Bug #70877 Segmentation fault with SQLite and Doctrine DBAL 2.4
Submitted: 2015-11-07 21:27 UTC Modified: 2015-11-08 15:27 UTC
From: saschaprolic at googlemail dot com Assigned:
Status: Not a bug Package: PDO SQLite
PHP Version: 7.0.0RC6 OS: Ubuntu 15.10
Private report: No CVE-ID: None
 [2015-11-07 21:27 UTC] saschaprolic at googlemail dot com
Description:
------------
As for now I cannot point to the exact problem, but I can show you how to reproduce it.

Using Doctrine DBAL 2.4 (no problem with 2.5, though) and the query-builder I get a segmentation fault using pdo_sqlite backend (I didn't test other backends so far).

See also failing travis builds here: https://travis-ci.org/prooph/snapshot-doctrine-adapter/builds/89525669

This segmentation fault occurs always on travis and I verified it on my local machine using PHP 7.0.0 RC6 on Ubuntu 15.10.

Test script:
---------------
$queryBuilder
            ->delete('some_table')
            ->where('aggregate_type = :aggregate_type')
            ->andWhere('aggregate_id = :aggregate_id')
            ->andWhere('last_version < :last_version')
            ->setParameter('aggregate_type', 'testType')
            ->setParameter('aggregate_id', 'someId')
            ->setParameter('last_version', 1);
$queryBuilder->getSql();


 [2015-11-08 03:03 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-11-08 03:03 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2015-11-08 13:29 UTC] saschaprolic at googlemail dot com
A much shorter test-script is here:

<?php

require 'vendor/autoload.php';

$queryBuilder = new Doctrine\DBAL\Query\QueryBuilder(\Doctrine\DBAL\DriverManager::getConnection([
    'driver' => 'pdo_sqlite',
    'dbname' => ':memory:'
]));

$queryBuilder->delete('table')
    ->where('aggregate_type = :aggregate_type')
    ->andWhere('aggregate_id = :aggregate_id')
    ->andWhere('last_version < :last_version')
    ->setParameter('aggregate_type', 'some type string')
    ->setParameter('aggregate_id', 'some id')
    ->setParameter('last_version', 1);
echo $queryBuilder->getSQL();


gdb /opt/php/7.0.0-RC6/bin/php core
GNU gdb (Ubuntu 7.10-1ubuntu2) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /opt/php/7.0.0-RC6/bin/php...done.
[New LWP 3744]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/opt/php/7.0.0-RC6/bin/php run.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000843744 in zend_call_method (object=object@entry=0x7f0db2b342a8, obj_ce=obj_ce@entry=0x7f0db2b69d20, 
    fn_proxy=fn_proxy@entry=0x7f0db2b69e50, function_name=function_name@entry=0xde8661 "__tostring", function_name_len=function_name_len@entry=10, 
    retval_ptr=retval_ptr@entry=0x7fffb60c20a0, param_count=0, arg1=0x0, arg2=0x0) at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_interfaces.c:35
35      {
(gdb) bt
#0  0x0000000000843744 in zend_call_method (object=object@entry=0x7f0db2b342a8, obj_ce=obj_ce@entry=0x7f0db2b69d20, 
    fn_proxy=fn_proxy@entry=0x7f0db2b69e50, function_name=function_name@entry=0xde8661 "__tostring", function_name_len=function_name_len@entry=10, 
    retval_ptr=retval_ptr@entry=0x7fffb60c20a0, param_count=0, arg1=0x0, arg2=0x0) at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_interfaces.c:35
#1  0x000000000085ef13 in zend_std_cast_object_tostring (readobj=0x7f0db2b342a8, writeobj=0x7fffb60c2100, type=<optimized out>)
    at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_object_handlers.c:1527
#2  0x000000000081b7ba in _zval_get_string_func (op=op@entry=0x7f0db2b342a8) at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_operators.c:839
#3  0x000000000072bfee in _zval_get_string (op=0x7f0db2b342a8) at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_operators.h:266
#4  php_implode (delim=delim@entry=0x7f0db2199400, arr=<optimized out>, return_value=return_value@entry=0x7f0db2166430)
    at /home/sasa/Downloads/php-7.0.0RC6/ext/standard/string.c:1244
#5  0x000000000072c49d in zif_implode (execute_data=<optimized out>, return_value=0x7f0db2166430)
    at /home/sasa/Downloads/php-7.0.0RC6/ext/standard/string.c:1325
#6  0x00000000008b0214 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_vm_execute.h:714
#7  0x000000000086755b in execute_ex (ex=<optimized out>) at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_vm_execute.h:414
#8  0x00000000008147b1 in zend_call_function (fci=fci@entry=0x7fffb60c23d0, fci_cache=fci_cache@entry=0x7fffb60c23a0)
    at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_execute_API.c:854
#9  0x000000000084398b in zend_call_method (object=object@entry=0x7f0db2b342a8, obj_ce=<optimized out>, obj_ce@entry=0x7f0db2b69d20, 
    fn_proxy=fn_proxy@entry=0x7f0db2b69e50, function_name=function_name@entry=0xde8661 "__tostring", function_name_len=function_name_len@entry=10, 
    retval_ptr=retval_ptr@entry=0x7fffb60c24b0, param_count=0, arg1=0x0, arg2=0x0) at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_interfaces.c:104
#10 0x000000000085ef13 in zend_std_cast_object_tostring (readobj=0x7f0db2b342a8, writeobj=0x7fffb60c2510, type=<optimized out>)
    at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_object_handlers.c:1527
#11 0x000000000081b7ba in _zval_get_string_func (op=op@entry=0x7f0db2b342a8) at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_operators.c:839
#12 0x000000000072bfee in _zval_get_string (op=0x7f0db2b342a8) at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_operators.h:266
#13 php_implode (delim=delim@entry=0x7f0db21993e0, arr=<optimized out>, return_value=return_value@entry=0x7f0db2166280)
    at /home/sasa/Downloads/php-7.0.0RC6/ext/standard/string.c:1244
#14 0x000000000072c49d in zif_implode (execute_data=<optimized out>, return_value=0x7f0db2166280)
    at /home/sasa/Downloads/php-7.0.0RC6/ext/standard/string.c:1325
#15 0x00000000008b0214 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_vm_execute.h:714
#16 0x000000000086755b in execute_ex (ex=<optimized out>) at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_vm_execute.h:414
#17 0x00000000008147b1 in zend_call_function (fci=fci@entry=0x7fffb60c27e0, fci_cache=fci_cache@entry=0x7fffb60c27b0)
    at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_execute_API.c:854
#18 0x000000000084398b in zend_call_method (object=object@entry=0x7f0db2b342a8, obj_ce=<optimized out>, obj_ce@entry=0x7f0db2b69d20, 
    fn_proxy=fn_proxy@entry=0x7f0db2b69e50, function_name=function_name@entry=0xde8661 "__tostring", function_name_len=function_name_len@entry=10, 
    retval_ptr=retval_ptr@entry=0x7fffb60c28c0, param_count=0, arg1=0x0, arg2=0x0) at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_interfaces.c:104
#19 0x000000000085ef13 in zend_std_cast_object_tostring (readobj=0x7f0db2b342a8, writeobj=0x7fffb60c2920, type=<optimized out>)
    at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_object_handlers.c:1527
#20 0x000000000081b7ba in _zval_get_string_func (op=op@entry=0x7f0db2b342a8) at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_operators.c:839
#21 0x000000000072bfee in _zval_get_string (op=0x7f0db2b342a8) at /home/sasa/Downloads/php-7.0.0RC6/Zend/zend_operators.h:266
#22 php_implode (delim=delim@entry=0x7f0db21993c0, arr=<optimized out>, return_value=return_value@entry=0x7f0db21660d0)
    at /home/sasa/Downloads/php-7.0.0RC6/ext/standard/string.c:1244
#23 0x000000000072c49d in zif_implode (execute_data=<optimized out>, return_value=0x7f0db21660d0)
 [2015-11-08 13:29 UTC] saschaprolic at googlemail dot com
-Status: Feedback +Status: Open
 [2015-11-08 13:29 UTC] saschaprolic at googlemail dot com
I submitted a shorter test script and backtrace.
 [2015-11-08 15:17 UTC] laruence@php.net
-Status: Open +Status: Not a bug
 [2015-11-08 15:17 UTC] laruence@php.net
This is not a bug. That is because in Doctrine/DBAL/Query/QueryBuilder.php Line:749, in method "public function andWhere($where)"

it calls func_get_args after changing the $where parameter. It's a new change that in PHP7 func_get_args will always return the current value of the parameters, not the initial value.

so, I think this method should fix it by moving the func_get_args above the assignment to $where

thanks
 [2015-11-08 15:27 UTC] laruence@php.net
oh, btw, the segfault is because of recursive calls to __toString, then stack overflow
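
The mechanism described in the two comments above, as an added example that is not part of the original thread and is not Doctrine's code: `Expr` and `Builder` are hypothetical stand-ins that model a query builder whose `andWhere` reassigns its parameter before calling `func_get_args()`. The script checks for the resulting self-reference instead of casting the broken expression to string, which is the step that recurses in the backtrace.

```php
<?php
// Added illustration: Expr and Builder are hypothetical stand-ins, not Doctrine's classes.
final class Expr
{
    public $parts;
    public function __construct(array $parts) { $this->parts = $parts; }
    public function addMultiple(array $parts) { $this->parts = array_merge($this->parts, $parts); }
    // True when the expression lists itself as one of its own parts.
    public function containsSelf(): bool { return in_array($this, $this->parts, true); }
    // implode() casts each part to string, so a part that is $this re-enters __toString().
    public function __toString(): string { return '(' . implode(') AND (', $this->parts) . ')'; }
}

final class Builder
{
    public $where;
    public function where($w) { $this->where = $w; return $this; }
    // Ordering described in the thread: $where is reassigned before func_get_args().
    public function andWhereBroken($where)
    {
        $where = $this->where;
        $args  = func_get_args(); // PHP 7+: current value of $where, not the caller's argument
        return $this->merge($where, $args);
    }
    // Suggested ordering: capture the caller's arguments first.
    public function andWhereFixed($where)
    {
        $args  = func_get_args();
        $where = $this->where;
        return $this->merge($where, $args);
    }

    private function merge($where, array $args)
    {
        if ($where instanceof Expr) {
            $where->addMultiple($args);
        } else {
            array_unshift($args, $where);
            $where = new Expr($args);
        }
        $this->where = $where;
        return $this;
    }
}

$broken = (new Builder)->where('a = :a')->andWhereBroken('b = :b')->andWhereBroken('c < :c');
$fixed  = (new Builder)->where('a = :a')->andWhereFixed('b = :b')->andWhereFixed('c < :c');
var_dump($broken->where->containsSelf(), $fixed->where->containsSelf());
echo $fixed->where, "\n";
```

On PHP 7 and later the broken ordering adds the expression to its own parts on the second `andWhere` call, while the fixed ordering builds the three-clause condition the caller asked for.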
 [2015-11-08 22:35 UTC] saschaprolic at googlemail dot com
Even if the implementation is faulty, PHP should trigger an error or exception but not just seg fault.
 
Last updated: Sun Sep 26 07:03:37 2021 UTC