Bug #34766 Upgrade from 5.04 to 5.05 for the soap module causes a crash
Submitted: 2005-10-06 19:27 UTC
Modified: 2005-10-07 15:24 UTC
From: amistry at am-productions dot biz
Assigned: dmitry
Status: Closed
Package: SOAP related
PHP Version: 5CVS-2005-10-06 (snap)
OS: FreeBSD 5.4-STABLE
Private report: No
CVE-ID: None
 [2005-10-06 19:27 UTC] amistry at am-productions dot biz
Description:
------------
I'm running FreeBSD 5.4-STABLE with PHP 5.05 (I can also reproduce 
this with the same version on 7-CURRENT) and something in the soap 
module is causing php/apache to crash.
I'm using the soap module to connect to MapPoint to retrieve location 
coordinates.  This problem doesn't happen with the 5.04 soap module.  
Thanks for any help or suggestions.  Let me know if I need to provide 
any more debug information.

Reproduce code:
---------------
http://am-productions.biz/soap-crash-code.txt

Expected result:
----------------
The latitude and longitude will be displayed.  2 floating point numbers.

Actual result:
--------------
I've also tried without xdebug and I get the same problem.

The backtrace follows:
(gdb) bt
#0  0x48c8f729 in php_openssl_sockop_cast ()
   from /usr/local/lib/php/20041030/openssl.so
#1  0x080f0e6e in _php_stream_cast ()
#2  0x48c5c7a6 in stream_alive ()
   from /usr/local/lib/php/20041030/soap.so
#3  0x48c5e376 in make_http_soap_request ()
   from /usr/local/lib/php/20041030/soap.so
#4  0x48c4b449 in zif_SoapClient___doRequest ()
   from /usr/local/lib/php/20041030/soap.so
#5  0x0810ebb4 in zend_call_function ()
#6  0x0810dd70 in call_user_function_ex ()
#7  0x0810dc93 in call_user_function ()
#8  0x48c49705 in do_request ()
   from /usr/local/lib/php/20041030/soap.so
#9  0x48c49d58 in do_soap_call ()
   from /usr/local/lib/php/20041030/soap.so
#10 0x48c4ae66 in zif_SoapClient___call ()
   from /usr/local/lib/php/20041030/soap.so
#11 0x0813bb84 in execute_internal ()
#12 0x4850f822 in xdebug_execute_internal ()
   from /usr/local/lib/php/20041030/xdebug.so
#13 0x0814639f in zend_do_fcall_common_helper ()
#14 0x081467e5 in zend_do_fcall_by_name_handler ()
#15 0x0813bce3 in execute ()
#16 0x4850f6ff in xdebug_execute ()
   from /usr/local/lib/php/20041030/xdebug.so
#17 0x081190fd in zend_execute_scripts ()

When I compile with debug it doesn't crash, but I get the following from valgrind:
> valgrind -v ./soap-crash.php
==76689== Memcheck, a memory error detector for x86-linux.
==76689== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward.
==76689== Using valgrind-2.1.0, a program supervision framework for x86-linux.
==76689== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward.
==76689== Valgrind library directory: /usr/local/lib/valgrind
==76689== Command line
==76689==    /usr/local/bin/php
==76689==    ./soap-crash.php
[snip]
==76689== Invalid read of size 4
==76689==    at 0x3CBC87FE: stream_alive (in /usr/local/lib/php/20041030-debug/soap.so)
==76689==    by 0x3CBCAB04: make_http_soap_request (in /usr/local/lib/php/20041030-debug/soap.so)
==76689==    by 0x3CBB42F8: zif_SoapClient___doRequest (in /usr/local/lib/php/20041030-debug/soap.so)
==76689==    by 0x812BC7E: zend_call_function (zend_execute_API.c:900)
==76689==  Address 0x3CD5E2B0 is 172 bytes inside a block of size 184 free'd
==76689==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==76689==    by 0x811EC77: _efree (zend_alloc.c:288)
==76689==    by 0x810625B: _php_stream_free (streams.c:394)
==76689==    by 0x3CBD0025: make_http_soap_request (in /usr/local/lib/php/20041030-debug/soap.so)
==76689==
==76689== Invalid read of size 4
==76689==    at 0x8105EE6: _php_stream_free (streams.c:276)
==76689==    by 0x3CBCAB22: make_http_soap_request (in /usr/local/lib/php/20041030-debug/soap.so)
==76689==    by 0x3CBB42F8: zif_SoapClient___doRequest (in /usr/local/lib/php/20041030-debug/soap.so)
==76689==    by 0x812BC7E: zend_call_function (zend_execute_API.c:900)
==76689==  Address 0x3CD5E270 is 108 bytes inside a block of size 184 free'd
==76689==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==76689==    by 0x811EC77: _efree (zend_alloc.c:288)
==76689==    by 0x810625B: _php_stream_free (streams.c:394)
==76689==    by 0x3CBD0025: make_http_soap_request (in /usr/local/lib/php/20041030-debug/soap.so)
39.9993431382:-83.0282030224
==76689== discard syms at 0x3CC4E000-0x3CC61000 in /usr/local/lib/php/20041030-debug/openssl.so due to munmap()
...
[snip]
==76689==
==76689== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
==76689==
==76689== 1 errors in context 1 of 2:
==76689== Invalid read of size 4
==76689==    at 0x8105EE6: _php_stream_free (streams.c:276)
==76689==    by 0x3CBCAB22: ???
==76689==    by 0x3CBB42F8: ???
==76689==    by 0x812BC7E: zend_call_function (zend_execute_API.c:900)
==76689==  Address 0x3CD5E270 is 108 bytes inside a block of size 184 free'd
==76689==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==76689==    by 0x811EC77: _efree (zend_alloc.c:288)
==76689==    by 0x810625B: _php_stream_free (streams.c:394)
==76689==    by 0x3CBD0025: ???
==76689==
==76689== 1 errors in context 2 of 2:
==76689== Invalid read of size 4
==76689==    at 0x3CBC87FE: ???
==76689==    by 0x3CBCAB04: ???
==76689==    by 0x3CBB42F8: ???
==76689==    by 0x812BC7E: zend_call_function (zend_execute_API.c:900)
==76689==  Address 0x3CD5E2B0 is 172 bytes inside a block of size 184 free'd
==76689==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==76689==    by 0x811EC77: _efree (zend_alloc.c:288)
==76689==    by 0x810625B: _php_stream_free (streams.c:394)
==76689==    by 0x3CBD0025: ???
==76689== IN SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
==76689==
==76689== malloc/free: in use at exit: 25688 bytes in 1256 blocks.
==76689== malloc/free: 17054 allocs, 15798 frees, 1803278 bytes allocated.
==76689== 

From valgrind without debugging:
==63537== Invalid read of size 4
==63537==    at 0x3CBA877E: stream_alive (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CBAA375: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CB97448: zif_SoapClient___doRequest (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x810EBF3: zend_call_function (in /usr/local/bin/php)
==63537==  Address 0x3C3A405C is 144 bytes inside a block of size 148 free'd
==63537==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==63537==    by 0x8103452: _efree (in /usr/local/bin/php)
==63537==    by 0x80EDEB2: _php_stream_free (in /usr/local/bin/php)
==63537==    by 0x3CBAE520: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537== 
==63537== Invalid read of size 4
==63537==    at 0x80F0E61: _php_stream_cast (in /usr/local/bin/php)
==63537==    by 0x3CBA87A5: stream_alive (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CBAA375: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CB97448: zif_SoapClient___doRequest (in /usr/local/lib/php/20041030/soap.so)
==63537==  Address 0x3C3A3FE0 is 20 bytes inside a block of size 148 free'd
==63537==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==63537==    by 0x8103452: _efree (in /usr/local/bin/php)
==63537==    by 0x80EDEB2: _php_stream_free (in /usr/local/bin/php)
==63537==    by 0x3CBAE520: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537== 
==63537== Invalid read of size 4
==63537==    at 0x80F0E67: _php_stream_cast (in /usr/local/bin/php)
==63537==    by 0x3CBA87A5: stream_alive (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CBAA375: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CB97448: zif_SoapClient___doRequest (in /usr/local/lib/php/20041030/soap.so)
==63537==  Address 0x3C3A3FEC is 32 bytes inside a block of size 148 free'd
==63537==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==63537==    by 0x8103452: _efree (in /usr/local/bin/php)
==63537==    by 0x80EDEB2: _php_stream_free (in /usr/local/bin/php)
==63537==    by 0x3CBAE520: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537== 
==63537== Invalid read of size 4
==63537==    at 0x80F0E98: _php_stream_cast (in /usr/local/bin/php)
==63537==    by 0x3CBA87A5: stream_alive (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CBAA375: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CB97448: zif_SoapClient___doRequest (in /usr/local/lib/php/20041030/soap.so)
==63537==  Address 0x3C3A3FD8 is 12 bytes inside a block of size 148 free'd
==63537==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==63537==    by 0x8103452: _efree (in /usr/local/bin/php)
==63537==    by 0x80EDEB2: _php_stream_free (in /usr/local/bin/php)
==63537==    by 0x3CBAE520: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537== 
==63537== Invalid read of size 4
==63537==    at 0x3C7786D3: php_openssl_sockop_cast (in /usr/local/lib/php/20041030/openssl.so)
==63537==    by 0x80F0EAD: _php_stream_cast (in /usr/local/bin/php)
==63537==    by 0x3CBA87A5: stream_alive (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CBAA375: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537==  Address 0x3C3A3FDC is 16 bytes inside a block of size 148 free'd
==63537==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==63537==    by 0x8103452: _efree (in /usr/local/bin/php)
==63537==    by 0x80EDEB2: _php_stream_free (in /usr/local/bin/php)
==63537==    by 0x3CBAE520: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537== 
==63537== Invalid read of size 4
==63537==    at 0x3C778729: php_openssl_sockop_cast (in /usr/local/lib/php/20041030/openssl.so)
==63537==    by 0x80F0EAD: _php_stream_cast (in /usr/local/bin/php)
==63537==    by 0x3CBA87A5: stream_alive (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CBAA375: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537==  Address 0x0 is not stack'd, malloc'd or free'd
==63537== 
==63537== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==63537==    at 0x3C778729: php_openssl_sockop_cast (in /usr/local/lib/php/20041030/openssl.so)
==63537==    by 0x80F0EAD: _php_stream_cast (in /usr/local/bin/php)
==63537==    by 0x3CBA87A5: stream_alive (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CBAA375: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537== Core dumping not implemented. Please re-run valgrind after fixing the crash.
==63537== 
==63537== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 0 from 0)
==63537== 
==63537== 1 errors in context 1 of 6:
==63537== Invalid read of size 4
==63537==    at 0x3C778729: php_openssl_sockop_cast (in /usr/local/lib/php/20041030/openssl.so)
==63537==    by 0x80F0EAD: _php_stream_cast (in /usr/local/bin/php)
==63537==    by 0x3CBA87A5: stream_alive (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CBAA375: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537==  Address 0x0 is not stack'd, malloc'd or free'd
==63537== 
==63537== 1 errors in context 2 of 6:
==63537== Invalid read of size 4
==63537==    at 0x3C7786D3: php_openssl_sockop_cast (in /usr/local/lib/php/20041030/openssl.so)
==63537==    by 0x80F0EAD: _php_stream_cast (in /usr/local/bin/php)
==63537==    by 0x3CBA87A5: stream_alive (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CBAA375: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537==  Address 0x3C3A3FDC is 16 bytes inside a block of size 148 free'd
==63537==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==63537==    by 0x8103452: _efree (in /usr/local/bin/php)
==63537==    by 0x80EDEB2: _php_stream_free (in /usr/local/bin/php)
==63537==    by 0x3CBAE520: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537== 
==63537== 1 errors in context 3 of 6:
==63537== Invalid read of size 4
==63537==    at 0x80F0E98: _php_stream_cast (in /usr/local/bin/php)
==63537==    by 0x3CBA87A5: stream_alive (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CBAA375: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CB97448: zif_SoapClient___doRequest (in /usr/local/lib/php/20041030/soap.so)
==63537==  Address 0x3C3A3FD8 is 12 bytes inside a block of size 148 free'd
==63537==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==63537==    by 0x8103452: _efree (in /usr/local/bin/php)
==63537==    by 0x80EDEB2: _php_stream_free (in /usr/local/bin/php)
==63537==    by 0x3CBAE520: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537== 
==63537== 1 errors in context 4 of 6:
==63537== Invalid read of size 4
==63537==    at 0x80F0E67: _php_stream_cast (in /usr/local/bin/php)
==63537==    by 0x3CBA87A5: stream_alive (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CBAA375: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CB97448: zif_SoapClient___doRequest (in /usr/local/lib/php/20041030/soap.so)
==63537==  Address 0x3C3A3FEC is 32 bytes inside a block of size 148 free'd
==63537==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==63537==    by 0x8103452: _efree (in /usr/local/bin/php)
==63537==    by 0x80EDEB2: _php_stream_free (in /usr/local/bin/php)
==63537==    by 0x3CBAE520: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537== 
==63537== 1 errors in context 5 of 6:
==63537== Invalid read of size 4
==63537==    at 0x80F0E61: _php_stream_cast (in /usr/local/bin/php)
==63537==    by 0x3CBA87A5: stream_alive (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CBAA375: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CB97448: zif_SoapClient___doRequest (in /usr/local/lib/php/20041030/soap.so)
==63537==  Address 0x3C3A3FE0 is 20 bytes inside a block of size 148 free'd
==63537==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==63537==    by 0x8103452: _efree (in /usr/local/bin/php)
==63537==    by 0x80EDEB2: _php_stream_free (in /usr/local/bin/php)
==63537==    by 0x3CBAE520: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537== 
==63537== 1 errors in context 6 of 6:
==63537== Invalid read of size 4
==63537==    at 0x3CBA877E: stream_alive (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CBAA375: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x3CB97448: zif_SoapClient___doRequest (in /usr/local/lib/php/20041030/soap.so)
==63537==    by 0x810EBF3: zend_call_function (in /usr/local/bin/php)
==63537==  Address 0x3C3A405C is 144 bytes inside a block of size 148 free'd
==63537==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==63537==    by 0x8103452: _efree (in /usr/local/bin/php)
==63537==    by 0x80EDEB2: _php_stream_free (in /usr/local/bin/php)
==63537==    by 0x3CBAE520: make_http_soap_request (in /usr/local/lib/php/20041030/soap.so)
==63537== IN SUMMARY: 6 errors from 6 contexts (suppressed: 0 from 0)
==63537== 
==63537== malloc/free: in use at exit: 861808 bytes in 15842 blocks.
==63537== malloc/free: 29817 allocs, 13975 frees, 2153218 bytes allocated.
==63537== 
Segmentation fault
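
Added example (not part of the original report or of PHP's source): a triage sketch for the memcheck output above. It subtracts each reported offset from the faulting address to recover the base of the freed block, which shows that the invalid reads land in one 148-byte block released through `_php_stream_free`. The `triage` function is this example's own, and `LOG` is abridged from the non-debug run (three of the six contexts, caller frames omitted).

```python
import re
from collections import defaultdict

# Abridged from the non-debug valgrind run in the report (pid 63537):
# three of the six error contexts, with the readers' caller frames omitted.
LOG = """\
==63537== Invalid read of size 4
==63537==    at 0x3CBA877E: stream_alive (in /usr/local/lib/php/20041030/soap.so)
==63537==  Address 0x3C3A405C is 144 bytes inside a block of size 148 free'd
==63537==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==63537==    by 0x8103452: _efree (in /usr/local/bin/php)
==63537==    by 0x80EDEB2: _php_stream_free (in /usr/local/bin/php)
==63537==
==63537== Invalid read of size 4
==63537==    at 0x3C7786D3: php_openssl_sockop_cast (in /usr/local/lib/php/20041030/openssl.so)
==63537==  Address 0x3C3A3FDC is 16 bytes inside a block of size 148 free'd
==63537==    at 0x3C04068F: free (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==63537==    by 0x8103452: _efree (in /usr/local/bin/php)
==63537==    by 0x80EDEB2: _php_stream_free (in /usr/local/bin/php)
==63537==
==63537== Invalid read of size 4
==63537==    at 0x3C778729: php_openssl_sockop_cast (in /usr/local/lib/php/20041030/openssl.so)
==63537==  Address 0x0 is not stack'd, malloc'd or free'd
"""

FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
FREED = re.compile(r"Address (0x[0-9A-Fa-f]+) is (\d+) bytes inside a block of size (\d+) free'd")
WRAPPERS = {"free", "_efree"}  # allocator shims; the next frame up is the real freer

def triage(log):
    """Group invalid reads by the freed heap block they fall inside."""
    blocks = defaultdict(lambda: {"readers": [], "freed_by": None})
    other = []  # reads that hit no freed block (here: the final NULL dereference)
    for record in re.split(r"(?m)^==\d+== *$", log):
        if "Invalid read" not in record:
            continue
        frames = FRAME.findall(record)
        m = FREED.search(record)
        if not m:
            other.append(frames[0])
            continue
        addr, off, size = int(m.group(1), 16), int(m.group(2)), int(m.group(3))
        key = (hex(addr - off), size)  # block base = faulting address - offset
        blocks[key]["readers"].append((frames[0], off))
        free_stack = FRAME.findall(record[m.end():])
        blocks[key]["freed_by"] = next((f for f in free_stack if f not in WRAPPERS), None)
    return dict(blocks), other

if __name__ == "__main__":
    blocks, other = triage(LOG)
    for (base, size), info in blocks.items():
        print(f"block {base} ({size} bytes), freed by {info['freed_by']}: {info['readers']}")
    print("reads outside any freed block:", other)
```

Applied to the debug run, the same arithmetic puts both reads (offsets 172 and 108) in a single 184-byte block.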


 [2005-10-06 20:57 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip

..and PLEASE DO NOT provide any valgrind traces when not asked for..

 [2005-10-06 21:58 UTC] amistry at am-productions dot biz
With the latest CVS version I get the crash.
http://am-productions.biz/docs/php5-cvs-snap.txt
 [2005-10-06 22:35 UTC] sniper@php.net
Assigned to the maintainer.
 [2005-10-07 14:17 UTC] dmitry@php.net
Probably fixed in CVS.
I cannot test because http://am-productions.biz/soap-crash-code.txt is not available.

 [2005-10-07 15:24 UTC] amistry at am-productions dot biz
Sorry, bad link:
http://am-productions.biz/docs/soap-crash-code.txt
 