Bug #70079 Segmentation fault after more than 100 SoapClient calls
Submitted: 2015-07-15 06:15 UTC Modified: 2015-07-16 06:03 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: dmifedorenko at gmail dot com Assigned: laruence
Status: Closed Package: Unknown/Other Function
PHP Version: 7.0Git-2015-07-15 (Git) OS: Linux vm 3.13.0-37-generic #64-U
Private report: No CVE-ID:
 [2015-07-15 06:15 UTC] dmifedorenko at gmail dot com
Description:
------------
Hello. For almost several weeks I have been seeing the same strange bug in the latest PHP7 master. I can reproduce it on several different PCs in our office (apache2 or nginx), but I can't give you a fixture to reproduce it.

Description of the problem: we have 150 calls of SoapClient to an old Jira endpoint (method getIssueByKey) inside a foreach. After all data is received, PHP7 tries to render HTML and falls with a seg fault inside the outerLayout.inc.php template file. The only content of the file is "<?" - two symbols. If I remove the include of this file, the fatal will happen on the next template. Looks like include is broken?

In apache2 log I see entry:
[Wed Jul 15 15:36:45.538571 2015] [core:notice] [pid 9031] AH00051: child pid 9036 exit signal Segmentation fault (11), possible coredump in /tmp

If I reduce the limit on SoapClient to 80 calls, all works perfectly, but after about 98 calls include will be broken.

Check out core file's backtrace please:
---
#0  0x00007f688851ed7f in zend_mm_alloc_small (heap=0x7f687e400040, size=56, bin_num=6, __zend_filename=0x7f6888ab3458 "/home/fedorenko/php7/php-src/Zend/zend_list.c",
    __zend_lineno=43, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/fedorenko/php7/php-src/Zend/zend_alloc.c:1244
#1  0x00007f688851efd6 in zend_mm_alloc_heap (heap=0x7f687e400040, size=56, __zend_filename=0x7f6888ab3458 "/home/fedorenko/php7/php-src/Zend/zend_list.c", __zend_lineno=43,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/fedorenko/php7/php-src/Zend/zend_alloc.c:1311
#2  0x00007f68885210e0 in _emalloc (size=24, __zend_filename=0x7f6888ab3458 "/home/fedorenko/php7/php-src/Zend/zend_list.c", __zend_lineno=43, __zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /home/fedorenko/php7/php-src/Zend/zend_alloc.c:2210
#3  0x00007f688856cd1b in zend_list_insert (ptr=0x7f687be9ec80, type=2) at /home/fedorenko/php7/php-src/Zend/zend_list.c:43
#4  0x00007f688856cf25 in zend_register_resource (rsrc_pointer=0x7f687be9ec80, rsrc_type=2) at /home/fedorenko/php7/php-src/Zend/zend_list.c:98
#5  0x00007f68884dde47 in _php_stream_alloc (ops=0x7f6888e0dd40 <php_stream_stdio_ops>, abstract=0x7f687c093540, persistent_id=0x0, mode=0x7f6888a99051 "rb",
    __php_stream_call_depth=4, __zend_filename=0x7f6888a9c8e8 "/home/fedorenko/php7/php-src/main/streams/plain_wrapper.c", __zend_lineno=178,
    __zend_orig_filename=0x7f6888a98678 "/home/fedorenko/php7/php-src/main/main.c", __zend_orig_lineno=1340) at /home/fedorenko/php7/php-src/main/streams/streams.c:309
#6  0x00007f68884e717f in _php_stream_fopen_from_fd_int (fd=21, mode=0x7f6888a99051 "rb", persistent_id=0x0, __php_stream_call_depth=3,
    __zend_filename=0x7f6888a9c8e8 "/home/fedorenko/php7/php-src/main/streams/plain_wrapper.c", __zend_lineno=992,
    __zend_orig_filename=0x7f6888a98678 "/home/fedorenko/php7/php-src/main/main.c", __zend_orig_lineno=1340) at /home/fedorenko/php7/php-src/main/streams/plain_wrapper.c:178
#7  0x00007f68884e89c5 in _php_stream_fopen (filename=0x7f687be84298 "/home/fedorenko/baza/app/src/template_partner/baza.farpost.ru/outerLayout.inc.php",
    mode=0x7f6888a99051 "rb", opened_path=0x7fff2427e000, options=16512, __php_stream_call_depth=2,
    __zend_filename=0x7f6888a9c8e8 "/home/fedorenko/php7/php-src/main/streams/plain_wrapper.c", __zend_lineno=1050,
    __zend_orig_filename=0x7f6888a98678 "/home/fedorenko/php7/php-src/main/main.c", __zend_orig_lineno=1340) at /home/fedorenko/php7/php-src/main/streams/plain_wrapper.c:992
#8  0x00007f68884e8c8d in php_plain_files_stream_opener (wrapper=0x7f6888e0de60 <php_plain_files_wrapper>,
    path=0x7f687be84298 "/home/fedorenko/baza/app/src/template_partner/baza.farpost.ru/outerLayout.inc.php", mode=0x7f6888a99051 "rb", options=16512,
    opened_path=0x7fff2427e000, context=0x0, __php_stream_call_depth=1, __zend_filename=0x7f6888a9bcc0 "/home/fedorenko/php7/php-src/main/streams/streams.c",
    __zend_lineno=2061, __zend_orig_filename=0x7f6888a98678 "/home/fedorenko/php7/php-src/main/main.c", __zend_orig_lineno=1340)
    at /home/fedorenko/php7/php-src/main/streams/plain_wrapper.c:1050
#9  0x00007f68884e20e7 in _php_stream_open_wrapper_ex (path=0x7f687be84298 "/home/fedorenko/baza/app/src/template_partner/baza.farpost.ru/outerLayout.inc.php",
    mode=0x7f6888a99051 "rb", options=16520, opened_path=0x7fff2427e000, context=0x0, __php_stream_call_depth=0,
    __zend_filename=0x7f6888a98678 "/home/fedorenko/php7/php-src/main/main.c", __zend_lineno=1340, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/fedorenko/php7/php-src/main/streams/streams.c:2059
#10 0x00007f68884be6e4 in php_stream_open_for_zend_ex (filename=0x7f687be84338 "/home/fedorenko/baza/app/src/template_partner/baza.farpost.ru/outerLayout.inc.php",
    handle=0x7fff2427dfa0, mode=137) at /home/fedorenko/php7/php-src/main/main.c:1340
#11 0x00007f68884be67e in php_stream_open_for_zend (filename=0x7f687be84338 "/home/fedorenko/baza/app/src/template_partner/baza.farpost.ru/outerLayout.inc.php",
    handle=0x7fff2427dfa0) at /home/fedorenko/php7/php-src/main/main.c:1332
#12 0x00007f6888579928 in zend_stream_open (filename=0x7f687be84338 "/home/fedorenko/baza/app/src/template_partner/baza.farpost.ru/outerLayout.inc.php", handle=0x7fff2427dfa0)
    at /home/fedorenko/php7/php-src/Zend/zend_stream.c:131
#13 0x00007f6888579ae1 in zend_stream_fixup (file_handle=0x7fff2427dfa0, buf=0x7fff2427dc50, len=0x7fff2427dc58) at /home/fedorenko/php7/php-src/Zend/zend_stream.c:186
#14 0x00007f68884fbb66 in open_file_for_scanning (file_handle=0x7fff2427dfa0) at Zend/zend_language_scanner.l:508
#15 0x00007f68884fbed6 in compile_file (file_handle=0x7fff2427dfa0, type=2) at Zend/zend_language_scanner.l:578
#16 0x00007f68882aa186 in phar_compile_file (file_handle=0x7fff2427dfa0, type=2) at /home/fedorenko/php7/php-src/ext/phar/phar.c:3311
#17 0x00007f68884fc226 in compile_filename (type=2, filename=0x7f687e4153d0) at Zend/zend_language_scanner.l:647
#18 0x00007f68885ea358 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER () at /home/fedorenko/php7/php-src/Zend/zend_vm_execute.h:28971
#19 0x00007f68885aea65 in execute_ex (ex=0x7f687e413030) at /home/fedorenko/php7/php-src/Zend/zend_vm_execute.h:406
#20 0x00007f68885aeb77 in zend_execute (op_array=0x7f687e485000, return_value=0x0) at /home/fedorenko/php7/php-src/Zend/zend_vm_execute.h:450
#21 0x00007f6888554cd7 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/fedorenko/php7/php-src/Zend/zend.c:1399
#22 0x00007f68884c0d74 in php_execute_script (primary_file=0x7fff24280580) at /home/fedorenko/php7/php-src/main/main.c:2475
#23 0x00007f6888612099 in php_handler (r=0x7f687e7733c0) at /home/fedorenko/php7/php-src/sapi/apache2handler/sapi_apache2.c:673
#24 0x00007f688cc14880 in ap_run_handler ()
#25 0x00007f688cc14dc9 in ap_invoke_handler ()
#26 0x00007f688cc2a35c in ap_internal_redirect ()
#27 0x00007f687f81acfc in ?? () from /usr/lib/apache2/modules/mod_rewrite.so
#28 0x00007f688cc14880 in ap_run_handler ()
#29 0x00007f688cc14dc9 in ap_invoke_handler ()
#30 0x00007f688cc2a89a in ap_process_async_request ()
#31 0x00007f688cc2ab74 in ap_process_request ()
#32 0x00007f688cc27622 in ?? ()
#33 0x00007f688cc1e370 in ap_run_process_connection ()
#34 0x00007f6889049767 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#35 0x00007f68890499a6 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#36 0x00007f6889049a06 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#37 0x00007f688904a6e0 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#38 0x00007f688cbfac0e in ap_run_mpm ()
#39 0x00007f688cbf43c6 in main ()
---

How can I help you reproduce and fix the problem? :)


 [2015-07-15 06:17 UTC] dmifedorenko at gmail dot com
Source of our client method:

class JiraSoapClient extends SoapClient implements IJiraClient{

	public function getIssueActions($issueKey, $token = null){
		if(is_null($token))
			$token = $this->getDefaultAuthToken();

		return parent::getAvailableActions($token,$issueKey);
	}

}
 [2015-07-15 06:40 UTC] laruence@php.net
give us a script(client and server) which can reproduce that ...
 [2015-07-15 06:59 UTC] dmifedorenko at gmail dot com
Sorry, but the server is not public; it works in the local network only. I can't share the full source code of the client due to copyright.

A minimal code example is useless without a public SOAP server. Or not?

I've got the full binary core file, can it help?
 [2015-07-15 09:50 UTC] laruence@php.net
hmm, this kind of backtrace (segfault in zend_mm) implies that the memory was corrupted by some code earlier, which makes the backtrace kind of useless. we need to find who corrupted it..

so.. if there is no reproducible script, there is not much we can do. :< thanks
 [2015-07-16 00:02 UTC] dmifedorenko at gmail dot com
Minimal source code to reproduce the problem:
---
<?php

class JiraSoapClientEx extends SoapClient {
}

$jiraClient = new JiraSoapClientEx('http://aux.srv.loc:82/rpc/soap/jirasoapservice-v2?wsdl');
$token = $jiraClient->login('admin', 'XXXX');

for ($i = 1;$i<=150;$i++) {
    $jiraClient->getIssue($token, "BAZAR-240424");
}
---

If I change 150 to 80, for example, the code will work. Only after about 100 calls to SoapClient will the script fail.

The Jira server is still private; we are trying to find a way to open it to the public, but that is not an easy task.

New backtrace:
---
#0  0x00007fc7bbe79aea in strlen () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fc7b8595651 in format_converter (odp=0x7ffff4d9ef00, fmt=0x7fc7b8b6b111 "s(%d) :  Freeing 0x%.8lX (%zu bytes), script=%s\n", ap=0x7ffff4d9ef48)
    at /home/fedorenko/php7/php-src/main/snprintf.c:993
#2  0x00007fc7b85960d8 in strx_printv (ccp=0x7ffff4d9ef44, buf=0x7ffff4d9f2b0 "[Thu Jul 16 09:51:47 2015]  Script:  '/home/fedorenko/baza/www/index.php'\n", len=512,
    format=0x7fc7b8b6b110 "%s(%d) :  Freeing 0x%.8lX (%zu bytes), script=%s\n", ap=0x7ffff4d9ef48) at /home/fedorenko/php7/php-src/main/snprintf.c:1248
#3  0x00007fc7b8596310 in ap_php_snprintf (buf=0x7ffff4d9f2b0 "[Thu Jul 16 09:51:47 2015]  Script:  '/home/fedorenko/baza/www/index.php'\n", len=512,
    format=0x7fc7b8b6b110 "%s(%d) :  Freeing 0x%.8lX (%zu bytes), script=%s\n") at /home/fedorenko/php7/php-src/main/snprintf.c:1293
#4  0x00007fc7b8590b8f in php_message_handler_for_zend (message=4, data=0x7ffff4da0360) at /home/fedorenko/php7/php-src/main/main.c:1435
#5  0x00007fc7b8625b55 in zend_message_dispatcher (message=4, data=0x7ffff4da0360) at /home/fedorenko/php7/php-src/Zend/zend.c:996
#6  0x00007fc7b85f2742 in zend_mm_check_leaks (heap=0x7fc7ae600040) at /home/fedorenko/php7/php-src/Zend/zend_alloc.c:1905
#7  0x00007fc7b85f2a40 in zend_mm_shutdown (heap=0x7fc7ae600040, full=0, silent=0) at /home/fedorenko/php7/php-src/Zend/zend_alloc.c:1973
#8  0x00007fc7b85f3886 in shutdown_memory_manager (silent=0, full_shutdown=0) at /home/fedorenko/php7/php-src/Zend/zend_alloc.c:2392
#9  0x00007fc7b8591a66 in php_request_shutdown (dummy=0x0) at /home/fedorenko/php7/php-src/main/main.c:1837
#10 0x00007fc7b86e3816 in php_apache_request_dtor (r=0x7fc7ae8530a0) at /home/fedorenko/php7/php-src/sapi/apache2handler/sapi_apache2.c:513
#11 0x00007fc7b86e4141 in php_handler (r=0x7fc7ae8530a0) at /home/fedorenko/php7/php-src/sapi/apache2handler/sapi_apache2.c:685
#12 0x00007fc7bcce6880 in ap_run_handler ()
#13 0x00007fc7bcce6dc9 in ap_invoke_handler ()
#14 0x00007fc7bccfc89a in ap_process_async_request ()
#15 0x00007fc7bccfcb74 in ap_process_request ()
#16 0x00007fc7bccf9622 in ?? ()
#17 0x00007fc7bccf0370 in ap_run_process_connection ()
#18 0x00007fc7b911b767 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#19 0x00007fc7b911b9a6 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#20 0x00007fc7b911c60e in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#21 0x00007fc7bccccc0e in ap_run_mpm ()
#22 0x00007fc7bccc63c6 in main ()
---
Is the new minimal backtrace still useless?
 [2015-07-16 00:05 UTC] dmifedorenko at gmail dot com
Sorry, this is the right bt from the minimal code:
---
#0  0x00007f4e23034aea in strlen () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f4e1f750651 in format_converter (odp=0x7fffea0f4660, fmt=0x7f4e1fd26111 "s(%d) :  Freeing 0x%.8lX (%zu bytes), script=%s\n", ap=0x7fffea0f46a8)
    at /home/fedorenko/php7/php-src/main/snprintf.c:993
#2  0x00007f4e1f7510d8 in strx_printv (ccp=0x7fffea0f46a4, buf=0x7fffea0f4a10 "[Thu Jul 16 10:04:08 2015]  Script:  '/home/fedorenko/baza/www/test.php'\n", len=512,
    format=0x7f4e1fd26110 "%s(%d) :  Freeing 0x%.8lX (%zu bytes), script=%s\n", ap=0x7fffea0f46a8) at /home/fedorenko/php7/php-src/main/snprintf.c:1248
#3  0x00007f4e1f751310 in ap_php_snprintf (buf=0x7fffea0f4a10 "[Thu Jul 16 10:04:08 2015]  Script:  '/home/fedorenko/baza/www/test.php'\n", len=512,
    format=0x7f4e1fd26110 "%s(%d) :  Freeing 0x%.8lX (%zu bytes), script=%s\n") at /home/fedorenko/php7/php-src/main/snprintf.c:1293
#4  0x00007f4e1f74bb8f in php_message_handler_for_zend (message=4, data=0x7fffea0f5ac0) at /home/fedorenko/php7/php-src/main/main.c:1435
#5  0x00007f4e1f7e0b55 in zend_message_dispatcher (message=4, data=0x7fffea0f5ac0) at /home/fedorenko/php7/php-src/Zend/zend.c:996
#6  0x00007f4e1f7ad742 in zend_mm_check_leaks (heap=0x7f4e15800040) at /home/fedorenko/php7/php-src/Zend/zend_alloc.c:1905
#7  0x00007f4e1f7ada40 in zend_mm_shutdown (heap=0x7f4e15800040, full=0, silent=0) at /home/fedorenko/php7/php-src/Zend/zend_alloc.c:1973
#8  0x00007f4e1f7ae886 in shutdown_memory_manager (silent=0, full_shutdown=0) at /home/fedorenko/php7/php-src/Zend/zend_alloc.c:2392
#9  0x00007f4e1f74ca66 in php_request_shutdown (dummy=0x0) at /home/fedorenko/php7/php-src/main/main.c:1837
#10 0x00007f4e1f89e816 in php_apache_request_dtor (r=0x7f4e15a0a0a0) at /home/fedorenko/php7/php-src/sapi/apache2handler/sapi_apache2.c:513
#11 0x00007f4e1f89f141 in php_handler (r=0x7f4e15a0a0a0) at /home/fedorenko/php7/php-src/sapi/apache2handler/sapi_apache2.c:685
#12 0x00007f4e23ea1880 in ap_run_handler ()
#13 0x00007f4e23ea1dc9 in ap_invoke_handler ()
#14 0x00007f4e23eb789a in ap_process_async_request ()
#15 0x00007f4e23eb7b74 in ap_process_request ()
#16 0x00007f4e23eb4622 in ?? ()
#17 0x00007f4e23eab370 in ap_run_process_connection ()
#18 0x00007f4e202d6767 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#19 0x00007f4e202d69a6 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#20 0x00007f4e202d6a06 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#21 0x00007f4e202d76e0 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#22 0x00007f4e23e87c0e in ap_run_mpm ()
#23 0x00007f4e23e813c6 in main ()
 [2015-07-16 02:59 UTC] laruence@php.net
hmm, or maybe you could grant me ssh access to that box? (if it is possible, please send it to me via mail). thanks
 [2015-07-16 04:57 UTC] dmifedorenko at gmail dot com
We set up a public Jira with minimal rights to reproduce the problem.

I sent you the test case file via email, please don't publish it for everyone :)

Thank you.
 [2015-07-16 06:03 UTC] laruence@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: laruence
 [2015-07-16 06:03 UTC] laruence@php.net
thanks, I got it.

could you please help to verify whether the following patch fixes the problem?

diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
index e0a749f..60dd9dd 100644
--- a/ext/soap/php_http.c
+++ b/ext/soap/php_http.c
@@ -507,6 +507,7 @@ try_again:
 		if (stream) {
 			php_stream_auto_cleanup(stream);
 			add_property_resource(this_ptr, "httpsocket", stream->res);
+			GC_REFCOUNT(stream->res)++;
 			add_property_long(this_ptr, "_use_proxy", use_proxy);
 		} else {
 			php_url_free(phpurl);
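Review bot: the new `GC_REFCOUNT(stream->res)++;` line sits right after `php_stream_auto_cleanup(stream);` and `add_property_resource(this_ptr, "httpsocket", stream->res);` with no comment saying who owns which reference. Please add a one-line comment stating that the extra count belongs to the `httpsocket` property, so a later reader does not take it for a leak and remove it. It would also help to confirm that every path that later drops or replaces the `httpsocket` property releases exactly this one reference, since nothing in this hunk shows the matching decrement.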
@@ -524,6 +525,7 @@ try_again:
 		zend_resource *ret = zend_register_resource(phpurl, le_url);

 		add_property_resource(this_ptr, "httpurl", ret);
+		GC_REFCOUNT(ret)++;
 		/*zend_list_addref(ret);*/

 		if (context &&
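Review bot: in the `httpurl` hunk the new `GC_REFCOUNT(ret)++;` is followed by the leftover `/*zend_list_addref(ret);*/`, which now reads as if the addref were still disabled. Either delete the commented-out call or turn it into a comment explaining that the increment above replaces it. Since the same two-line pattern (store a resource as a property, then bump its count) now appears twice in this function, a small helper or macro would keep the two sites from drifting apart.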


thanks
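A toy model of the ownership problem the patch addresses, added here as an illustration and not taken from php-src: a block with two holders is freed early when the second holder never took a reference, the allocator reuses it for an unrelated allocation, and the late release then frees that allocation under its owner. The pool, the tags, `simulate()` and the two-holder assumption are all constructed for this example.

```c
#include <stdio.h>

/* Constructed toy model, not php-src code: a small pool with a LIFO free
 * list stands in for an allocator that hands freed blocks straight back out. */
enum { TAG_FREE, TAG_RESOURCE, TAG_OTHER, NSLOTS = 4 };
typedef struct { int refcount; int tag; } slot_t;
static slot_t pool[NSLOTS];
static int free_list[NSLOTS], free_top;
int stale_releases;  /* releases that hit a slot the holder no longer owns */

static int pool_alloc(int tag) {
    int i = free_list[--free_top];
    pool[i] = (slot_t){ 1, tag };  /* a new block starts with one reference */
    return i;
}

/* Drop one reference; the caller believes slot i still holds `tag`. */
static void pool_release(int i, int tag) {
    if (pool[i].tag != tag) stale_releases++;  /* holder outlived its block */
    if (pool[i].tag == TAG_FREE) return;
    if (--pool[i].refcount == 0) {
        pool[i].tag = TAG_FREE;
        free_list[free_top++] = i;
    }
}

/* One call with two holders of the resource (an assumption of this model). */
static int one_call(int add_ref) {
    int res = pool_alloc(TAG_RESOURCE);
    if (add_ref) pool[res].refcount++;          /* property takes its own reference */
    pool_release(res, TAG_RESOURCE);            /* first holder lets go */
    int other = pool_alloc(TAG_OTHER);          /* unrelated allocation */
    pool_release(res, TAG_RESOURCE);            /* second holder lets go */
    int victim = pool[other].tag != TAG_OTHER;  /* freed under its owner? */
    if (!victim) pool_release(other, TAG_OTHER);
    return victim;
}

/* Returns how many unrelated blocks were freed out from under their owner. */
int simulate(int calls, int add_ref) {
    int victims = 0;
    free_top = stale_releases = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) {     /* reset: every slot is free */
        pool[i] = (slot_t){ 0, TAG_FREE };
        free_list[free_top++] = i;
    }
    for (int n = 0; n < calls; n++) victims += one_call(add_ref);
    return victims;
}

int main(void) {
    printf("without addref: %d victims\n", simulate(150, 0));
    printf("with addref:    %d victims\n", simulate(150, 1));
    return 0;
}
```

The model produces a victim on every call because its free list is strictly LIFO; in a real allocator, reuse depends on size class and timing, so the damage can surface much later and in an unrelated code path.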
 [2015-07-16 07:01 UTC] dmifedorenko at gmail dot com
Yes it does! Thank you, now I can get all 150 issues without error.

Can you add the patch to PHP7 master please?
 [2015-07-16 10:37 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=deeb6379cb26d457badae58df4f24bc30a334ebe
Log: Fixed bug #70079 (Segmentation fault after more than 100 SoapClient calls)
 [2015-07-16 10:37 UTC] laruence@php.net
-Status: Feedback +Status: Closed
 [2015-07-21 14:20 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=deeb6379cb26d457badae58df4f24bc30a334ebe
Log: Fixed bug #70079 (Segmentation fault after more than 100 SoapClient calls)
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=deeb6379cb26d457badae58df4f24bc30a334ebe
Log: Fixed bug #70079 (Segmentation fault after more than 100 SoapClient calls)
Last updated: Tue Jul 25 22:01:35 2017 UTC