We've had the following bug reported at PHP:
After some more tests, it was found that removing the handle from curl_multi *before* duplicating it solves the problem.
A simple test to reproduce the crash written in C has been created, and is available at: http://ookoo.org/svn/snip/curl_bug/
This bug has been tested and confirmed against curl 7.19.2.
0x00002b46220b7646 in ConnectionExists (data=0x6430a8, needle=0x6402b8, usethis=0x7fff88c37588) at url.c:2443
2443 pipeLen = check->send_pipe->size + check->recv_pipe->size;
#0 0x00002b46220b7646 in ConnectionExists (data=0x6430a8, needle=0x6402b8, usethis=0x7fff88c37588) at url.c:2443
#1 0x00002b46220bab2b in create_conn (data=0x6430a8, in_connect=0x640260, addr=0x7fff88c375f0, async=0x7fff88c3765e) at url.c:4289
#2 0x00002b46220baef0 in Curl_connect (data=0x6430a8, in_connect=0x640260, asyncp=0x7fff88c3765e, protocol_done=0x7fff88c3765d) at url.c:4475
#3 0x00002b46220d1fc3 in multi_runsingle (multi=0x626298, easy=0x640248) at multi.c:940
#4 0x00002b46220d2ee8 in curl_multi_perform (multi_handle=0x626298, running_handles=0x7fff88c37724) at multi.c:1502
#5 0x0000000000400b3c in main (argc=1, argv=0x7fff88c37828) at test.c:36
(gdb) print data->state.connc->connects
$6 = (struct connectdata *) 0x30
On line 628 of lib/easy.c, the following code seems suspect:
    if(data->state.used_interface == Curl_if_multi)
      outcurl->state.connc = data->state.connc;
    else
      outcurl->state.connc = Curl_mk_connc(CONNCACHE_PRIVATE, -1);
Commenting out the if() (leaving only the Curl_mk_connc) fixes the crash; however, I believe there must be some other reason than crashing libcurl for this if to exist.