ID: 49634
Updated by: fel...@php.net
Reported By: aldo at armiento dot com
Status: Open
Bug Type: Reproducible crash
Operating System: Linux Debian, Mac OSX
PHP Version: 5.3.0
New Comment:
I can't reproduce it on Debian 32bit.
libxslt 1.1.24-2 ; libxml2 2.6.32
Previous Comments:
------------------------------------------------------------------------
[2009-09-22 22:41:49] aldo at armiento dot com
Description:
------------
Segfault throwing an exception in an XSL registered function when try
to
access node from an external document.
libxml2: 2.7.4
libxslt: 1.1.25
Reproduce code:
---------------
External document doc.xml:
<root/>
Script:
<?php
$sXml = <<<XML
<?xml version="1.0" encoding="UTF-8" ?>
<root>
test
</root>
XML;
$sXsl = <<<XSL
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
xmlns:ext="http://php.net/xsl";
xsl:extension-element-prefixes="ext"
exclude-result-prefixes="ext">
<xsl:output encoding="UTF-8" indent="yes" method="xml" />
<xsl:template match="/">
<xsl:value-of select="ext:function('testFunction',
document('doc.xml')/root)"/>
</xsl:template>
</xsl:stylesheet>
XSL;
function testFunction($a)
{
throw new Exception('Test exception.');
}
$domXml = DOMDocument::loadXML($sXml);
$domXsl = DOMDocument::loadXML($sXsl);
for ($i = 0; $i < 10; $i++)
{
$xsltProcessor = new XSLTProcessor();
$xsltProcessor->registerPHPFunctions(array('testFunction'));
$xsltProcessor->importStyleSheet($domXsl);
try {
@$xsltProcessor->transformToDoc($domXml);
} catch (Exception $e) {
echo "Exception!\n";
}
}
Expected result:
----------------
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!
Actual result:
--------------
(gdb) r
Starting program: /home/armiento/env/spider/bin/php test_segfault.php
[Thread debugging using libthread_db enabled]
[New Thread 140442269927120 (LWP 3340)]
Exception!
Exception!
*** glibc detected *** free(): invalid pointer: 0x000000000137d0d0 ***
Program received signal SIGABRT, Aborted.
[Switching to Thread 140442269927120 (LWP 3340)]
0x00007fbb423cb07b in raise () from /lib/libc.so.6
(gdb) bt
#0 0x00007fbb423cb07b in raise () from /lib/libc.so.6
#1 0x00007fbb423cc84e in abort () from /lib/libc.so.6
#2 0x00007fbb424015f9 in __fsetlocking () from /lib/libc.so.6
#3 0x00007fbb42408163 in mallopt () from /lib/libc.so.6
#4 0x00007fbb424081ee in free () from /lib/libc.so.6
#5 0x000000000044f3ab in php_libxml_node_decrement_resource
(object=0x7fbb439a0710)
at /home/armiento/src/php-5.3.0/ext/libxml/libxml.c:1058
#6 0x00000000004caed5 in dom_objects_free_storage
(object=0x7fbb439a0710) at /home/armiento/src/php-
5.3.0/ext/dom/php_dom.c:1017
#7 0x00000000006bf026 in zend_objects_store_del_ref_by_handle_ex
(handle=3, handlers=<value optimized out>)
at /home/armiento/src/php-5.3.0/Zend/zend_objects_API.c:220
#8 0x00000000006bf062 in zend_objects_store_del_ref
(zobject=0x7fbb4399e4f0)
at /home/armiento/src/php-5.3.0/Zend/zend_objects_API.c:172
#9 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0e40) at
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#10 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0d80) at
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#11 0x000000000069ec36 in _zval_dtor_func (zvalue=0x7fbb439a0d50) at
/home/armiento/src/php-5.3.0/Zend/zend_variables.c:43
#12 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0e98) at
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#13 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0ca8) at
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#14 0x000000000069ec36 in _zval_dtor_func (zvalue=0x7fbb439a0c78) at
/home/armiento/src/php-5.3.0/Zend/zend_variables.c:43
#15 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0ef0) at
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#16 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0ba0) at
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#17 0x000000000069ec36 in _zval_dtor_func (zvalue=0x7fbb439a0b70) at
/home/armiento/src/php-5.3.0/Zend/zend_variables.c:43
#18 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0f50) at
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#19 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0ac8) at
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#20 0x000000000069ec36 in _zval_dtor_func (zvalue=0x7fbb439a00f0) at
/home/armiento/src/php-5.3.0/Zend/zend_variables.c:43
#21 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0a08) at
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#22 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0930) at
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#23 0x00000000006bb989 in zend_object_std_dtor (object=0x7fbb439a0780)
at /home/armiento/src/php-5.3.0/Zend/zend_objects.c:45
#24 0x00000000006bb9a9 in zend_objects_free_object_storage
(object=0xd0c) at /home/armiento/src/php-5.3.0/Zend/zend_objects.c:114
#25 0x00000000006bf026 in zend_objects_store_del_ref_by_handle_ex
(handle=7, handlers=<value optimized out>)
at /home/armiento/src/php-5.3.0/Zend/zend_objects_API.c:220
#26 0x00000000006bf062 in zend_objects_store_del_ref
(zobject=0x7fbb439a1680)
at /home/armiento/src/php-5.3.0/Zend/zend_objects_API.c:172
#27 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a01b8) at
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#28 0x00000000006ac7f7 in _zend_hash_quick_add_or_update (ht=0xcfa568,
arKey=0x7fbb4399e360 "e", nKeyLength=2, h=5863242,
pData=0xcfa7b0, nDataSize=8, pDest=0x7fbb417b7118, flag=1) at
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:299
#29 0x00000000006bfc8e in ZEND_CATCH_SPEC_CV_HANDLER
(execute_data=0x7fbb417b7050)
at /home/armiento/src/php-5.3.0/Zend/zend_vm_execute.h:1234
#30 0x00000000006c0691 in execute (op_array=0x7fbb4399b558) at
/home/armiento/src/php-5.3.0/Zend/zend_vm_execute.h:104
#31 0x000000000069eead in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /home/armiento/src/php-5.3.0/Zend/zend.c:1188
#32 0x000000000064fbc5 in php_execute_script
(primary_file=0x7fff4b9da0b0) at /home/armiento/src/php-
5.3.0/main/main.c:2196
#33 0x0000000000722836 in main (argc=2, argv=0x7fff4b9da318) at
/home/armiento/src/php-5.3.0/sapi/cli/php_cli.c:1188
(gdb)
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=49634&edit=1
