|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2021-09-15 10:36 UTC] twosee@php.net
[2021-09-23 12:58 UTC] nikic@php.net
[2021-09-23 13:03 UTC] nikic@php.net
[2023-04-07 18:37 UTC] monika at gmail dot com
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Apr 25 12:01:31 2024 UTC |
Description: ------------ Executing a curl_multi_cleanup() on a multi handle holding references to an already freed easy handle is not allowed. This issue only appears in a cycle, where the destruction order guarantees (i.e. adding easy handle to multi handle increases RC of easy handle) are not upheld. The issue exists in PHP 8.0+, when a proper get_gc handle was added for curl handles. Test script: --------------- <?php // inspired from ext/curl/tests/bug77535.phpt class MyHttpClient { private $mh; public function sendRequest() { $this->mh = curl_multi_init(); $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, 'https://http2.golang.org/serverpush'); curl_setopt($curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_2_0); curl_setopt($curl, CURLOPT_WRITEFUNCTION, function ($ch, $data) { return \strlen($data); // Closure preserves $this reference, creates cycle }); curl_multi_setopt($this->mh, CURLMOPT_PIPELINING, CURLPIPE_MULTIPLEX); curl_multi_setopt($this->mh, CURLMOPT_PUSHFUNCTION, function() { return CURL_PUSH_OK; }); curl_multi_add_handle($this->mh, $curl); while (curl_multi_exec($this->mh, $s) === CURLM_CALL_MULTI_PERFORM || curl_multi_info_read($this->mh) === false); gc_collect_cycles(); } } $buzz = new MyHttpClient(); $buzz->sendRequest(); Expected result: ---------------- No segfault Actual result: -------------- Segfault, valgrind output: ==21019== Invalid write of size 1 ==21019== at 0x52367B4: Curl_http_done (http.c:1551) ==21019== by 0x5256CF7: multi_done (multi.c:560) ==21019== by 0x5256FC9: curl_multi_cleanup (multi.c:2270) ==21019== by 0x436334: curl_multi_free_obj (multi.c:551) ==21019== by 0x92B9E8: zend_objects_store_del (zend_objects_API.c:200) ==21019== by 0x849172: rc_dtor_func (zend_variables.c:57) ==21019== by 0x92409C: i_zval_ptr_dtor (zend_variables.h:44) ==21019== by 0x924563: zend_object_std_dtor (zend_objects.c:70) ==21019== by 0x90BB71: zend_gc_collect_cycles (zend_gc.c:1588) ==21019== by 0x8346BA: zend_shutdown_executor_values (zend_execute_API.c:367) ==21019== by 0x834741: shutdown_executor (zend_execute_API.c:391) ==21019== by 0x84BA53: zend_deactivate (zend.c:1259) ==21019== Address 0x8eb2d61 is 5,089 bytes inside a block of size 6,304 free'd ==21019== at 0x48369AB: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==21019== by 0x5242B8B: Curl_close (url.c:397) ==21019== by 0x524F88C: curl_easy_cleanup (easy.c:826) ==21019== by 0x431D1A: curl_free_obj (interface.c:3446) ==21019== by 0x90BB71: zend_gc_collect_cycles (zend_gc.c:1588) ==21019== by 0x8346BA: zend_shutdown_executor_values (zend_execute_API.c:367) ==21019== by 0x834741: shutdown_executor (zend_execute_API.c:391) ==21019== by 0x84BA53: zend_deactivate (zend.c:1259) ==21019== by 0x7B5A5E: php_request_shutdown (main.c:1831) ==21019== by 0x9AC2B7: do_cli (php_cli.c:1135) ==21019== by 0x9ACA17: main (php_cli.c:1367)