main (argc=2, argv=0x13f8e50) at /home/huixinchen/opensource/trunk/sapi/cli/php_cli.c:1338
(gdb)
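
The destruction-order hazard described in the report, as an added C model (not php-src code and not the fix referenced below): a tiny object store hands out the lowest free handle, so the statement created after `$b = NULL` lands below the connection's handle, and shutdown destroys handles from the top down, so the statement destructor runs after the connection's contents are gone. The `FLAG_FREE_CALLED` check on the owning object is an assumed guard illustrating the kind of check a driver destructor needs; all names here are mine.

```c
#include <stdlib.h>
#define MAX_OBJECTS 8
#define FLAG_FREE_CALLED 1              /* set on an object once its contents are torn down */
enum kind { PLAIN, DBH, STMT };
typedef struct obj {
    int handle, flags;
    enum kind kind;
    struct obj *dbh;                    /* STMT only: the owning connection object */
    char *server;                       /* DBH only: connection state, NULL once destroyed */
} obj;
static obj *store[MAX_OBJECTS];         /* object store indexed by handle */

/* The lowest free slot is handed out, so a released handle gets reused. */
static obj *store_new(enum kind k) {
    for (int h = 0; h < MAX_OBJECTS; h++) {
        if (store[h]) continue;
        obj *o = calloc(1, sizeof *o);
        o->handle = h; o->kind = k; store[h] = o;
        return o;
    }
    return NULL;
}
/* Refcount reaching zero before shutdown frees the slot for reuse. */
static void store_release(obj *o) { store[o->handle] = NULL; free(o); }
static void dbh_dtor(obj *dbh) { free(dbh->server); dbh->server = NULL; dbh->flags |= FLAG_FREE_CALLED; }

/* Returns 1 when the statement dtor reaches for a connection that is already gone. */
static int stmt_dtor(obj *stmt, int guarded) {
    if (guarded && (stmt->dbh->flags & FLAG_FREE_CALLED))
        return 0;                       /* owner destroyed first: nothing left to drain */
    return stmt->dbh->server == NULL;   /* models the mysql_more_results(S->H->server) step */
}

/* Builds the test script's handle layout, then runs a reverse-order shutdown. */
int run_shutdown(int guarded) {
    obj *b = store_new(PLAIN);          /* handle 0: stands for $b */
    obj *dbh = store_new(DBH);          /* handle 1: the PDO connection */
    dbh->server = calloc(1, 16);
    store_release(b);                   /* $b = NULL frees handle 0 */
    obj *stmt = store_new(STMT);        /* prepare() reuses handle 0, below the connection's 1 */
    stmt->dbh = dbh;
    int uaf = 0;
    for (int h = MAX_OBJECTS - 1; h >= 0; h--) {   /* highest handle is destroyed first */
        if (!store[h]) continue;
        if (store[h]->kind == STMT) uaf |= stmt_dtor(store[h], guarded);
        else if (store[h]->kind == DBH) dbh_dtor(store[h]);
    }
    for (int h = 0; h < MAX_OBJECTS; h++) { free(store[h]); store[h] = NULL; }
    return uaf;
}
```

`run_shutdown(0)` returns 1 (the unguarded statement destructor touches the torn-down connection), `run_shutdown(1)` returns 0.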

 [2015-08-15 04:55 UTC] laruence@php.net
And a quick fix could be (however it is ugly; I will try to think about a more general fix before I commit this): https://gist.github.com/laruence/8597dda5c15d5af7f898
 [2015-08-15 07:38 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-08-18 13:38 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2015-08-18 16:23 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dca6d1027a4b4c544c283d0021c0725b9a27cfeb
Log: Fixed bug #70272 (Segfault in pdo_mysql)
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dca6d1027a4b4c544c283d0021c0725b9a27cfeb
Log: Fixed bug #70272 (Segfault in pdo_mysql)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Mon May 29 04:01:35 2017 UTC