PHP :: Bug #70017 :: soap_client construct cause crash

Bug #70017

soap_client construct cause crash

Submitted:

2015-07-08 07:46 UTC

Modified:

2021-03-14 04:22 UTC

Votes:	5
Avg. Score:	3.6 ± 1.5
Reproduced:	3 of 3 (100.0%)
Same Version:	3 (100.0%)
Same OS:	1 (33.3%)

From:

simon dot minotto at gmail dot com

Assigned:

cmb (profile)

Status:

No Feedback

Package:

Reproducible crash

PHP Version:

7.0.0alpha2

OS:

ubuntu 15.04 server

Private report:

CVE-ID:

None

View Developer Edit

[2015-07-08 07:46 UTC] simon dot minotto at gmail dot com

Description:
------------
Bug report.

I have a segmentation fault using soap_client
I didn't success reproducing it outside my framework (based on symfony 1.0) with a simple script

Code around the exception : 

file_put_contents("/tmp/doing", "\nconstucting soap client with url ".$wsdl."\n", FILE_APPEND);
$soapClient = new SoapClient($wsdl);
file_put_contents("/tmp/doing", "\nsoap client constructed\n", FILE_APPEND);


Content of /tmp/doing after execution : 


(I replace http by h ttp to avoid ticketing spam detection)

constucting soap client with url h  ttp://trunk-tv1-services-php7test1.brainsonic.com/wsdl_test

soap client constructed

constucting soap client with url h ttp://trunk-tv1-services-php7test1.brainsonic.com/wsdl_test
<ENDOFFILE>


strace of first soap_client construct call : (with strace php <myscript>)
http://pastebin.com/XvnknwrN





strace of second soap_client construct call (jsut before crash) : 

http://pastebin.com/jALzymJ6


My configure line : './configure' '--with-apxs2=/usr/bin/apxs' '--with-mysqli' '--enable-soap' '--enable-sockets' '--enable-sysvsem' '--with-xsl' '--enable-zip' '--enable-mbstring' '--with-curl' '--with-mcrypt' '--enable-ftp' '--with-gd' '--with-jpeg-dir=/usr/lib' '--enable-exif' '--with-openssl' '--enable-pcntl'

on Ubuntu 15

Test script:
---------------
http://pastebin.com/bBZ0iPqu
-> Not reproducing the issue with this code


Actual result:
--------------
http://pastebin.com/kYnMQEqB

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-07-08 07:49 UTC] simon dot minotto at gmail dot com

http://php7test1.cloudapp.net/phpinfo.php
-> You can find here a php info (used for apache & cli)

[2015-07-10 11:41 UTC] laruence@php.net

-Status: Open +Status: Feedback

[2015-07-10 11:41 UTC] laruence@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

[2015-07-10 12:32 UTC] simon dot minotto at gmail dot com

-Status: Feedback +Status: Open

[2015-07-10 12:32 UTC] simon dot minotto at gmail dot com

The backtrace is lready generated and attached to this ticket : 

http://pastebin.com/kYnMQEqB

Core was generated by `php /srv/www/trunk.php7test1.brainsonic.com/html/plugins/bsPlaylistPlugin/test/'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  zend_mm_alloc_small (size=<optimized out>, bin_num=2, heap=0x7fa5b6400040) at /mnt/php-7.0.0alpha2/Zend/zend_alloc.c:1244
1244                    heap->free_slot[bin_num] = p->next_free_slot;
(gdb) bt
#0  zend_mm_alloc_small (size=<optimized out>, bin_num=2, heap=0x7fa5b6400040) at /mnt/php-7.0.0alpha2/Zend/zend_alloc.c:1244
#1  zend_mm_alloc_heap (size=19, heap=0x7fa5b6400040) at /mnt/php-7.0.0alpha2/Zend/zend_alloc.c:1311
#2  _emalloc (size=19) at /mnt/php-7.0.0alpha2/Zend/zend_alloc.c:2210
#3  0x00000000007e1e32 in _estrdup (s=0x7fa5b4344c60 "getMediasByTagName") at /mnt/php-7.0.0alpha2/Zend/zend_alloc.c:2309
#4  0x00000000006b8372 in load_wsdl (this_ptr=this_ptr@entry=0x7fa5b64196f0, struri=struri@entry=0x7fa5b4243cd8 "http://trunk-tv1-services-php7test1.brainsonic.com/wsdl_test") at /mnt/php-7.0.0alpha2/ext/soap/php_sdl.c:1126
#5  0x00000000006b9015 in get_sdl (this_ptr=this_ptr@entry=0x7fa5b64196f0, uri=0x7fa5b4243cd8 "http://trunk-tv1-services-php7test1.brainsonic.com/wsdl_test", cache_wsdl=cache_wsdl@entry=0) at /mnt/php-7.0.0alpha2/ext/soap/php_sdl.c:3302
#6  0x000000000068ee53 in zim_SoapClient_SoapClient (execute_data=0x7fa5b64196d0, return_value=<optimized out>) at /mnt/php-7.0.0alpha2/ext/soap/soap.c:2534
#7  0x000000000089af84 in ZEND_DO_FCALL_SPEC_HANDLER () at /mnt/php-7.0.0alpha2/Zend/zend_vm_execute.h:834
#8  0x0000000000846b5b in execute_ex (ex=<optimized out>) at /mnt/php-7.0.0alpha2/Zend/zend_vm_execute.h:403
#9  0x000000000089e4a7 in zend_execute (op_array=0x7fa5b6480000, return_value=<optimized out>) at /mnt/php-7.0.0alpha2/Zend/zend_vm_execute.h:447
#10 0x00000000008058f5 in zend_execute_scripts (type=8, retval=0x2, retval@entry=0x0, file_count=2) at /mnt/php-7.0.0alpha2/Zend/zend.c:1389
#11 0x00000000007a569b in php_execute_script (primary_file=0x7ffc7a2eb120) at /mnt/php-7.0.0alpha2/main/main.c:2472
#12 0x000000000089fe59 in do_cli (argc=19, argv=0x2) at /mnt/php-7.0.0alpha2/sapi/cli/php_cli.c:967
#13 0x0000000000437a70 in main (argc=19, argv=0x2) at /mnt/php-7.0.0alpha2/sapi/cli/php_cli.c:1334

[2015-07-15 09:59 UTC] laruence@php.net

could you please paste out the wsdl_test file?

[2015-07-15 10:32 UTC] simon dot minotto at gmail dot com

Sure :)
http://pastebin.com/3kEtd6dA

I will let the VM running all day.

Thanks

[2015-07-16 15:18 UTC] laruence@php.net

Hmm, I can not reproduce this.  valgrind clean as well(could you please try run with latest master snapshot?):

$ USE_ZEND_ALLOC=0 valgrind sapi/cli/php /tmp/1.php
==29654== Memcheck, a memory error detector
==29654== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==29654== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==29654== Command: sapi/cli/php /tmp/1.php
==29654==

before first soap client construct

after first soap client construct
array(9) {
  ["playlistFolderId"]=>
  int(1)
  ["maxPerPage"]=>
  int(5)
  ["page"]=>
  int(1)
  ["additionnalParameters"]=>
  string(0) ""
  ["sessionId"]=>
  string(0) ""
  ["APIKey"]=>
  string(10) "brainsonic"
  ["format"]=>
  string(0) ""
  ["login_username"]=>
  string(0) ""
  ["login_password"]=>
  string(0) ""
}
string(114) "<playlist_menu version="1.0">
<playlist_folder_config>
<items>
</items>
</playlist_folder_config>
</playlist_menu>"

end soap client construct
==29654==
==29654== HEAP SUMMARY:
==29654==     in use at exit: 7,338 bytes in 79 blocks
==29654==   total heap usage: 79,500 allocs, 79,421 frees, 6,789,427 bytes allocated
==29654==
==29654== LEAK SUMMARY:
==29654==    definitely lost: 40 bytes in 1 blocks
==29654==    indirectly lost: 0 bytes in 0 blocks
==29654==      possibly lost: 0 bytes in 0 blocks
==29654==    still reachable: 7,298 bytes in 78 blocks
==29654==         suppressed: 0 bytes in 0 blocks
==29654== Rerun with --leak-check=full to see details of leaked memory
==29654==
==29654== For counts of detected and suppressed errors, rerun with: -v
==29654== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

thanks

[2015-07-16 15:18 UTC] laruence@php.net

-Assigned To: +Assigned To: laruence

[2015-07-17 07:48 UTC] simon dot minotto at gmail dot com

New (failed) test with php7 beta1 : 
http://pastebin.com/ixZ5B4kh


New (PASS) test with php-src MASTER (php 7.0.0DEV)
http://pastebin.com/FZ3MmSxP

My test pass (ok) BUT I have the following extra content :

[Fri Jul 17 04:46:27 2015]  Script:  '/srv/www/damlp/plugins/trunk/bsPlaylistPlugin/test/functional/services/bsPlaylistServicesActionsTest.php'
/root/php/php-src/Zend/zend_objects.c(161) :  Freeing 0x7F3866CC9900 (200 bytes), script=/srv/www/damlp/plugins/trunk/bsPlaylistPlugin/test/functional/services/bsPlaylistServicesActionsTest.php
[Fri Jul 17 04:46:27 2015]  Script:  '/srv/www/damlp/plugins/trunk/bsPlaylistPlugin/test/functional/services/bsPlaylistServicesActionsTest.php'
/root/php/php-src/Zend/zend_objects.c(161) :  Freeing 0x7F386635DC00 (200 bytes), script=/srv/www/damlp/plugins/trunk/bsPlaylistPlugin/test/functional/services/bsPlaylistServicesActionsTest.php
Last leak repeated 1 time
[Fri Jul 17 04:46:27 2015]  Script:  '/srv/www/damlp/plugins/trunk/bsPlaylistPlugin/test/functional/services/bsPlaylistServicesActionsTest.php'
/root/php/php-src/Zend/zend_objects.c(161) :  Freeing 0x7F3865E15900 (200 bytes), script=/srv/www/damlp/plugins/trunk/bsPlaylistPlugin/test/functional/services/bsPlaylistServicesActionsTest.php
Last leak repeated 5 times
=== Total 9 memory leaks detected ===



If a reconfigure & compile php without --enable-debug, everything is now fine :)

[2021-03-03 14:42 UTC] cmb@php.net

-Status: Assigned +Status: Feedback -Assigned To: laruence +Assigned To: cmb

[2021-03-03 14:42 UTC] cmb@php.net

> If a reconfigure & compile php without --enable-debug, everything is now fine :)

These memory leaks are only reported for debug builds.  Anyhow, do
you still get crashes or leaks with any of the actively supported
PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>

[2021-03-14 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Oct 29 12:00:01 2025 UTC