#49937 [NEW]: Race condition in PDOStatement
From: basa...@php.net
Operating system: Linux
PHP version: 5.2.11
PHP Bug Type: PDO related
Bug description: Race condition in PDOStatement

Description:
There is a race condition in PDO's stmt PDOStatement class. This class is dynamically created and it adds a member named queryString (inside pdo_stmt_init). zend_declare_property_null allocates the property using malloc. Later pdo_dbstmt_ce is copied to other hashes in pdo_dbstmt_new. zend_hash_copy increments the refcount of the pdo_dbstmt_ce->queryString property. In multithreaded PHP the refcount increment was not atomic. It was causing the refcount to become 0, and hence efree was trying to delete something which was allocated from malloc.

There is a PHP benchmark kit named olio, which can be downloaded from:
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/viewproductdetail-start?productref=olio-php-1.0-a-...@cds-cds_smi
The bug is easily reproducible with the olio PHP benchmark inside Sun Web Server.

Expected result: Correct functionality

Actual result:
-- Stack trace : --
Program terminated with signal 11, Segmentation fault.
#0  0x2ba1630451e0 in _zend_mm_free_int () from /home/sun/webserver7/bin/libphp5.so
#1  0x2ba163084aa0 in zend_std_write_property () from /home/sun/webserver7/bin/libphp5.so
#2  0x2ba162ebfc4a in pdo_stmt_construct () from /home/sun/webserver7/bin/libphp5.so
#3  0x2ba162ec0073 in zim_PDO_query () from /home/sun/webserver7/bin/libphp5.so
#4  0x2ba1630999f9 in zend_do_fcall_common_helper_SPEC () from /home/sun/webserver7/bin/libphp5.so
#5  0x2ba16308705f in execute () from /home/sun/webserver7/bin/libphp5.so
#6  0x2ba1630993d8 in zend_do_fcall_common_helper_SPEC () from /home/sun/webserver7/bin/libphp5.so
#7  0x2ba16308705f in execute () from /home/sun/webserver7/bin/libphp5.so
#8  0x2ba1630630fa in zend_execute_scripts () from /home/sun/webserver7/bin/libphp5.so
#9  0x2ba1630188bb in php_execute_script () from /home/sun/webserver7/bin/libphp5.so
#10 0x2ba1630ee465 in php5_execute ()

-- Edit bug report at http://bugs.php.net/?id=49937&edit=1
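The non-atomic refcount increment described in this report, modelled as an added example (not code from the report or from PHP itself): several threads take a reference to one shared property default with a plain `refcount++`, which is what the report says `zend_hash_copy` did without atomicity, and the lost increments leave the count short, so a later release can drive it to zero while references still exist. The struct and thread routines are this example's own; it assumes POSIX threads and C11 atomics.

```c
/* Added example (not from the PHP bug report): models the non-atomic refcount
 * increment on a shared class-entry property. THREADS threads each take ITERS
 * references. A plain ++ compiles to load/add/store, so concurrent increments
 * can be lost; atomic_fetch_add never loses one. Assumes POSIX threads. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

#define THREADS 8
#define ITERS   200000

/* Stand-in for the shared queryString default zval referenced by each copy. */
struct shared_prop {
    volatile long refcount;         /* plain field: refcount++ is racy   */
    atomic_long   atomic_refcount;  /* same counter, atomic read-modify-write */
};

static struct shared_prop prop;

static void *copy_nonatomic(void *arg) {
    (void)arg;
    for (int i = 0; i < ITERS; i++) prop.refcount++;   /* not atomic */
    return NULL;
}

static void *copy_atomic(void *arg) {
    (void)arg;
    for (int i = 0; i < ITERS; i++) atomic_fetch_add(&prop.atomic_refcount, 1);
    return NULL;
}

/* Starts THREADS threads running fn and returns the resulting refcount.
 * Correct value is 1 (original owner) + THREADS * ITERS copies. */
static long take_references(void *(*fn)(void *), int use_atomic) {
    pthread_t tid[THREADS];
    prop.refcount = 1;
    atomic_store(&prop.atomic_refcount, 1);
    for (int i = 0; i < THREADS; i++) pthread_create(&tid[i], NULL, fn, NULL);
    for (int i = 0; i < THREADS; i++) pthread_join(tid[i], NULL);
    return use_atomic ? atomic_load(&prop.atomic_refcount) : prop.refcount;
}

long expected_count(void)  { return 1 + (long)THREADS * ITERS; }
long nonatomic_count(void) { return take_references(copy_nonatomic, 0); }
long atomic_count(void)    { return take_references(copy_atomic, 1); }

int main(void) {
    printf("expected %ld, non-atomic %ld, atomic %ld\n",
           expected_count(), nonatomic_count(), atomic_count());
    return 0;
}
```

Any shortfall in the non-atomic column is a lost reference: once the matching releases run, the count reaches zero early and the default is freed while the class entries still point at it.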
Bug #49937 [PATCH]: [PATCH] Race condition in PDOStatement
Edit report at http://bugs.php.net/bug.php?id=49937&edit=1
ID: 49937
Patch added by: basa...@php.net
Reported by: basa...@php.net
Summary: [PATCH] Race condition in PDOStatement
Status: Assigned
Type: Bug
Package: PDO related
Operating System: Linux
PHP Version: 5.2.11
Assigned To: basantk
Block user comment: N

New Comment:
The following patch has been added/updated:
Patch Name: pdo_race_condition_fix
Revision: 1282695197
URL: http://bugs.php.net/patch-display.php?bug=49937&patch=pdo_race_condition_fix&revision=1282695197

Previous Comments:

[2010-08-24 20:31:38] paj...@php.net
Please >attach< the patch to this report, upload it if you prefer. There is an upload field for this exact purpose. Comments are for comments, not for patches (which may lose their text format).

[2010-08-24 20:17:04] basa...@php.net
pajoye, the patch is already there in the bug log. Look at the patch submitted at 2009-10-23 16:15 UTC. An http link to the same patch has been provided in the comment posted at 2009-11-17 01:51 UTC. I posted the http link of the patch because it makes it easier to commit. (Unfortunately the bug database doesn't have an easy way to refer to comment #s.)

[2010-08-24 19:38:20] kkaminski at itens dot pl
basantk: I used the patch you published in pdo_bug_52trunk.txt (this is the complete patch, right?). The patch fixed my original problem but introduced a new one - in pdo's constructor. As far as I understood the code it is something with memory (de)allocation for the queryString property. I don't have access to crash dumps at the moment, but I will provide a full stack trace tomorrow.

[2010-08-24 19:24:42] paj...@php.net
Can you attach the patch to the report please? Much easier to follow/review :)

[2010-08-24 18:45:42] basa...@php.net
pajoye, my first patch was a rough patch which used zval_add_ref_atomic. The second patch, posted on 2009-11-17, is my final patch. This patch doesn't need any enhancement to the php core and it worked for me and several others without crashes.
I had tested with the iPlanet web server on Solaris and Linux and I believe it will work with other multithreaded web servers. Please review the patch posted on 2009-11-17. kkaminski, which patch did you test? You should test the revised patch submitted on 2009-11-17. Please post the stack trace of the crash if you tested the right patch. Unfortunately php's bug tracker is very primitive in terms of features. Apache's bug tracker is a lot better :-)

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=49937
Bug #49937 [PATCH]: [PATCH] Race condition in PDOStatement
Edit report at http://bugs.php.net/bug.php?id=49937&edit=1
ID: 49937
Patch added by: basa...@php.net
Reported by: basa...@php.net
Summary: [PATCH] Race condition in PDOStatement
Status: Feedback
Type: Bug
Package: PDO related
Operating System: Linux
PHP Version: 5.2.11
Assigned To: basantk
Block user comment: N

New Comment:
The following patch has been added/updated:
Patch Name: pdo_race_condition_fix_53.patch
Revision: 1285197073
URL: http://bugs.php.net/patch-display.php?bug=49937&patch=pdo_race_condition_fix_53.patch&revision=1285197073

Previous Comments:

[2010-09-23 01:06:58] basa...@php.net
kkaminski, I am not sure if you have applied the patch and compiled correctly. I have not seen the crash after the fix. I had run the benchmark test under stress for hours after this patch without any issue. It has also been confirmed by one of the olio users.

[2010-09-21 15:12:55] paj...@php.net
What's the status on this patch? Does it fix the issue shown in kkaminski at itens dot pl's last backtrace? Does it apply to 5.3 as well? If yes, please provide it against 5.3+.
[2010-08-25 08:27:31] kkaminski at itens dot pl
basantk: As promised, the call stack (Visual Studio 2010) for my new problem is below:

php5ts.dll!_zend_mm_free_int(_zend_mm_heap * heap, void * p) Line 1979 + 0x84 bytes C
php5ts.dll!_efree(void * ptr) Line 2311 + 0xb bytes C
php5ts.dll!_zval_ptr_dtor(_zval_struct * * zval_ptr) Line 415 + 0x25 bytes C
php5ts.dll!zend_std_write_property(_zval_struct * object, _zval_struct * member, _zval_struct * value, void * * * tsrm_ls) Line 417 + 0xc bytes C
php_pdo.dll!pdo_stmt_construct(_pdo_stmt_t * stmt, _zval_struct * object, _zend_class_entry * dbstmt_ce, _zval_struct * ctor_args, void * * * tsrm_ls) Line 447 C
php_pdo.dll!zim_PDO_prepare(int ht, _zval_struct * return_value, _zval_struct * * return_value_ptr, _zval_struct * this_ptr, int return_value_used, void * * * tsrm_ls) Line 581 + 0x16 bytes C
php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 200 + 0x3d bytes C
php5ts.dll!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 322 + 0x11 bytes C
php5ts.dll!execute(_zend_op_array * op_array, void * * * tsrm_ls) Line 92 + 0xc bytes C
php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 235 C
php5ts.dll!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 322 + 0x11 bytes C
php5ts.dll!execute(_zend_op_array * op_array, void * * * tsrm_ls) Line 92 + 0xc bytes C
php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 235 C
php5ts.dll!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 322 + 0x11 bytes C
php5ts.dll!execute(_zend_op_array * op_array, void * * * tsrm_ls) Line 92 + 0xc bytes C
php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 235 C
php5ts.dll!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 322 + 0x11 bytes C
php5ts.dll!execute(_zend_op_array * op_array, void * * * tsrm_ls) Line 92 + 0xc bytes C
php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 235 C
php5ts.dll!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 322 + 0x11 bytes C
php5ts.dll!execute(_zend_op_array * op_array, void * * * tsrm_ls) Line 92 + 0xc bytes C
php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 235 C
php5ts.dll!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 322 + 0x11 bytes C
php5ts.dll!execute(_zend_op_array * op_array, void * * * tsrm_ls) Line 92 + 0xc bytes C
php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 235 C
php5ts.dll!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 322 + 0x11 bytes C
php5ts.dll!execute(_zend_op_array * op_array, void * * * tsrm_ls) Line 92 + 0xc bytes C
php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 235 C
php5ts.dll!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 322 + 0x11 bytes C
php5ts.dll!execute(_zend_op_array * op_array, void * * * tsrm_ls) Line 92 + 0xc bytes C
php5ts.dll!ZEND_INCLUDE_OR_E