Skip to content

ext/sqlite3: fix wrong pointer types passed to the free list comparator.#21483

Open
devnexen wants to merge 2 commits intophp:PHP-8.5from
devnexen:sqlite3_layer_fix
Open

ext/sqlite3: fix wrong pointer types passed to the free list comparator.#21483
devnexen wants to merge 2 commits intophp:PHP-8.5from
devnexen:sqlite3_layer_fix

Conversation

@devnexen
Copy link
Member

@devnexen devnexen commented Mar 21, 2026

SQLite3Stmt::close() and SQLite3Result::finalize() passed php_sqlite3_stmt pointer types instead of sqlite3_stmt pointers to zend_llist_del_element, causing the comparator to never match and both methods to silently become no-ops.

Regression introduced in 5eae6d1 ("Don't store the object zval directly").

@devnexen
ext/sqlite3: fix wrong pointer types passed to the free list comparator.
18d287e 
SQLite3Stmt::close() and SQLite3Result::finalize() passed
php_sqlite3_stmt pointer types instead of sqlite3_stmt pointers
to zend_llist_del_element, causing the comparator to never match
and both methods to silently become no-ops.

Regression introduced in 5eae6d1 ("Don't store the object
zval directly").
@devnexen devnexen marked this pull request as ready for review March 21, 2026 08:31
@devnexen devnexen requested a review from ndossche March 21, 2026 08:32
ndossche
ndossche reviewed Mar 21, 2026
View reviewed changes
Copy link
Member

@ndossche ndossche left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure?

https://github.com/devnexen/php-src/blob/18d287e5b50301dd36171e4f3fb0760b23a95021/ext/sqlite3/sqlite3.c#L2265
shows that ->stmt is dereferenced there, and the initialization shows:
https://github.com/devnexen/php-src/blob/18d287e5b50301dd36171e4f3fb0760b23a95021/ext/sqlite3/sqlite3.c#L2417
i.e. elements of type php_sqlite3_stmt * should be added.

@devnexen
Copy link
Member Author

devnexen commented Mar 21, 2026

The pb resides in the second argument not the first

static int php_sqlite3_compare_stmt_free(php_sqlite3_stmt **stmt_obj_ptr, sqlite3_stmt *statement )

@devnexen
Copy link
Member Author

devnexen commented Mar 21, 2026

by the way here an unchanged line which does not need fix.

ndossche
ndossche requested changes Mar 21, 2026
View reviewed changes
Copy link
Member

@ndossche ndossche left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay but then the patch here is incomplete as well.
The signature of php_sqlite3_compare_stmt_free is wrong then, as well as its contents. Probably other calls to the linked list code should also be adapted.
In fact, looking at devnexen@bc74cff this code might've always been wrong?

@devnexen
ext/sqlite3: compare php_sqlite3_stmt pointers consistently.
c66dde1 
The comparator and all call sites now use php_sqlite3_stmt
pointers, matching the type stored in the free list.
ndossche
ndossche approved these changes Mar 21, 2026
View reviewed changes
Copy link
Member

@ndossche ndossche left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this is right, but would like a second opinion too.

@ndossche
Copy link
Member

ndossche commented Mar 21, 2026

I also believe this fixes a real long-standing bug that should be backported at a later point after this one is merged in 8.5.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ndossche ndossche ndossche approved these changes

Assignees

No one assigned

Labels

Extension: sqlite3

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@devnexen @ndossche