
pdo lazy object crash #18114

Closed
YuanchengJiang opened this issue Mar 19, 2025 · 5 comments · Fixed by #18116

Comments

@YuanchengJiang

Description

The following code:

<?php
$cls = new finfo();
$db = new PDO('sqlite::memory:');
var_dump($y, @$y->queryString);
$x = $db->query('select 1 as queryString');
var_dump($x, $x->queryString);
$y = $x->fetch(PDO::FETCH_LAZY);
$fusion = $y;
foreach($fusion as $file_content_type){
    echo "\n-- File having data of type ". $file_content_type ." --\n";
    foreach($file_modes as $file_mode) {
        create_files ( __DIR__, 1, $file_content_type, 0755, 512, "w", "fseek_ftell_rewind_variation"
            ,1,"bytes",".tmp");
    }
}

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_types.h:1382:9: runtime error: member access within misaligned address 0x742e316e6f697461 for type 'zend_refcounted' (aka 'struct _zend_refcounted'), which requires 4 byte alignment
0x742e316e6f697461: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_types.h:1382:9 in 

To reproduce:

./php-src/sapi/cli/php  ./test.php

Commit:

cd586623b65c86b423883eda20411634e49084ba

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

cd58662

Operating System

No response

@nielsdos
Member

Reduced:

<?php
$db = new PDO('sqlite::memory:');
$x = $db->query('select 1 as queryString');
foreach ($x->fetch(PDO::FETCH_LAZY) as $entry) {
}

@nielsdos
Member

Fun fun, so it leaks on 8.3-8.4 and it crashes on master

@nielsdos
Member

Caused by 0537968, somehow...

@nielsdos
Member

The problem is that the queryString property is now no longer initialized...

@nielsdos nielsdos self-assigned this Mar 19, 2025
@nielsdos nielsdos changed the title from "SEGV Zend/zend_types.h" to "pdo lazy object crash" Mar 19, 2025
nielsdos added a commit to nielsdos/php-src that referenced this issue Mar 19, 2025
Since 0537968, the properties are no longer initialized.
So we call object_properties_init to handle that correctly.
Lower branches have a memory leak, but that requires a separate fix.
@nielsdos nielsdos linked a pull request Mar 19, 2025 that will close this issue
@nielsdos
Member

Reopening as a reminder to also solve the leak problem on lower branches

@nielsdos nielsdos reopened this Mar 19, 2025
nielsdos added a commit to nielsdos/php-src that referenced this issue Mar 20, 2025
This should call zend_object_std_dtor() to clean the property table etc.
This also has a semantic influence because previously weak refs were not
notified for example.

This fixes the final issue in phpGH-18114 (the crash was master-only and
fixed already).
Closes phpGH-18114.
@nielsdos nielsdos linked a pull request Mar 20, 2025 that will close this issue
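A small regression script for the behaviour discussed in this thread, added here as an illustration; it is not part of php-src or of its test suite. It exercises the three things the fix touches on a PDO::FETCH_LAZY row: the queryString property read, iteration over the row (the path of the reduced reproducer), and weak-reference notification when the row is released, which the lower-branch fix restores by routing destruction through zend_object_std_dtor(). The function name checkLazyRow is my own, and the script assumes a PHP build with pdo_sqlite available; the expected outcomes come from the reduced reproducer and the commit messages above, not from running this exact script.

```php
<?php
// Added regression check for the PDO::FETCH_LAZY row issue in GH-18114.
// Not php-src code; expectations are taken from the thread, and the helper
// name checkLazyRow is an assumption made for this example.
declare(strict_types=1);

function checkLazyRow(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Column deliberately named queryString, as in the reported script, so the
    // row's own queryString property (not only a column) is what gets touched.
    $stmt = $db->query('select 1 as queryString');
    $row  = $stmt->fetch(PDO::FETCH_LAZY);

    $result = [];
    $result['class'] = get_class($row);   // expected: PDORow

    // Property read on the lazy row. On master before the fix the PDORow's
    // property table was never initialised (commit 0537968), so this path and
    // the iteration below ran into uninitialised memory.
    $result['stmtQueryString'] = $stmt->queryString;
    $result['rowQueryString']  = $row->queryString;

    // Iteration over the row: exactly what the reduced reproducer does.
    // Crashed on master, leaked on 8.3/8.4 before the respective fixes.
    $result['columns'] = [];
    foreach ($row as $name => $value) {
        $result['columns'][$name] = $value;
    }

    // Weak reference. The follow-up fix for lower branches makes the row's
    // free handler call zend_object_std_dtor(), which is what notifies weak
    // references. On a fixed build get() must return null once the last
    // strong reference to the row is gone.
    $weak = WeakReference::create($row);
    unset($row);
    $result['weakrefCleared'] = ($weak->get() === null);

    return $result;
}

var_dump(checkLazyRow());
```

Run it under a sanitizer-enabled debug build (the configure line from the report is a good template) on a branch before and after #18116: the crash shows up in the foreach, and the weak-reference check distinguishes a lower branch that still leaks the row from one carrying the second commit.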
3 participants