From: cataphract
Operating system: Ubuntu 10.4 x64; Windows 7 x64
PHP version: 5.3.3
Package: cURL related
Bug Type: Bug
Bug description:cURL leaks handle and causes assertion error (CURLOPT_STDERR)
Description:
------------
curl_setopt, when given a stream with CURLOPT_STDERR, stores the zval* and
increments both the refcount of the zval* and of the resource.
Only the refcount of the zval should be incremented.
Additionally, due to a flaw in the streams API, this leak results in an
assertion error. The reason is that on shutdown the unexposed/leaked
resources are destroyed in reverse order, so the encapsulated STDIO stream
is destroyed first and when the TEMP stream is destroyed, it then tries to
close the encapsulated STDIO steam again. I will submit this as a separate
bug report.
Test script:
---------------
<?php
$s = fopen('php://temp/maxmemory=1024','wb+');
/* force conversion of inner stream to STDIO.
* This is not necessary in Windows because the
* cast to a FILE* handle in curl_setopt already
* forces the conversion in that platform. The
* reason for this conversion is that the memory
* stream has an ugly but working mechanism to
* prevent being double freed when it's encapsulated,
* while STDIO streams don't. */
$i = 0;
while ($i++ < 5000) {
fwrite($s, str_repeat('a',1024));
}
$handle=curl_init('http://www.example.com');
curl_setopt($handle, CURLOPT_STDERR, $s);
Expected result:
----------------
No output.
Actual result:
--------------
(with stream debug)
stream_alloc: TEMP:0x12a61b0 persistent=(null)
stream_alloc: MEMORY:0x12a6488 persistent=(null)
stream_alloc: STDIO:0x12a6f90 persistent=(null)
stream_free: MEMORY:0x12a6488[(null)] in_free=0 opts=00000003
stream_free: MEMORY:0x12a6488[(null)] preserve_handle=0 release_cast=1
remove_rs rc=1
stream_free: MEMORY:0x12a6488[(null)] in_free=1 opts=0000000b
stream_free: STDIO:0x12a6f90[/tmp/phpghmjqQ] in_free=0 opts=0000000b
stream_free: STDIO:0x12a6f90[/tmp/phpghmjqQ] preserve_handle=0
release_cast=1 re move_rsrc=1
/tmp/php-5.3.3/main/streams/streams.c(400) : Stream of type 'STDIO'
0x12a6f90 (p ath:/tmp/phpghmjqQ) was not closed
stream_free: TEMP:0x12a61b0[php://temp/maxmemory=1024] in_free=0
opts=0000000b
stream_free: TEMP:0x12a61b0[php://temp/maxmemory=1024] preserve_handle=0
release _cast=1 remove_rsrc=1
php: /tmp/php-5.3.3/main/streams/plain_wrapper.c:434: php_stdiop_flush:
Assertio n `data != ((void *)0)' failed.
Aborted
#0 0x00007f74b5a22ed5 in raise () from /lib/libc.so.6
#1 0x00007f74b5a243f3 in abort () from /lib/libc.so.6
#2 0x00007f74b5a1bdc9 in __assert_fail () from /lib/libc.so.6
#3 0x000000000076129e in php_stdiop_flush (stream=0x1049dc8)
at /tmp/php-5.3.3/main/streams/plain_wrapper.c:434
#4 0x00000000007596dd in _php_stream_flush (stream=0x1049dc8, closing=0)
at /tmp/php-5.3.3/main/streams/streams.c:1050
#5 0x000000000075df57 in php_stream_temp_flush (stream=0x1049050)
at /tmp/php-5.3.3/main/streams/memory.c:440
#6 0x00000000007596dd in _php_stream_flush (stream=0x1049050, closing=1)
at /tmp/php-5.3.3/main/streams/streams.c:1050
#7 0x0000000000757b4d in _php_stream_free (stream=0x1049050,
close_options=11)
at /tmp/php-5.3.3/main/streams/streams.c:331
#8 0x000000000075a831 in stream_resource_regular_dtor (rsrc=0x104ab48)
at /tmp/php-5.3.3/main/streams/streams.c:1426
#9 0x00000000007c4f9e in list_entry_destructor (ptr=0x104ab48)
at /tmp/php-5.3.3/Zend/zend_list.c:184
#10 0x00000000007c249d in zend_hash_apply_deleter (ht=0xe0c650,
p=0x1049198)
at /tmp/php-5.3.3/Zend/zend_hash.c:611
#11 0x00000000007c25ff in zend_hash_graceful_reverse_destroy (ht=0xe0c650)
at /tmp/php-5.3.3/Zend/zend_hash.c:646
#12 0x00000000007c510f in zend_destroy_rsrc_list (ht=0xe0c650)
at /tmp/php-5.3.3/Zend/zend_list.c:240
#13 0x00000000007b1549 in zend_deactivate () at
/tmp/php-5.3.3/Zend/zend.c:896
#14 0x000000000073e71b in php_request_shutdown (dummy=0x0)
at /tmp/php-5.3.3/main/main.c:1633
#15 0x0000000000899a12 in main (argc=2, argv=0x7fffea5acfa8)
at /tmp/php-5.3.3/sapi/cli/php_cli.c:1373
--
Edit bug report at http://bugs.php.net/bug.php?id=52827&edit=1
--
Try a snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=52827&r=trysnapshot52
Try a snapshot (PHP 5.3):
http://bugs.php.net/fix.php?id=52827&r=trysnapshot53
Try a snapshot (trunk):
http://bugs.php.net/fix.php?id=52827&r=trysnapshottrunk
Fixed in SVN:
http://bugs.php.net/fix.php?id=52827&r=fixed
Fixed in SVN and need be documented:
http://bugs.php.net/fix.php?id=52827&r=needdocs
Fixed in release:
http://bugs.php.net/fix.php?id=52827&r=alreadyfixed
Need backtrace:
http://bugs.php.net/fix.php?id=52827&r=needtrace
Need Reproduce Script:
http://bugs.php.net/fix.php?id=52827&r=needscript
Try newer version:
http://bugs.php.net/fix.php?id=52827&r=oldversion
Not developer issue:
http://bugs.php.net/fix.php?id=52827&r=support
Expected behavior:
http://bugs.php.net/fix.php?id=52827&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=52827&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=52827&r=submittedtwice
register_globals:
http://bugs.php.net/fix.php?id=52827&r=globals
PHP 4 support discontinued: http://bugs.php.net/fix.php?id=52827&r=php4
Daylight Savings: http://bugs.php.net/fix.php?id=52827&r=dst
IIS Stability:
http://bugs.php.net/fix.php?id=52827&r=isapi
Install GNU Sed:
http://bugs.php.net/fix.php?id=52827&r=gnused
Floating point limitations:
http://bugs.php.net/fix.php?id=52827&r=float
No Zend Extensions:
http://bugs.php.net/fix.php?id=52827&r=nozend
MySQL Configuration Error:
http://bugs.php.net/fix.php?id=52827&r=mysqlcfg
