php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77751 Writing to SplFileObject in ob_start gives segfault
Submitted: 2019-03-15 19:08 UTC Modified: 2023-10-14 22:02 UTC
From: michael dot mauch at gmx dot de Assigned: dmitry (profile)
Status: Assigned Package: SPL related
PHP Version: 7.3.3 OS: Ubuntu 16.04
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: michael dot mauch at gmx dot de
New email:
PHP Version: OS:

 

 [2019-03-15 19:08 UTC] michael dot mauch at gmx dot de
Description:
------------
I'm using a function like below to redirect all output to a log file in PHP CLI scripts.

It works until PHP 7.1, but crashes with SIGSEGV in 7.2 and 7.3. If I use old fopen() instead of SplFileObject, it also works with 7.2 and 7.3.

Oracle Linux 7.x at work, Ubuntu 16.04 at home, or even in docker with the official images.


Test script:
---------------
<?php
$logfilename = "/tmp/crash.log";
$logfile = new SplFileObject($logfilename, "w");
ob_start(function ($buffer) use ($logfile) {
    $logfile->fwrite($buffer);
    $logfile->fflush();
    return "";
});
echo "hmm\n";


Expected result:
----------------
# Like with PHP 7.1:

% docker run -it --rm -v "$PWD":/tmp -w /tmp php:7.1-cli /bin/bash -c 'ulimit -c unlimited; php -v; php ./crash.php && echo ok'
PHP 7.1.27 (cli) (built: Mar  9 2019 02:51:22) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies
ok



Actual result:
--------------
# But with PHP 7.3:

% docker run -it --rm -v "$PWD":/tmp -w /tmp php:cli /bin/bash -c 'ulimit -c unlimited; php -v; php ./crash.php && echo ok' 
PHP 7.3.3 (cli) (built: Mar  9 2019 00:27:53) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.3, Copyright (c) 1998-2018 Zend Technologies
/bin/bash: line 1:     7 Segmentation fault      (core dumped) php ./crash.php


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-03-15 19:45 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2019-03-15 19:45 UTC] requinix@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2019-03-15 22:21 UTC] michael dot mauch at gmx dot de
-Status: Feedback +Status: Open
 [2019-03-15 22:21 UTC] michael dot mauch at gmx dot de
% gdb sapi/cli/php core
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from sapi/cli/php...done.
[New LWP 16070]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `sapi/cli/php -n /home/elmicha/php/crash.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f1f5c884460 in ?? ()
(gdb) bt
#0  0x00007f1f5c884460 in ?? ()
#1  0x000000000070871b in _php_stream_write_buffer (stream=0x7f1f5c884380, buf=0x7f1f5c801a38 "hmm\n", count=4)
    at /usr/local/src/misc/php-7.3.3/main/streams/streams.c:1083
#2  0x000000000070a1dd in _php_stream_write (stream=0x7f1f5c884380, buf=<optimized out>, count=<optimized out>)
    at /usr/local/src/misc/php-7.3.3/main/streams/streams.c:1198
#3  0x000000000064f621 in zim_spl_SplFileObject_fwrite (execute_data=0x7f1f5c81e0d0, return_value=0x7ffdf098a380)
    at /usr/local/src/misc/php-7.3.3/ext/spl/spl_directory.c:2902
#4  0x00000000007e19b8 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /usr/local/src/misc/php-7.3.3/Zend/zend_vm_execute.h:980
#5  execute_ex (ex=0x7f1f5c884380) at /usr/local/src/misc/php-7.3.3/Zend/zend_vm_execute.h:55485
#6  0x0000000000744598 in zend_call_function (fci=0x7f1f5c81e030, fci_cache=<optimized out>)
    at /usr/local/src/misc/php-7.3.3/Zend/zend_execute_API.c:756
#7  0x000000000075c1d5 in zend_fcall_info_call (fci=0x7f1f5c87a070, fcc=0x7f1f5c87a0a8, retval_ptr=retval_ptr@entry=0x7ffdf098a540, 
    args=args@entry=0x0) at /usr/local/src/misc/php-7.3.3/Zend/zend_API.c:3663
#8  0x0000000000706a15 in php_output_handler_op (context=0x7ffdf098a570, handler=0x7f1f5c86e140)
    at /usr/local/src/misc/php-7.3.3/main/output.c:969
#9  php_output_stack_pop (flags=1) at /usr/local/src/misc/php-7.3.3/main/output.c:1230
#10 php_output_end_all () at /usr/local/src/misc/php-7.3.3/main/output.c:339
#11 0x00000000006f0945 in php_request_shutdown (dummy=dummy@entry=0x0) at /usr/local/src/misc/php-7.3.3/main/main.c:1889
#12 0x00000000007e38ac in do_cli (argc=3, argv=0x20ec240) at /usr/local/src/misc/php-7.3.3/sapi/cli/php_cli.c:1164
#13 0x000000000043ba7c in main (argc=3, argv=0x20ec240) at /usr/local/src/misc/php-7.3.3/sapi/cli/php_cli.c:1389
(gdb)
 [2019-03-16 02:41 UTC] danack@php.net
Hi, please could you try running it through a new bash shell like*:

bash -c 'sapi/cli/php -n /home/elmicha/php/crash.php'

and see if the problem "goes away"?


* - (or possibly similar
 [2019-03-16 10:08 UTC] michael dot mauch at gmx dot de
Hi,

no, it's the same with bash:

% LC_ALL=C bash --norc -c "ulimit -c unlimited; /usr/local/src/misc/php-7.3.3/sapi/cli/php -n ~/php/crash.php"
bash: line 1: 21765 Segmentation fault      (core dumped) /usr/local/src/misc/php-7.3.3/sapi/cli/php -n ~/php/crash.php

I also tried the crash.php on my Raspberry Pi with PHP 7.2.16 and it also crashes.

It's also the same in Docker:

% docker run -it --rm -v "$PWD":/tmp -w /tmp php:7.3-cli-alpine /bin/sh -c 'ulimit -c unlimited; php -v; php ./crash.php && echo ok' 
  PHP 7.3.3 (cli) (built: Mar  9 2019 00:59:08) ( NTS )
  Copyright (c) 1997-2018 The PHP Group
  Zend Engine v3.3.3, Copyright (c) 1998-2018 Zend Technologies
  Segmentation fault (core dumped)
 [2019-03-16 10:18 UTC] michael dot mauch at gmx dot de
With PHP 7.2.0 it crashes, 7.1.27 doesn't.
 [2019-03-16 10:25 UTC] michael dot mauch at gmx dot de
Tried to find a tutorial for git bisect, but found https://bugs.php.net/bugs-getting-valgrind-log.php instead. Here's with PHP-7.3.3:

% export USE_ZEND_ALLOC=0
% export ZEND_DONT_UNLOAD_MODULES=1
% valgrind --tool=memcheck --num-callers=30 --log-file=php.log sapi/cli/php -n ~/php/crash.php 
zsh: segmentation fault  valgrind --tool=memcheck --num-callers=30 --log-file=php.log sapi/cli/php -n 

==23707== Memcheck, a memory error detector
==23707== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==23707== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==23707== Command: sapi/cli/php -n /home/elmicha/php/crash.php
==23707== Parent PID: 17370
==23707== 
==23707== Invalid read of size 8
==23707==    at 0x70A19A: _php_stream_write (streams.c:1191)
==23707==    by 0x64F620: zim_spl_SplFileObject_fwrite (spl_directory.c:2902)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x744597: zend_call_function (zend_execute_API.c:756)
==23707==    by 0x75C1D4: zend_fcall_info_call (zend_API.c:3663)
==23707==    by 0x706A14: php_output_handler_op (output.c:969)
==23707==    by 0x706A14: php_output_stack_pop (output.c:1230)
==23707==    by 0x706A14: php_output_end_all (output.c:339)
==23707==    by 0x6F0944: php_request_shutdown (main.c:1889)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Address 0x8bf2360 is 0 bytes inside a block of size 224 free'd
==23707==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x70A0A7: _php_stream_free (streams.c:504)
==23707==    by 0x7897E4: zend_objects_store_call_destructors (zend_objects_API.c:56)
==23707==    by 0x7430FA: shutdown_destructors (zend_execute_API.c:242)
==23707==    by 0x7528F6: zend_call_destructors (zend.c:1089)
==23707==    by 0x6F08E4: php_request_shutdown (main.c:1873)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Block was alloc'd at
==23707==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x728C08: __zend_malloc (zend_alloc.c:2903)
==23707==    by 0x709264: _php_stream_alloc (streams.c:272)
==23707==    by 0x70FF4A: _php_stream_fopen_from_fd (plain_wrapper.c:246)
==23707==    by 0x7103AC: _php_stream_fopen (plain_wrapper.c:1054)
==23707==    by 0x70BC37: _php_stream_open_wrapper_ex (streams.c:2026)
==23707==    by 0x64FE83: spl_filesystem_file_open.isra.3 (spl_directory.c:300)
==23707==    by 0x650113: zim_spl_SplFileObject___construct (spl_directory.c:2283)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x7E2089: zend_execute (zend_vm_execute.h:60881)
==23707==    by 0x752CF2: zend_execute_scripts (zend.c:1568)
==23707==    by 0x6F1C2F: php_execute_script (main.c:2630)
==23707==    by 0x7E4528: do_cli (php_cli.c:997)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707== 
==23707== Invalid read of size 8
==23707==    at 0x70A1A3: _php_stream_write (streams.c:1195)
==23707==    by 0x64F620: zim_spl_SplFileObject_fwrite (spl_directory.c:2902)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x744597: zend_call_function (zend_execute_API.c:756)
==23707==    by 0x75C1D4: zend_fcall_info_call (zend_API.c:3663)
==23707==    by 0x706A14: php_output_handler_op (output.c:969)
==23707==    by 0x706A14: php_output_stack_pop (output.c:1230)
==23707==    by 0x706A14: php_output_end_all (output.c:339)
==23707==    by 0x6F0944: php_request_shutdown (main.c:1889)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Address 0x8bf2388 is 40 bytes inside a block of size 224 free'd
==23707==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x70A0A7: _php_stream_free (streams.c:504)
==23707==    by 0x7897E4: zend_objects_store_call_destructors (zend_objects_API.c:56)
==23707==    by 0x7430FA: shutdown_destructors (zend_execute_API.c:242)
==23707==    by 0x7528F6: zend_call_destructors (zend.c:1089)
==23707==    by 0x6F08E4: php_request_shutdown (main.c:1873)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Block was alloc'd at
==23707==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x728C08: __zend_malloc (zend_alloc.c:2903)
==23707==    by 0x709264: _php_stream_alloc (streams.c:272)
==23707==    by 0x70FF4A: _php_stream_fopen_from_fd (plain_wrapper.c:246)
==23707==    by 0x7103AC: _php_stream_fopen (plain_wrapper.c:1054)
==23707==    by 0x70BC37: _php_stream_open_wrapper_ex (streams.c:2026)
==23707==    by 0x64FE83: spl_filesystem_file_open.isra.3 (spl_directory.c:300)
==23707==    by 0x650113: zim_spl_SplFileObject___construct (spl_directory.c:2283)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x7E2089: zend_execute (zend_vm_execute.h:60881)
==23707==    by 0x752CF2: zend_execute_scripts (zend.c:1568)
==23707==    by 0x6F1C2F: php_execute_script (main.c:2630)
==23707==    by 0x7E4528: do_cli (php_cli.c:997)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707== 
==23707== Invalid read of size 8
==23707==    at 0x7086B3: _php_stream_write_buffer (streams.c:1071)
==23707==    by 0x70A1DC: _php_stream_write (streams.c:1198)
==23707==    by 0x64F620: zim_spl_SplFileObject_fwrite (spl_directory.c:2902)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x744597: zend_call_function (zend_execute_API.c:756)
==23707==    by 0x75C1D4: zend_fcall_info_call (zend_API.c:3663)
==23707==    by 0x706A14: php_output_handler_op (output.c:969)
==23707==    by 0x706A14: php_output_stack_pop (output.c:1230)
==23707==    by 0x706A14: php_output_end_all (output.c:339)
==23707==    by 0x6F0944: php_request_shutdown (main.c:1889)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Address 0x8bf2360 is 0 bytes inside a block of size 224 free'd
==23707==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x70A0A7: _php_stream_free (streams.c:504)
==23707==    by 0x7897E4: zend_objects_store_call_destructors (zend_objects_API.c:56)
==23707==    by 0x7430FA: shutdown_destructors (zend_execute_API.c:242)
==23707==    by 0x7528F6: zend_call_destructors (zend.c:1089)
==23707==    by 0x6F08E4: php_request_shutdown (main.c:1873)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Block was alloc'd at
==23707==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x728C08: __zend_malloc (zend_alloc.c:2903)
==23707==    by 0x709264: _php_stream_alloc (streams.c:272)
==23707==    by 0x70FF4A: _php_stream_fopen_from_fd (plain_wrapper.c:246)
==23707==    by 0x7103AC: _php_stream_fopen (plain_wrapper.c:1054)
==23707==    by 0x70BC37: _php_stream_open_wrapper_ex (streams.c:2026)
==23707==    by 0x64FE83: spl_filesystem_file_open.isra.3 (spl_directory.c:300)
==23707==    by 0x650113: zim_spl_SplFileObject___construct (spl_directory.c:2283)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x7E2089: zend_execute (zend_vm_execute.h:60881)
==23707==    by 0x752CF2: zend_execute_scripts (zend.c:1568)
==23707==    by 0x6F1C2F: php_execute_script (main.c:2630)
==23707==    by 0x7E4528: do_cli (php_cli.c:997)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707== 
==23707== Invalid read of size 1
==23707==    at 0x7086BF: _php_stream_write_buffer (streams.c:1071)
==23707==    by 0x70A1DC: _php_stream_write (streams.c:1198)
==23707==    by 0x64F620: zim_spl_SplFileObject_fwrite (spl_directory.c:2902)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x744597: zend_call_function (zend_execute_API.c:756)
==23707==    by 0x75C1D4: zend_fcall_info_call (zend_API.c:3663)
==23707==    by 0x706A14: php_output_handler_op (output.c:969)
==23707==    by 0x706A14: php_output_stack_pop (output.c:1230)
==23707==    by 0x706A14: php_output_end_all (output.c:339)
==23707==    by 0x6F0944: php_request_shutdown (main.c:1889)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Address 0x8bf23d4 is 116 bytes inside a block of size 224 free'd
==23707==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x70A0A7: _php_stream_free (streams.c:504)
==23707==    by 0x7897E4: zend_objects_store_call_destructors (zend_objects_API.c:56)
==23707==    by 0x7430FA: shutdown_destructors (zend_execute_API.c:242)
==23707==    by 0x7528F6: zend_call_destructors (zend.c:1089)
==23707==    by 0x6F08E4: php_request_shutdown (main.c:1873)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Block was alloc'd at
==23707==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x728C08: __zend_malloc (zend_alloc.c:2903)
==23707==    by 0x709264: _php_stream_alloc (streams.c:272)
==23707==    by 0x70FF4A: _php_stream_fopen_from_fd (plain_wrapper.c:246)
==23707==    by 0x7103AC: _php_stream_fopen (plain_wrapper.c:1054)
==23707==    by 0x70BC37: _php_stream_open_wrapper_ex (streams.c:2026)
==23707==    by 0x64FE83: spl_filesystem_file_open.isra.3 (spl_directory.c:300)
==23707==    by 0x650113: zim_spl_SplFileObject___construct (spl_directory.c:2283)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x7E2089: zend_execute (zend_vm_execute.h:60881)
==23707==    by 0x752CF2: zend_execute_scripts (zend.c:1568)
==23707==    by 0x6F1C2F: php_execute_script (main.c:2630)
==23707==    by 0x7E4528: do_cli (php_cli.c:997)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707== 
==23707== Invalid read of size 8
==23707==    at 0x708730: _php_stream_write_buffer (streams.c:1071)
==23707==    by 0x70A1DC: _php_stream_write (streams.c:1198)
==23707==    by 0x64F620: zim_spl_SplFileObject_fwrite (spl_directory.c:2902)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x744597: zend_call_function (zend_execute_API.c:756)
==23707==    by 0x75C1D4: zend_fcall_info_call (zend_API.c:3663)
==23707==    by 0x706A14: php_output_handler_op (output.c:969)
==23707==    by 0x706A14: php_output_stack_pop (output.c:1230)
==23707==    by 0x706A14: php_output_end_all (output.c:339)
==23707==    by 0x6F0944: php_request_shutdown (main.c:1889)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Address 0x8bf2418 is 184 bytes inside a block of size 224 free'd
==23707==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x70A0A7: _php_stream_free (streams.c:504)
==23707==    by 0x7897E4: zend_objects_store_call_destructors (zend_objects_API.c:56)
==23707==    by 0x7430FA: shutdown_destructors (zend_execute_API.c:242)
==23707==    by 0x7528F6: zend_call_destructors (zend.c:1089)
==23707==    by 0x6F08E4: php_request_shutdown (main.c:1873)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Block was alloc'd at
==23707==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x728C08: __zend_malloc (zend_alloc.c:2903)
==23707==    by 0x709264: _php_stream_alloc (streams.c:272)
==23707==    by 0x70FF4A: _php_stream_fopen_from_fd (plain_wrapper.c:246)
==23707==    by 0x7103AC: _php_stream_fopen (plain_wrapper.c:1054)
==23707==    by 0x70BC37: _php_stream_open_wrapper_ex (streams.c:2026)
==23707==    by 0x64FE83: spl_filesystem_file_open.isra.3 (spl_directory.c:300)
==23707==    by 0x650113: zim_spl_SplFileObject___construct (spl_directory.c:2283)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x7E2089: zend_execute (zend_vm_execute.h:60881)
==23707==    by 0x752CF2: zend_execute_scripts (zend.c:1568)
==23707==    by 0x6F1C2F: php_execute_script (main.c:2630)
==23707==    by 0x7E4528: do_cli (php_cli.c:997)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707== 
==23707== Invalid read of size 8
==23707==    at 0x708737: _php_stream_write_buffer (streams.c:1071)
==23707==    by 0x70A1DC: _php_stream_write (streams.c:1198)
==23707==    by 0x64F620: zim_spl_SplFileObject_fwrite (spl_directory.c:2902)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x744597: zend_call_function (zend_execute_API.c:756)
==23707==    by 0x75C1D4: zend_fcall_info_call (zend_API.c:3663)
==23707==    by 0x706A14: php_output_handler_op (output.c:969)
==23707==    by 0x706A14: php_output_stack_pop (output.c:1230)
==23707==    by 0x706A14: php_output_end_all (output.c:339)
==23707==    by 0x6F0944: php_request_shutdown (main.c:1889)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Address 0x8bf2410 is 176 bytes inside a block of size 224 free'd
==23707==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x70A0A7: _php_stream_free (streams.c:504)
==23707==    by 0x7897E4: zend_objects_store_call_destructors (zend_objects_API.c:56)
==23707==    by 0x7430FA: shutdown_destructors (zend_execute_API.c:242)
==23707==    by 0x7528F6: zend_call_destructors (zend.c:1089)
==23707==    by 0x6F08E4: php_request_shutdown (main.c:1873)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Block was alloc'd at
==23707==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x728C08: __zend_malloc (zend_alloc.c:2903)
==23707==    by 0x709264: _php_stream_alloc (streams.c:272)
==23707==    by 0x70FF4A: _php_stream_fopen_from_fd (plain_wrapper.c:246)
==23707==    by 0x7103AC: _php_stream_fopen (plain_wrapper.c:1054)
==23707==    by 0x70BC37: _php_stream_open_wrapper_ex (streams.c:2026)
==23707==    by 0x64FE83: spl_filesystem_file_open.isra.3 (spl_directory.c:300)
==23707==    by 0x650113: zim_spl_SplFileObject___construct (spl_directory.c:2283)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x7E2089: zend_execute (zend_vm_execute.h:60881)
==23707==    by 0x752CF2: zend_execute_scripts (zend.c:1568)
==23707==    by 0x6F1C2F: php_execute_script (main.c:2630)
==23707==    by 0x7E4528: do_cli (php_cli.c:997)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707== 
==23707== Invalid read of size 8
==23707==    at 0x7086CE: _php_stream_write_buffer (streams.c:1078)
==23707==    by 0x70A1DC: _php_stream_write (streams.c:1198)
==23707==    by 0x64F620: zim_spl_SplFileObject_fwrite (spl_directory.c:2902)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x744597: zend_call_function (zend_execute_API.c:756)
==23707==    by 0x75C1D4: zend_fcall_info_call (zend_API.c:3663)
==23707==    by 0x706A14: php_output_handler_op (output.c:969)
==23707==    by 0x706A14: php_output_stack_pop (output.c:1230)
==23707==    by 0x706A14: php_output_end_all (output.c:339)
==23707==    by 0x6F0944: php_request_shutdown (main.c:1889)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Address 0x8bf2360 is 0 bytes inside a block of size 224 free'd
==23707==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x70A0A7: _php_stream_free (streams.c:504)
==23707==    by 0x7897E4: zend_objects_store_call_destructors (zend_objects_API.c:56)
==23707==    by 0x7430FA: shutdown_destructors (zend_execute_API.c:242)
==23707==    by 0x7528F6: zend_call_destructors (zend.c:1089)
==23707==    by 0x6F08E4: php_request_shutdown (main.c:1873)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Block was alloc'd at
==23707==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x728C08: __zend_malloc (zend_alloc.c:2903)
==23707==    by 0x709264: _php_stream_alloc (streams.c:272)
==23707==    by 0x70FF4A: _php_stream_fopen_from_fd (plain_wrapper.c:246)
==23707==    by 0x7103AC: _php_stream_fopen (plain_wrapper.c:1054)
==23707==    by 0x70BC37: _php_stream_open_wrapper_ex (streams.c:2026)
==23707==    by 0x64FE83: spl_filesystem_file_open.isra.3 (spl_directory.c:300)
==23707==    by 0x650113: zim_spl_SplFileObject___construct (spl_directory.c:2283)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x7E2089: zend_execute (zend_vm_execute.h:60881)
==23707==    by 0x752CF2: zend_execute_scripts (zend.c:1568)
==23707==    by 0x6F1C2F: php_execute_script (main.c:2630)
==23707==    by 0x7E4528: do_cli (php_cli.c:997)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707== 
==23707== Invalid read of size 8
==23707==    at 0x708705: _php_stream_write_buffer (streams.c:1080)
==23707==    by 0x70A1DC: _php_stream_write (streams.c:1198)
==23707==    by 0x64F620: zim_spl_SplFileObject_fwrite (spl_directory.c:2902)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x744597: zend_call_function (zend_execute_API.c:756)
==23707==    by 0x75C1D4: zend_fcall_info_call (zend_API.c:3663)
==23707==    by 0x706A14: php_output_handler_op (output.c:969)
==23707==    by 0x706A14: php_output_stack_pop (output.c:1230)
==23707==    by 0x706A14: php_output_end_all (output.c:339)
==23707==    by 0x6F0944: php_request_shutdown (main.c:1889)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Address 0x8bf2420 is 192 bytes inside a block of size 224 free'd
==23707==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x70A0A7: _php_stream_free (streams.c:504)
==23707==    by 0x7897E4: zend_objects_store_call_destructors (zend_objects_API.c:56)
==23707==    by 0x7430FA: shutdown_destructors (zend_execute_API.c:242)
==23707==    by 0x7528F6: zend_call_destructors (zend.c:1089)
==23707==    by 0x6F08E4: php_request_shutdown (main.c:1873)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Block was alloc'd at
==23707==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x728C08: __zend_malloc (zend_alloc.c:2903)
==23707==    by 0x709264: _php_stream_alloc (streams.c:272)
==23707==    by 0x70FF4A: _php_stream_fopen_from_fd (plain_wrapper.c:246)
==23707==    by 0x7103AC: _php_stream_fopen (plain_wrapper.c:1054)
==23707==    by 0x70BC37: _php_stream_open_wrapper_ex (streams.c:2026)
==23707==    by 0x64FE83: spl_filesystem_file_open.isra.3 (spl_directory.c:300)
==23707==    by 0x650113: zim_spl_SplFileObject___construct (spl_directory.c:2283)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x7E2089: zend_execute (zend_vm_execute.h:60881)
==23707==    by 0x752CF2: zend_execute_scripts (zend.c:1568)
==23707==    by 0x6F1C2F: php_execute_script (main.c:2630)
==23707==    by 0x7E4528: do_cli (php_cli.c:997)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707== 
==23707== Invalid read of size 8
==23707==    at 0x70F1C0: php_stdiop_write (plain_wrapper.c:339)
==23707==    by 0x70871A: _php_stream_write_buffer (streams.c:1083)
==23707==    by 0x70A1DC: _php_stream_write (streams.c:1198)
==23707==    by 0x64F620: zim_spl_SplFileObject_fwrite (spl_directory.c:2902)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x744597: zend_call_function (zend_execute_API.c:756)
==23707==    by 0x75C1D4: zend_fcall_info_call (zend_API.c:3663)
==23707==    by 0x706A14: php_output_handler_op (output.c:969)
==23707==    by 0x706A14: php_output_stack_pop (output.c:1230)
==23707==    by 0x706A14: php_output_end_all (output.c:339)
==23707==    by 0x6F0944: php_request_shutdown (main.c:1889)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Address 0x8bf2368 is 8 bytes inside a block of size 224 free'd
==23707==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x70A0A7: _php_stream_free (streams.c:504)
==23707==    by 0x7897E4: zend_objects_store_call_destructors (zend_objects_API.c:56)
==23707==    by 0x7430FA: shutdown_destructors (zend_execute_API.c:242)
==23707==    by 0x7528F6: zend_call_destructors (zend.c:1089)
==23707==    by 0x6F08E4: php_request_shutdown (main.c:1873)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Block was alloc'd at
==23707==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23707==    by 0x728C08: __zend_malloc (zend_alloc.c:2903)
==23707==    by 0x709264: _php_stream_alloc (streams.c:272)
==23707==    by 0x70FF4A: _php_stream_fopen_from_fd (plain_wrapper.c:246)
==23707==    by 0x7103AC: _php_stream_fopen (plain_wrapper.c:1054)
==23707==    by 0x70BC37: _php_stream_open_wrapper_ex (streams.c:2026)
==23707==    by 0x64FE83: spl_filesystem_file_open.isra.3 (spl_directory.c:300)
==23707==    by 0x650113: zim_spl_SplFileObject___construct (spl_directory.c:2283)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x7E2089: zend_execute (zend_vm_execute.h:60881)
==23707==    by 0x752CF2: zend_execute_scripts (zend.c:1568)
==23707==    by 0x6F1C2F: php_execute_script (main.c:2630)
==23707==    by 0x7E4528: do_cli (php_cli.c:997)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707== 
==23707== Invalid read of size 4
==23707==    at 0x70F1C7: php_stdiop_write (plain_wrapper.c:343)
==23707==    by 0x70871A: _php_stream_write_buffer (streams.c:1083)
==23707==    by 0x70A1DC: _php_stream_write (streams.c:1198)
==23707==    by 0x64F620: zim_spl_SplFileObject_fwrite (spl_directory.c:2902)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x744597: zend_call_function (zend_execute_API.c:756)
==23707==    by 0x75C1D4: zend_fcall_info_call (zend_API.c:3663)
==23707==    by 0x706A14: php_output_handler_op (output.c:969)
==23707==    by 0x706A14: php_output_stack_pop (output.c:1230)
==23707==    by 0x706A14: php_output_end_all (output.c:339)
==23707==    by 0x6F0944: php_request_shutdown (main.c:1889)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==23707== 
==23707== 
==23707== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==23707==  Access not within mapped region at address 0x8
==23707==    at 0x70F1C7: php_stdiop_write (plain_wrapper.c:343)
==23707==    by 0x70871A: _php_stream_write_buffer (streams.c:1083)
==23707==    by 0x70A1DC: _php_stream_write (streams.c:1198)
==23707==    by 0x64F620: zim_spl_SplFileObject_fwrite (spl_directory.c:2902)
==23707==    by 0x7E19B7: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:980)
==23707==    by 0x7E19B7: execute_ex (zend_vm_execute.h:55485)
==23707==    by 0x744597: zend_call_function (zend_execute_API.c:756)
==23707==    by 0x75C1D4: zend_fcall_info_call (zend_API.c:3663)
==23707==    by 0x706A14: php_output_handler_op (output.c:969)
==23707==    by 0x706A14: php_output_stack_pop (output.c:1230)
==23707==    by 0x706A14: php_output_end_all (output.c:339)
==23707==    by 0x6F0944: php_request_shutdown (main.c:1889)
==23707==    by 0x7E38AB: do_cli (php_cli.c:1164)
==23707==    by 0x43BA7B: main (php_cli.c:1389)
==23707==  If you believe this happened as a result of a stack
==23707==  overflow in your program's main thread (unlikely but
==23707==  possible), you can try to increase the size of the
==23707==  main thread stack using the --main-stacksize= flag.
==23707==  The main thread stack size used in this run was 8388608.
==23707== 
==23707== HEAP SUMMARY:
==23707==     in use at exit: 1,820,983 bytes in 10,638 blocks
==23707==   total heap usage: 11,496 allocs, 858 frees, 2,160,007 bytes allocated
==23707== 
==23707== LEAK SUMMARY:
==23707==    definitely lost: 0 bytes in 0 blocks
==23707==    indirectly lost: 0 bytes in 0 blocks
==23707==      possibly lost: 1,124,583 bytes in 9,365 blocks
==23707==    still reachable: 696,400 bytes in 1,273 blocks
==23707==         suppressed: 0 bytes in 0 blocks
==23707== Rerun with --leak-check=full to see details of leaked memory
==23707== 
==23707== For counts of detected and suppressed errors, rerun with: -v
==23707== ERROR SUMMARY: 10 errors from 10 contexts (suppressed: 0 from 0)
 [2019-03-16 11:40 UTC] michael dot mauch at gmx dot de
Hah, I found it with git bisect:

./bisect.sh: Zeile 11: 23355 Speicherzugriffsfehler  (Speicherabzug geschrieben) sapi/cli/php ~/php/crash.php
09d3b7386c7c7de1ef89ba04d00e93b2287adb00 is the first bad commit
commit 09d3b7386c7c7de1ef89ba04d00e93b2287adb00
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 18:53:16 2017 +0300

    Resources should be closed during object destructioin, not during freeing.

:040000 040000 5cf00a5f2339e62d800c87ee46d9827a00ad27f8 ffceeb3d9160671f1f22b7ca4d0b682e9bfc0dd4 M      ext
'bisect run' erfolgreich ausgeführt

What I did:

git clone https://github.com/php/php-src.git
cd php-src
git checkout PHP-7.2
git bisect start
git bisect bad HEAD

# git log --oneline
# searched for the first mention of PHP-7.2 from the bottom
# and used the commit before that one in the hope that it was still good
git checkout 6c32d27
./buildconf
./configure --disable-all
make -j10
sapi/cli/php ~/php/crash.php
# worked, therefor:
git bisect good
# made a script to build and run
./bisect.sh
# crashed, therefor:
git bisect bad
# let it search on its own:
git bisect run ./bisect.sh

After a while, it found the "bad" commit.

For completeness, here's the bisect.sh that I used:

#! /bin/bash

make distclean
./buildconf
./configure --disable-all
make -j10
if sapi/cli/php ~/php/crash.php ; then
  exit 0
else
  exit 1
fi
 [2019-03-16 12:42 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2019-03-16 12:42 UTC] cmb@php.net
Looks like $logfile is destroyed before the OB callback is
called; if $logfile was “declared” as global instead of being
“used”, no segfault occurred.
 [2019-03-16 13:19 UTC] cmb@php.net
-Status: Verified +Status: Open
 [2019-03-16 13:19 UTC] cmb@php.net
Well, the shutdown order is intended[1], likely to cater to
echoing destructors.

[1] <https://github.com/php/php-src/blob/php-7.3.3/main/main.c#L1871-L1876>
 [2019-03-18 10:10 UTC] nikic@php.net
-Assigned To: +Assigned To: dmitry
 [2019-03-18 10:10 UTC] nikic@php.net
I've committed a partial fix for this in https://github.com/php/php-src/commit/4f034016289f5a52073bfd012899dd3e202742b5. It will prevent the segfault, but not actually write anything into the file for your example. I'm not sure if it should...

@dmitry: Can you please take a look at this? I don't remember why it was necessary to move the stream closing into dtor_obj rather than free_obj.
 [2023-10-14 21:58 UTC] bukka@php.net
-Package: Output Control +Package: Streams related
 [2023-10-14 22:02 UTC] bukka@php.net
-Package: Streams related +Package: SPL related
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 07:01:29 2024 UTC