Bug #77734 Seg Fault caused by php_mysqlnd_free_field_metadata
Submitted: 2019-03-13 09:27 UTC Modified: 2019-05-07 09:16 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: scott at exussum dot co dot uk Assigned:
Status: Duplicate Package: PDO MySQL
PHP Version: 7.3.3 OS: Ubuntu 18.04
Private report: No CVE-ID: None
 [2019-03-13 09:27 UTC] scott at exussum dot co dot uk
Description:
------------
Stack trace below. This appears to happen randomly. It's generated by a long running script running lots of SQL. It happens at a different point each time so it is hard to debug the actual cause.

Backtrace generated below. I can get more info from gdb if needed.

The same script runs fine with php7.2 with no issues.
Actual result:
--------------
Program terminated with signal SIGSEGV, Segmentation fault.

#0  php_mysqlnd_free_field_metadata (meta=0x7f9d7f401018) at /build/php7.3-u8qUgX/php7.3-7.3.3/ext/mysqlnd/mysqlnd_result_meta.c:38
#1  mysqlnd_mysqlnd_res_meta_free_pub (meta=0x7f9d7f7fb8e0) at /build/php7.3-u8qUgX/php7.3-7.3.3/ext/mysqlnd/mysqlnd_result_meta.c:106
#2  0x00007f9d8495b5ea in mysqlnd_mysqlnd_res_free_result_contents_internal_pub (result=0x7f9d7f7fb048) at /build/php7.3-u8qUgX/php7.3-7.3.3/ext/mysqlnd/mysqlnd_result.c:300
#3  0x00007f9d8495bfe0 in mysqlnd_mysqlnd_res_free_result_internal_pub (result=0x7f9d7f7fb048) at /build/php7.3-u8qUgX/php7.3-7.3.3/ext/mysqlnd/mysqlnd_result.c:316
#4  0x00007f9d8495bcf8 in mysqlnd_mysqlnd_res_free_result_pub (result=0x7f9d7f7fb048, implicit=<optimized out>)
    at /build/php7.3-u8qUgX/php7.3-7.3.3/ext/mysqlnd/mysqlnd_result.c:1498
#5  0x00007f9d82d86811 in pdo_mysql_stmt_dtor (stmt=0x7f9d7f6c7300) at /build/php7.3-u8qUgX/php7.3-7.3.3/ext/pdo_mysql/mysql_statement.c:53
#6  0x00007f9d84732f52 in php_pdo_free_statement (stmt=0x7f9d7f6c7300) at /build/php7.3-u8qUgX/php7.3-7.3.3/ext/pdo/pdo_stmt.c:2333


 [2019-04-15 08:13 UTC] panychek at gmail dot com
We got the same thing. We have a long running CLI script too (Debian 9), and it works fine with PHP 7.2.
The only difference is that we are using the MySQLi extension, not PDO.

Our trace:
Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x000055ae4184fd16 in php_mysqlnd_free_field_metadata (meta=0x7fd4ba201018) at /usr/src/php-src/ext/mysqlnd/mysqlnd_result_meta.c:36
#1  0x000055ae41850801 in mysqlnd_mysqlnd_res_meta_free_pub (meta=0x7fd4ba585e60) at /usr/src/php-src/ext/mysqlnd/mysqlnd_result_meta.c:106
#2  0x000055ae418458ce in mysqlnd_mysqlnd_res_free_result_contents_internal_pub (result=0x7fd4ba585048) at /usr/src/php-src/ext/mysqlnd/mysqlnd_result.c:300
#3  0x000055ae41845a6d in mysqlnd_mysqlnd_res_free_result_internal_pub (result=0x7fd4ba585048) at /usr/src/php-src/ext/mysqlnd/mysqlnd_result.c:316
#4  0x000055ae4184d136 in mysqlnd_mysqlnd_res_free_result_pub (result=0x7fd4ba585048, implicit=0 '\000') at /usr/src/php-src/ext/mysqlnd/mysqlnd_result.c:1507
#5  0x000055ae4164d122 in mysqli_result_free_storage (object=0x7fd4ba47e310) at /usr/src/php-src/ext/mysqli/mysqli.c:262
#6  0x000055ae41955f6e in zend_objects_store_del (object=0x7fd4ba47e310) at /usr/src/php-src/Zend/zend_objects_API.c:194
 [2019-04-15 08:41 UTC] nikic@php.net
Would it be possible for you to run the CLI script under "USE_ZEND_ALLOC=0 valgrind php script.php" and provide the resulting log?
 [2019-04-15 10:06 UTC] scott at exussum dot co dot uk
I don't have all debug symbols, working on getting more.

This is the trace though - hope it helps in some way?

==32515== Conditional jump or move depends on uninitialised value(s)
==32515==    at 0x421F165: ???
==32515==    by 0x2324D8F7: ???
==32515==    by 0x2324D8F7: ???
==32515==    by 0x2324D91D: ???
==32515==    by 0x9A3F4FF: ???
==32515==    by 0x2324D8F7: ???
==32515== 
==32515== Conditional jump or move depends on uninitialised value(s)
==32515==    at 0x421F144: ???
==32515==    by 0x228FE0E7: ???
==32515==    by 0x228FE0E7: ???
==32515==    by 0x228FE0EB: ???
==32515==    by 0x9A3F4FF: ???
==32515==    by 0x228FE0E7: ???
==32515== 
==32515== Conditional jump or move depends on uninitialised value(s)
==32515==    at 0x3C7C92: zend_string_equal_val (zend_string.c:403)
==32515==    by 0x40DCFC: zend_string_equal_content (zend_string.h:310)
==32515==    by 0x40DCFC: zend_fast_equal_strings (zend_operators.h:734)
==32515==    by 0x40DCFC: ZEND_IS_EQUAL_SPEC_CV_CV_HANDLER (zend_vm_execute.h:48290)
==32515==    by 0x42730C: execute_ex (zend_vm_execute.h:60509)
==32515==    by 0x38FBA5: zend_call_function (zend_execute_API.c:756)
==32515==    by 0x2CA422: zif_array_filter (array.c:6059)
==32515==    by 0x42B7B4: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:892)
==32515==    by 0x42B7B4: execute_ex (zend_vm_execute.h:55481)
==32515==    by 0x38FBA5: zend_call_function (zend_execute_API.c:756)
==32515==    by 0x2CDF54: zif_call_user_func_array (basic_functions.c:4942)
==32515==    by 0x42B7B4: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:892)
==32515==    by 0x42B7B4: execute_ex (zend_vm_execute.h:55481)
==32515==    by 0x42DC69: zend_execute (zend_vm_execute.h:60881)
==32515==    by 0x39E3F2: zend_execute_scripts (zend.c:1568)
==32515==    by 0x33CD0F: php_execute_script (main.c:2630)
==32515== 
==32515== Conditional jump or move depends on uninitialised value(s)
==32515==    at 0x210DA389: ???
==32515==    by 0x21014C47: ???
==32515==    by 0x21014C47: ???
==32515==    by 0x21015AB0: ???
==32515==    by 0x9A3F4FF: ???
==32515==    by 0x21014C47: ???
==32515== 
==32515== Conditional jump or move depends on uninitialised value(s)
==32515==    at 0x210DA389: ???
==32515==    by 0x23661DD7: ???
==32515==    by 0x23661DD7: ???
==32515==    by 0x23662C3B: ???
==32515==    by 0x9A3F4FF: ???
==32515==    by 0x23661DD7: ???
==32515== 

vex: the `impossible' happened:
   isZeroU
vex storage: T total 3415284120 bytes allocated
vex storage: P total 640 bytes allocated

valgrind: the 'impossible' happened:
   LibVEX called failure_exit().

host stacktrace:
==32515==    at 0x38083F48: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x38084064: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x380842A1: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x380842CA: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x3809F682: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x38145428: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x3815256D: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x38156692: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x381572C6: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x38159188: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x3815A1D6: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x3814320C: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x380A1C0B: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x380D296B: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x380D45CF: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==32515==    by 0x380E3946: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 32515)
==32515==    at 0xBAAE4C0: ??? (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==32515==    by 0xBA8D13F: EC_POINT_mul (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==32515==    by 0x8E8304CBD4DD2CFF: ???
==32515==    by 0x2148606F: ???
==32515==    by 0xBA95B39: EC_KEY_generate_key (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==32515==    by 0xB76DD24: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==32515==    by 0xB771967: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==32515==    by 0xB77B145: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==32515==    by 0x1B322514: ??? (in /usr/lib/x86_64-linux-gnu/libpq.so.5.8)
==32515==    by 0x1B30DEA7: PQconnectPoll (in /usr/lib/x86_64-linux-gnu/libpq.so.5.8)
==32515==    by 0x1B30EAAD: ??? (in /usr/lib/x86_64-linux-gnu/libpq.so.5.8)
==32515==    by 0x1B30F426: PQconnectdb (in /usr/lib/x86_64-linux-gnu/libpq.so.5.8)
==32515==    by 0x1B0F9302: pdo_pgsql_handle_factory (pgsql_driver.c:1225)
==32515==    by 0xA0330DD: zim_PDO_dbh_constructor (pdo_dbh.c:356)
==32515==    by 0x42D597: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==32515==    by 0x42D597: execute_ex (zend_vm_execute.h:55485)
==32515==    by 0x38FBA5: zend_call_function (zend_execute_API.c:756)
==32515==    by 0x2CDD71: zif_call_user_func (basic_functions.c:4916)
==32515==    by 0x42B7B4: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:892)
==32515==    by 0x42B7B4: execute_ex (zend_vm_execute.h:55481)
==32515==    by 0x38FBA5: zend_call_function (zend_execute_API.c:756)
==32515==    by 0x3D097F: zend_std_call_issetter (zend_object_handlers.c:316)
==32515==    by 0x3D3F98: zend_std_has_property (zend_object_handlers.c:1659)
==32515==    by 0x3E337C: ZEND_ISSET_ISEMPTY_PROP_OBJ_SPEC_UNUSED_CONST_HANDLER (zend_vm_execute.h:32444)
==32515==    by 0x428388: execute_ex (zend_vm_execute.h:58895)
==32515==    by 0x38FBA5: zend_call_function (zend_execute_API.c:756)
==32515==    by 0x2CDF54: zif_call_user_func_array (basic_functions.c:4942)
==32515==    by 0x42B7B4: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:892)
==32515==    by 0x42B7B4: execute_ex (zend_vm_execute.h:55481)
==32515==    by 0x42DC69: zend_execute (zend_vm_execute.h:60881)
==32515==    by 0x39E3F2: zend_execute_scripts (zend.c:1568)
==32515==    by 0x33CD0F: php_execute_script (main.c:2630)
==32515==    by 0x430108: do_cli (php_cli.c:997)
==32515==    by 0x1F68DB: main (php_cli.c:1389)
 [2019-04-15 10:15 UTC] nikic@php.net
Unfortunately these all look like false positives (the ??? are likely from PCRE JIT and zend_string_equal_val is expected) and valgrind itself crashed before it got to anything interesting :(
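As an added illustration (not part of this bug report or of PHP's own tooling), a small parser that applies the triage described in the comment above to a memcheck log: reports whose frames are all `???` (unsymbolised, typically JIT-generated code) and reports topped by zend_string_equal_val are set aside, and anything symbolised is left for investigation. The log it runs on is constructed to resemble the one posted above; its third report is hypothetical and only shows what an actionable finding would look like.

```python
import re
# Constructed sample modelled on the log posted in this thread; the third report
# is hypothetical and shows what an actionable (symbolised, non-benign) finding looks like.
SAMPLE_LOG = """\
==32515== Conditional jump or move depends on uninitialised value(s)
==32515==    at 0x421F165: ???
==32515==    by 0x2324D8F7: ???
==32515== 
==32515== Conditional jump or move depends on uninitialised value(s)
==32515==    at 0x3C7C92: zend_string_equal_val (zend_string.c:403)
==32515==    by 0x40DCFC: zend_string_equal_content (zend_string.h:310)
==32515== 
==32515== Invalid read of size 8
==32515==    at 0x4A1B2C: php_mysqlnd_free_field_metadata (mysqlnd_result_meta.c:38)
==32515==    by 0x4A1D00: mysqlnd_mysqlnd_res_meta_free_pub (mysqlnd_result_meta.c:106)
==32515== 
"""

PREFIX = re.compile(r"^==\d+==\s?(.*)$")                    # "==PID== " line prefix
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+)$")  # one stack frame

# Called out as an expected report by the maintainer in this thread.
KNOWN_BENIGN = {"zend_string_equal_val"}

def parse_memcheck(log):
    """Return [(kind, [frames...]), ...], innermost frame first; non-valgrind lines are skipped."""
    reports, frames = [], None
    for raw in log.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        body = m.group(1)
        f = FRAME.match(body)
        if not body.strip():
            frames = None                   # blank ==PID== line closes the report
        elif f:
            if frames is not None:          # frames outside a report (host stacktrace) are dropped
                frames.append(f.group(1).strip())
        elif not body.startswith(" "):
            frames = []
            reports.append((body.strip(), frames))
    return reports

def triage(frames):
    if not frames or all(fr.startswith("???") for fr in frames):
        return "unresolved"       # no symbols: typically JIT-generated code (e.g. PCRE JIT)
    if frames[0].split(" ", 1)[0] in KNOWN_BENIGN:
        return "known-benign"
    return "actionable"
```

Only reports classified as "actionable" are worth attaching to a bug; with symbols installed, their top frame names the function to look at.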
 [2019-04-15 10:48 UTC] scott at exussum dot co dot uk
Anything else I can do for debugging? I can make it happen fairly often.
 [2019-05-07 08:02 UTC] sjon at hortensius dot net
I think this bug is duplicated by #77955 which has a better stacktrace with debug-symbols
 [2019-05-07 09:16 UTC] sjon@php.net
-Status: Open +Status: Duplicate
 [2019-05-07 09:16 UTC] sjon@php.net
duplicate of bug #77955 (which has a better backtrace)
Last updated: Thu May 23 23:01:26 2019 UTC