php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71931 Soap cache_wsdl WSDL_CACHE_MEMORY option on CLI
Submitted: 2016-03-31 10:34 UTC Modified: 2018-01-01 20:42 UTC
Votes:28
Avg. Score:4.2 ± 0.9
Reproduced:25 of 25 (100.0%)
Same Version:4 (16.0%)
Same OS:6 (24.0%)
From: nikspijkerman at gmail dot com Assigned:
Status: Duplicate Package: SOAP related
PHP Version: 7.0.4 OS: Ubuntu 14.04
Private report: No CVE-ID: None
 [2016-03-31 10:34 UTC] nikspijkerman at gmail dot com
Description:
------------
Using the SoapClient option cache_wsdl: WSDL_CACHE_MEMORY and/or WSDL_CACHE_BOTH from the Symfony 2.8 Console causes a segmentation fault. Using WSDL_CACHE_DISK does not throw an error.

Simply executing the script from a plain PHP file does not seem to reproduce the fault.

[New LWP 29769]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php app/console provider:generate_dfp_services'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f91f03700db in zend_hash_destroy ()
(gdb) bt
#0  0x00007f91f03700db in zend_hash_destroy ()
#1  0x00007f91dfaa7f31 in delete_type_persistent () from /usr/lib/php/20151012/soap.so
#2  0x00007f91f03701dd in zend_hash_destroy ()
#3  0x00007f91dfaaf3e1 in ?? () from /usr/lib/php/20151012/soap.so
#4  0x00007f91dfaaf44f in ?? () from /usr/lib/php/20151012/soap.so
#5  0x00007f91f03700d2 in zend_hash_destroy ()
#6  0x00007f91dfa7ff0b in zm_shutdown_soap () from /usr/lib/php/20151012/soap.so
#7  0x00007f91f0366313 in module_destructor ()
#8  0x00007f91f035eedc in ?? ()
#9  0x00007f91f0370c48 in zend_hash_graceful_reverse_destroy ()
#10 0x00007f91f035fea5 in zend_shutdown ()
#11 0x00007f91f0303f6b in php_module_shutdown ()
#12 0x00007f91f01f4486 in main ()

Test script:
---------------
use Symfony\Bundle\FrameworkBundle\Command\ContainerAwareCommand;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;

class MySoapClientCommand extends ContainerAwareCommand
{
    protected function configure()
    {
        $this->setName('app:mysoapclient');
    }
    protected function execute(InputInterface $input, OutputInterface $output)
    {
        $wsdl = 'https://ads.google.com/apis/ads/publisher/v201502/ActivityService?wsdl';
        $client = new \SoapClient($wsdl, ['cache_wsdl' => WSDL_CACHE_MEMORY]);
    }
}

Then from the CLI:
$ php app/console app:mysoapclient


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-04-11 18:03 UTC] colin at mollenhour dot com
I have an almost identical segfault backtrace in a project not related to Symphony. I removed the option for WSDL_CACHE_BOTH and will see if it resolved the issue but either way seems to be a bug in the SOAP module.

PHP 7.0.5 - Ubuntu 14.04 - ondrej/php build
 [2016-05-19 09:12 UTC] johan-php at localhost dot nl
It's still there in 7.0.6 (Ubuntu 16.04).
 [2016-10-04 23:45 UTC] dominic at varspool dot com
Still present in 7.0.11

Seen this in Ondrej Sury's builds, but also in the Docker library images (https://hub.docker.com/_/php/) which are completely different, so it's unlikely to be related to packaging.

Here's a bt with debugging symbols against 7.0.11

Program received signal SIGSEGV, Segmentation fault.
0x00005555557b9dab in zend_hash_destroy ()
(gdb) bt
#0  0x00005555557b9dab in zend_hash_destroy ()
#1  0x00007fffe7e81f51 in delete_type_persistent (zv=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/ext/soap/php_schema.c:2459
#2  0x00005555557b9ead in zend_hash_destroy ()
#3  0x00007fffe7e89401 in delete_psdl_int (p=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/ext/soap/php_sdl.c:3130
#4  0x00007fffe7e8946f in delete_psdl (zv=0x555556f0fc90) at /build/php7.0-j_qgKJ/php7.0-7.0.11/ext/soap/php_sdl.c:3150
#5  0x00005555557b9da2 in zend_hash_destroy ()
#6  0x00007fffe7e59f0b in zm_shutdown_soap (type=<optimized out>, module_number=41) at /build/php7.0-j_qgKJ/php7.0-7.0.11/ext/soap/soap.c:598
#7  0x00005555557affa3 in module_destructor ()
#8  0x00005555557a8a4c in ?? ()
#9  0x00005555557ba918 in zend_hash_graceful_reverse_destroy ()
#10 0x00005555557a9a15 in zend_shutdown ()
#11 0x000055555574d20b in php_module_shutdown ()
#12 0x000055555563cb36 in main ()
 [2016-10-04 23:49 UTC] dominic at varspool dot com
Sorry, more symbols:

#0  zend_hash_destroy (ht=0x55555656c0f0) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_hash.c:1278
#1  0x00007fffe7e81f51 in delete_type_persistent (zv=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/ext/soap/php_schema.c:2459
#2  0x00005555557b9ead in zend_hash_destroy (ht=0x5555563500f0) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_hash.c:1265
#3  0x00007fffe7e89401 in delete_psdl_int (p=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/ext/soap/php_sdl.c:3130
#4  0x00007fffe7e8946f in delete_psdl (zv=0x555556627c60) at /build/php7.0-j_qgKJ/php7.0-7.0.11/ext/soap/php_sdl.c:3150
#5  0x00005555557b9da2 in zend_hash_destroy (ht=0x555556351320) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_hash.c:1276
#6  0x00007fffe7e59f0b in zm_shutdown_soap (type=<optimized out>, module_number=41) at /build/php7.0-j_qgKJ/php7.0-7.0.11/ext/soap/soap.c:598
#7  0x00005555557affa3 in module_destructor (module=module@entry=0x555555c27430) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_API.c:2505
#8  0x00005555557a8a4c in module_destructor_zval (zv=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend.c:615
#9  0x00005555557ba918 in _zend_hash_del_el_ex (prev=<optimized out>, p=<optimized out>, idx=<optimized out>, ht=<optimized out>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_hash.c:1026
#10 _zend_hash_del_el (p=0x555555c1c550, idx=40, ht=0x555555b87860 <module_registry>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_hash.c:1050
#11 zend_hash_graceful_reverse_destroy (ht=ht@entry=0x555555b87860 <module_registry>) at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_hash.c:1502
#12 0x00005555557ae39c in zend_destroy_modules () at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend_API.c:1984
#13 0x00005555557a9a15 in zend_shutdown () at /build/php7.0-j_qgKJ/php7.0-7.0.11/Zend/zend.c:840
#14 0x000055555574d20b in php_module_shutdown () at /build/php7.0-j_qgKJ/php7.0-7.0.11/main/main.c:2362
#15 0x000055555563cb36 in main (argc=7, argv=0x555555b8ad20) at /build/php7.0-j_qgKJ/php7.0-7.0.11/sapi/cli/php_cli.c:1359
 [2016-10-20 07:00 UTC] fedoreyev at gmail dot com
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-80.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/php-7.1.0d/bin/php...done.

warning: core file may not match specified executable file.
[New LWP 21224]
Missing separate debuginfo for /lib64/libmysqlclient.so.18
Try: yum --enablerepo='*debug*' install /usr/lib/debug/.build-id/97/92a5f335292ffd1eca1fefeb50672acaae2e07.debug
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/opt/php-7.1.0d/bin/php /home/vlru/adventure/app/console_test yading --env=dr'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000a2464d in zend_string_release (s=0x7f4ceb3be9b0) at /usr/local/src/php-7.1.0RC4/Zend/zend_string.h:270
270		if (!ZSTR_IS_INTERNED(s)) {
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-20.el7_2.x86_64 freetype-2.4.11-11.el7.x86_64 glibc-2.17-106.el7_2.8.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.13.2-12.el7_2.x86_64 libcom_err-1.42.9-7.el7.x86_64 libcurl-7.29.0-25.el7.centos.x86_64 libgcc-4.8.5-4.el7.x86_64 libgcrypt-1.5.3-12.el7_1.1.x86_64 libgpg-error-1.12-3.el7.x86_64 libidn-1.28-4.el7.x86_64 libjpeg-turbo-1.2.90-5.el7.x86_64 libmcrypt-2.5.8-13.el7.x86_64 libpng-1.5.13-7.el7_2.x86_64 libselinux-2.2.2-6.el7.x86_64 libssh2-1.4.3-10.el7_2.1.x86_64 libstdc++-4.8.5-4.el7.x86_64 libtidy-0.99.0-31.20091203.el7.x86_64 libxml2-2.9.1-6.el7_2.3.x86_64 libxslt-1.1.28-5.el7.x86_64 nspr-4.11.0-1.el7_2.x86_64 nss-3.21.0-9.el7_2.x86_64 nss-softokn-freebl-3.16.2.3-14.2.el7_2.x86_64 nss-util-3.21.0-2.2.el7_2.x86_64 openldap-2.4.40-9.el7_2.x86_64 openssl-libs-1.0.1e-51.el7_2.5.x86_64 pcre-8.32-15.el7_2.1.x86_64 xz-libs-5.1.2-12alpha.el7.x86_64 zlib-1.2.7-15.el7.x86_64
(gdb) bt
#0  0x0000000000a2464d in zend_string_release (s=0x7f4ceb3be9b0) at /usr/local/src/php-7.1.0RC4/Zend/zend_string.h:270
#1  0x0000000000a287af in zend_hash_destroy (ht=0x1bbd2f0) at /usr/local/src/php-7.1.0RC4/Zend/zend_hash.c:1251
#2  0x00000000007e3727 in delete_type_persistent (zv=0x1b8eb18) at /usr/local/src/php-7.1.0RC4/ext/soap/php_schema.c:2459
#3  0x0000000000a28714 in zend_hash_destroy (ht=0x1b8da00) at /usr/local/src/php-7.1.0RC4/Zend/zend_hash.c:1238
#4  0x00000000007f1a17 in delete_psdl_int (p=0x1be5340) at /usr/local/src/php-7.1.0RC4/ext/soap/php_sdl.c:3130
#5  0x00000000007f1ad7 in delete_psdl (zv=0x1b8d430) at /usr/local/src/php-7.1.0RC4/ext/soap/php_sdl.c:3150
#6  0x0000000000a287ea in zend_hash_destroy (ht=0x1b00000) at /usr/local/src/php-7.1.0RC4/Zend/zend_hash.c:1257
#7  0x00000000007b3963 in zm_shutdown_soap (type=1, module_number=33) at /usr/local/src/php-7.1.0RC4/ext/soap/soap.c:598
#8  0x0000000000a1dc9c in module_destructor (module=0x19866d0) at /usr/local/src/php-7.1.0RC4/Zend/zend_API.c:2499
#9  0x0000000000a12021 in module_destructor_zval (zv=0x7ffd2f850270) at /usr/local/src/php-7.1.0RC4/Zend/zend.c:632
#10 0x0000000000a27dfd in _zend_hash_del_el_ex (ht=0x1444dc0 <module_registry>, idx=32, p=0x19ba5a0, prev=0x0) at /usr/local/src/php-7.1.0RC4/Zend/zend_hash.c:1000
#11 0x0000000000a27ec8 in _zend_hash_del_el (ht=0x1444dc0 <module_registry>, idx=32, p=0x19ba5a0) at /usr/local/src/php-7.1.0RC4/Zend/zend_hash.c:1023
#12 0x0000000000a291b5 in zend_hash_graceful_reverse_destroy (ht=0x1444dc0 <module_registry>) at /usr/local/src/php-7.1.0RC4/Zend/zend_hash.c:1479
#13 0x0000000000a1bc57 in zend_destroy_modules () at /usr/local/src/php-7.1.0RC4/Zend/zend_API.c:1978
#14 0x0000000000a1268d in zend_shutdown () at /usr/local/src/php-7.1.0RC4/Zend/zend.c:860
#15 0x0000000000984084 in php_module_shutdown () at /usr/local/src/php-7.1.0RC4/main/main.c:2401
#16 0x0000000000af4610 in main (argc=4, argv=0x197cb30) at /usr/local/src/php-7.1.0RC4/sapi/cli/php_cli.c:1393
 [2016-11-02 13:31 UTC] kevin dot letord at openclassrooms dot com
Still present in 7.0.12 on MacOS X

Process:               php [62107]
Path:                  /usr/local/Cellar/php70/7.0.12_5/bin/php
Identifier:            php
Version:               0
Code Type:             X86-64 (Native)
Parent Process:        zsh [701]
Responsible:           iTerm2 [696]
User ID:               502

Date/Time:             2016-11-02 14:17:24.450 +0100
OS Version:            Mac OS X 10.11.6 (15G1108)
Report Version:        11
Anonymous UUID:        82D86DB1-0CCB-203A-1A50-3F1ED24A48DD


Time Awake Since Boot: 17000 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x000000010d6d6d75

VM Regions Near 0x10d6d6d75:
    VM_ALLOCATE            000000010d200000-000000010d400000 [ 2048K] rw-/rwx SM=PRV  
--> 
    MALLOC_LARGE           000000010e400000-000000010e640000 [ 2304K] rw-/rwx SM=PRV  

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   php                           	0x0000000109f5396c zend_hash_destroy + 348
1   php                           	0x0000000109dcbb43 delete_type_persistent + 342
2   php                           	0x0000000109f53895 zend_hash_destroy + 133
3   php                           	0x0000000109dd424c delete_psdl_int + 105
4   php                           	0x0000000109dd407a delete_psdl + 17
5   php                           	0x0000000109f53962 zend_hash_destroy + 338
6   php                           	0x0000000109da71b6 zm_shutdown_soap + 82
7   php                           	0x0000000109f4c1c7 module_destructor + 117
8   php                           	0x0000000109f43e5e module_destructor_zval + 17
9   php                           	0x0000000109f531e8 _zend_hash_del_el_ex + 308
10  php                           	0x0000000109f544d1 zend_hash_graceful_reverse_destroy + 175
11  php                           	0x0000000109f43fe5 zend_shutdown + 225
12  php                           	0x0000000109ee7117 php_module_shutdown + 42
13  php                           	0x0000000109fd1ff4 main + 1381
14  libdyld.dylib                 	0x00007fff8c3e55ad start + 1

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x00007fff7989f420  rbx: 0x0000010000000000  rcx: 0x00000000001f8100  rdx: 0x0000000000132480
  rdi: 0x000000010d6d6d70  rsi: 0x000000010abe9200  rbp: 0x00007fff560e5d10  rsp: 0x00007fff560e5ce0
   r8: 0x0000000000000000   r9: 0x00007faa79c2be80  r10: 0x000000008c2dd4b2  r11: 0x00007faa79c00000
  r12: 0x00007faa7a03fa80  r13: 0x000000010a532db2  r14: 0x00007faa79c78fc0  r15: 0x00007faa7a03fe20
  rip: 0x0000000109f5396c  rfl: 0x0000000000010202  cr2: 0x000000010d6d6d75
  
Logical CPU:     0
Error Code:      0x00000004
Trap Number:     14


lldb

(lldb) bt
* thread #1: tid = 0x442c0, 0x00007fff9c37d8ea libsystem_kernel.dylib`__kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGSEGV
  * frame #0: 0x00007fff9c37d8ea libsystem_kernel.dylib`__kill + 10
    frame #1: 0x0000000101dcc1cb php`zend_mm_panic + 52
    frame #2: 0x0000000101dcd2a2 php`zend_mm_free_heap + 733
    frame #3: 0x0000000101e0099b php`zend_hash_destroy + 395
    frame #4: 0x0000000101c78b43 php`delete_type_persistent + 342
    frame #5: 0x0000000101e00895 php`zend_hash_destroy + 133
    frame #6: 0x0000000101c8124c php`delete_psdl_int + 105
    frame #7: 0x0000000101c8107a php`delete_psdl + 17
    frame #8: 0x0000000101e00962 php`zend_hash_destroy + 338
    frame #9: 0x0000000101c541b6 php`zm_shutdown_soap + 82
    frame #10: 0x0000000101df91c7 php`module_destructor + 117
    frame #11: 0x0000000101df0e5e php`module_destructor_zval + 17
    frame #12: 0x0000000101e001e8 php`_zend_hash_del_el_ex + 308
    frame #13: 0x0000000101e014d1 php`zend_hash_graceful_reverse_destroy + 175
    frame #14: 0x0000000101df0fe5 php`zend_shutdown + 225
    frame #15: 0x0000000101d94117 php`php_module_shutdown + 42
    frame #16: 0x0000000101e7eff4 php`main + 1381
    frame #17: 0x00007fff8c3e55ad libdyld.dylib`start + 1
    frame #18: 0x00007fff8c3e55ad libdyld.dylib`start + 1
 [2016-11-02 22:49 UTC] gcarrette at wayfair dot com
Here is a self-contained simple script you can use to reproduce this at will.
The script was derived from a bug report 50722, but adds a real wsdl reference url. I also get the same error in a more complex application, with only 1 wsdl
file. The work around is to stick with WSDL_CACHE_DISK and avoid MEMORY/BOTH.

$wsdl_url = 'https://webservices.sandbox.netsuite.com/wsdl/v2013_2_0/netsuite.wsdl';

$wsdl_xml = file_get_contents($wsdl_url);

for($j = 1; $j <= 6; $j++) {
 $status = file_put_contents("wsdl-file-$j.wsdl", $wsdl_xml);
 if ($status === false) {
   echo "ERROR: Failed to write wsdl-file-$j.wsdl\n";
 }
}

ini_set('soap.wsdl_cache_enabled', 1);
ini_set('soap.wsdl_cache', WSDL_CACHE_MEMORY);
ini_set('soap.wsdl_cache_limit', 5); // Note: Cache size of 5.

function test($x)
{
  $client1 = new SoapClient("./wsdl-file-1.wsdl");
  $client2 = new SoapClient("./wsdl-file-2.wsdl");
  $client3 = new SoapClient("./wsdl-file-3.wsdl");
  $client4 = new SoapClient("./wsdl-file-4.wsdl");
  $client5 = new SoapClient("./wsdl-file-5.wsdl");

  return $x; //web server segfaults or corrupt XML returned
}

$server = new SoapServer("./wsdl-file-6.wsdl");
$server->addFunction("test");
$server->handle();

test(null);
 [2016-11-24 03:32 UTC] bddenhartog at gmail dot com
I have this same issue running PHP-CGI under IIS.

The server is Windows Server 2012 R2 Datacenter.
 [2017-01-27 07:58 UTC] tentje at gmail dot com
The issue persists in PHP 7.1.1
 [2017-05-15 14:37 UTC] tech at enuygun dot com
Issue still exists in 7.1.4 and 7.1.5, debian jessie with sury php packages.
 [2017-06-08 17:19 UTC] nunojsferreira at gmail dot com
I am experiencing the exact same problem in a containerized symfony app based on docker image from docker hub php:7.1-apache more specifically PHP 7.1.5 (cli) (built: May 13 2017 00:13:21) ( NTS )

When disabling the WSDL_CACHE_BOTH to just DISK or NONE seem to prevent the issue from happening.

I was experiencing the problem randomly. CURLing the exact same request could segfault  or not.

Probably not relevant but its also a symfony 2.8 app.
 [2017-11-16 14:18 UTC] mike dot grinspan at gmail dot com
Issue persists on ubuntu 17.04 (zesty) with PHP 7.1.11 (ondrej/php)
 [2018-01-01 20:42 UTC] nikic@php.net
Based on the backtrace (and the fact that it only happens when the WSDL memory cache is enabled) this is very likely the same issue as bug #75502, which is now fixed.
 [2018-01-01 20:42 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Dec 14 00:01:23 2019 UTC