#49634 [Opn]: Segfault throwing an exception in a XSL registered function

Tue, 22 Sep 2009 17:54:53 -0700 

 ID:               49634
 Updated by:       [email protected]
 Reported By:      aldo at armiento dot com
 Status:           Open
 Bug Type:         Reproducible crash
 Operating System: Linux Debian, Mac OSX
 PHP Version:      5.3.0
 New Comment:

I can't reproduce it on Debian 32bit.
libxslt 1.1.24-2 ; libxml2  2.6.32


Previous Comments:
------------------------------------------------------------------------

[2009-09-22 22:41:49] aldo at armiento dot com

Description:
------------
Segfault throwing an exception in an XSL registered function when try
to 
access node from an external document.

libxml2: 2.7.4
libxslt: 1.1.25

Reproduce code:
---------------
External document doc.xml:

<root/>

Script:

<?php

$sXml = <<<XML
<?xml version="1.0" encoding="UTF-8" ?>
<root>
        test
</root>
XML;

$sXsl = <<<XSL
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
                xmlns:ext="http://php.net/xsl";
                xsl:extension-element-prefixes="ext"
                exclude-result-prefixes="ext">
        <xsl:output encoding="UTF-8" indent="yes" method="xml" />
        <xsl:template match="/">
                <xsl:value-of select="ext:function('testFunction',
document('doc.xml')/root)"/>
        </xsl:template>
</xsl:stylesheet>
XSL;

function testFunction($a)
{
        throw new Exception('Test exception.');
}

$domXml = DOMDocument::loadXML($sXml);
$domXsl = DOMDocument::loadXML($sXsl);

for ($i = 0; $i < 10; $i++)
{
        $xsltProcessor = new XSLTProcessor();
        $xsltProcessor->registerPHPFunctions(array('testFunction'));
        $xsltProcessor->importStyleSheet($domXsl);
        try {
                @$xsltProcessor->transformToDoc($domXml);
        } catch (Exception $e) {
                echo "Exception!\n";
        }
}

Expected result:
----------------
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!

Actual result:
--------------
(gdb) r
Starting program: /home/armiento/env/spider/bin/php test_segfault.php
[Thread debugging using libthread_db enabled]
[New Thread 140442269927120 (LWP 3340)]
Exception!
Exception!
*** glibc detected *** free(): invalid pointer: 0x000000000137d0d0 ***

Program received signal SIGABRT, Aborted.
[Switching to Thread 140442269927120 (LWP 3340)]
0x00007fbb423cb07b in raise () from /lib/libc.so.6
(gdb) bt
#0  0x00007fbb423cb07b in raise () from /lib/libc.so.6
#1  0x00007fbb423cc84e in abort () from /lib/libc.so.6
#2  0x00007fbb424015f9 in __fsetlocking () from /lib/libc.so.6
#3  0x00007fbb42408163 in mallopt () from /lib/libc.so.6
#4  0x00007fbb424081ee in free () from /lib/libc.so.6
#5  0x000000000044f3ab in php_libxml_node_decrement_resource 
(object=0x7fbb439a0710)
    at /home/armiento/src/php-5.3.0/ext/libxml/libxml.c:1058
#6  0x00000000004caed5 in dom_objects_free_storage 
(object=0x7fbb439a0710) at /home/armiento/src/php-
5.3.0/ext/dom/php_dom.c:1017
#7  0x00000000006bf026 in zend_objects_store_del_ref_by_handle_ex 
(handle=3, handlers=<value optimized out>)
    at /home/armiento/src/php-5.3.0/Zend/zend_objects_API.c:220
#8  0x00000000006bf062 in zend_objects_store_del_ref 
(zobject=0x7fbb4399e4f0)
    at /home/armiento/src/php-5.3.0/Zend/zend_objects_API.c:172
#9  0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0e40) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#10 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0d80) at 
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#11 0x000000000069ec36 in _zval_dtor_func (zvalue=0x7fbb439a0d50) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.c:43
#12 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0e98) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#13 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0ca8) at 
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#14 0x000000000069ec36 in _zval_dtor_func (zvalue=0x7fbb439a0c78) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.c:43
#15 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0ef0) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#16 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0ba0) at 
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#17 0x000000000069ec36 in _zval_dtor_func (zvalue=0x7fbb439a0b70) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.c:43
#18 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0f50) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#19 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0ac8) at 
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#20 0x000000000069ec36 in _zval_dtor_func (zvalue=0x7fbb439a00f0) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.c:43
#21 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0a08) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#22 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0930) at 
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#23 0x00000000006bb989 in zend_object_std_dtor (object=0x7fbb439a0780)

at /home/armiento/src/php-5.3.0/Zend/zend_objects.c:45
#24 0x00000000006bb9a9 in zend_objects_free_object_storage 
(object=0xd0c) at /home/armiento/src/php-5.3.0/Zend/zend_objects.c:114
#25 0x00000000006bf026 in zend_objects_store_del_ref_by_handle_ex 
(handle=7, handlers=<value optimized out>)
    at /home/armiento/src/php-5.3.0/Zend/zend_objects_API.c:220
#26 0x00000000006bf062 in zend_objects_store_del_ref 
(zobject=0x7fbb439a1680)
    at /home/armiento/src/php-5.3.0/Zend/zend_objects_API.c:172
#27 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a01b8) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#28 0x00000000006ac7f7 in _zend_hash_quick_add_or_update (ht=0xcfa568,

arKey=0x7fbb4399e360 "e", nKeyLength=2, h=5863242, 
    pData=0xcfa7b0, nDataSize=8, pDest=0x7fbb417b7118, flag=1) at 
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:299
#29 0x00000000006bfc8e in ZEND_CATCH_SPEC_CV_HANDLER 
(execute_data=0x7fbb417b7050)
    at /home/armiento/src/php-5.3.0/Zend/zend_vm_execute.h:1234
#30 0x00000000006c0691 in execute (op_array=0x7fbb4399b558) at 
/home/armiento/src/php-5.3.0/Zend/zend_vm_execute.h:104
#31 0x000000000069eead in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at /home/armiento/src/php-5.3.0/Zend/zend.c:1188
#32 0x000000000064fbc5 in php_execute_script 
(primary_file=0x7fff4b9da0b0) at /home/armiento/src/php-
5.3.0/main/main.c:2196
#33 0x0000000000722836 in main (argc=2, argv=0x7fff4b9da318) at 
/home/armiento/src/php-5.3.0/sapi/cli/php_cli.c:1188
(gdb) 


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=49634&edit=1

Reply via email to