From:             kyle at ifixit dot com
Operating system: CentOS
PHP version:      5.2.7
PHP Bug Type:     cURL related
Bug description:  curl_copy_handle crashes with curl_multi

Description:
------------
Multicurl crashes when using curl_copy_handle. Set up a multi request (A),
copy the handlers, perform the first multi request (A) and clean it up,
then perform a second request (B) with the copied handlers. PHP segfaults
(a double free) on one of the handler close calls. If I don't manually
free the multihandle, then the segfault is delayed until PHP cleans up the
objects.

Reproduce code:
---------------
<?
$count = 3;
$mh = curl_multi_init();
$mh2 = curl_multi_init();
$conn = array();
$conn2 = array();

// Setup requests
for ($i = 0; $i < $count; $i++) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, 'http://www.google.com/');
    curl_setopt($ch, CURLOPT_TIMEOUT, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $conn[$i] = $ch;
    curl_multi_add_handle($mh, $ch);
}

// Perform first set of requests
do {
    do {
    } while (curl_multi_exec($mh, $stillRunning) === CURLM_CALL_MULTI_PERFORM);
} while ($stillRunning);

for ($i = 0; $i < $count; $i++) {
    // Copy the completed handlers
    $conn2[$i] = curl_copy_handle($conn[$i]);
    curl_multi_add_handle($mh2, $conn2[$i]);

    // Remove the handlers from the first multihandler
    curl_multi_remove_handle($mh, $conn[$i]);
    curl_close($conn[$i]);
}
curl_multi_close($mh);
echo "Initial requests Finished.\n";

// Perform the second set of requests
do {
    do {
    } while (curl_multi_exec($mh2, $stillRunning) === CURLM_CALL_MULTI_PERFORM);
} while ($stillRunning);

// Remove the second set of completed handlers
for ($i = 0; $i < $count; $i++) {
    curl_multi_remove_handle($mh2, $conn2[$i]);
    curl_close($conn2[$i]);
}
curl_multi_close($mh2);
echo "Copied requests finished.\n";
?>

Expected result:
----------------
Initial requests Finished.
Copied requests finished.

Actual result:
--------------
*** glibc detected *** php: double free or corruption (out): 0x0000000011e59630 ***
======= Backtrace: =========
/lib64/libc.so.6[0x35a906f4f4]
/lib64/libc.so.6(cfree+0x8c)[0x35a9072b1c]
/usr/local/lib/libcurl.so.4(curl_slist_free_all+0x23)[0x2aaaabeff893]
php[0x4bd7ee]
php(zend_llist_destroy+0x43)[0x83eb3c]
php(zend_llist_clean+0x15)[0x83eba5]
php[0x4c2094]
php(list_entry_destructor+0x87)[0x85cd84]
php(zend_hash_del_key_or_index+0x218)[0x859e8e]
php(_zend_list_delete+0x69)[0x85c851]
php(_zval_dtor_func+0x142)[0x84934a]
php[0x839385]
php(_zval_ptr_dtor+0x49)[0x8395f2]
php(_zval_ptr_dtor_wrapper+0x21)[0x8496f2]
php(zend_hash_destroy+0x70)[0x859fe1]
php(_zval_dtor_func+0xfb)[0x849303]
php[0x839385]
php(_zval_ptr_dtor+0x49)[0x8395f2]
php(_zval_ptr_dtor_wrapper+0x21)[0x8496f2]
php(zend_hash_clean+0x70)[0x85a133]
php[0x876e58]
php[0x87796d]
php(execute+0x2f4)[0x8764e8]
php[0x876c7c]
php[0x87796d]
php(execute+0x2f4)[0x8764e8]
php[0x876c7c]
php[0x87796d]
php(execute+0x2f4)[0x8764e8]
php[0x876c7c]
php[0x87796d]
php(execute+0x2f4)[0x8764e8]
php[0x876c7c]
php[0x87796d]
php(execute+0x2f4)[0x8764e8]
php[0x876c7c]
php[0x87796d]
php(execute+0x2f4)[0x8764e8]
php(zend_execute_scripts+0x290)[0x84be45]
php(php_execute_script+0x38e)[0x7eb4f4]
php(main+0x143e)[0x8e43d5]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x35a901d8a4]
php[0x474859]

-- 
Edit bug report at http://bugs.php.net/?id=46756&edit=1