Edit report at http://bugs.php.net/bug.php?id=54601&edit=1

 ID:                 54601
 Updated by:         bj...@php.net
 Reported by:        hannes dot magnusson at gmail dot com
 Summary:            Removing the doctype node segfaults
 Status:             Assigned
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Linux
 PHP Version:        5.3SVN-2011-04-25 (SVN)
 Assigned To:        rrichards
 Block user comment: N
 Private report:     N

 New Comment:

The attached patch does seem to fix the issue and makes valgrind stop
bleeding..

If it is however proper, I don't know :)


Previous Comments:
------------------------------------------------------------------------
[2011-04-25 13:07:40] bj...@php.net

Another one from phpdoc :)

------------------------------------------------------------------------
[2011-04-25 13:06:08] hannes dot magnusson at gmail dot com

Description:
------------
ext/dom segfaults during shutdown when removing the doctype node :]

The resulting document appears fine.

Test script:
---------------
--TEST--
Segfault when removing the Doctype node
--SKIPIF--
<?php require_once('skipif.inc'); ?>
--FILE--
<?php
$xml = <<< XML
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE set PUBLIC "-//OASIS//DTD DocBook XML V5.0//EN"
"http://www.docbook.org/xml/5.0/dtd/docbook.dtd" [
<!ENTITY foo '<foo>footext</foo>'>
<!ENTITY bar '<bar>bartext</bar>'>
]>
<set>&foo;&bar;</set>
XML;

$doc = new DOMDocument();
// LIBXML_NOENT substitutes &foo; and &bar; with the entity content
// declared in the internal subset.
$doc->loadXML($xml, LIBXML_NOENT);
// Keep a PHP reference to the doctype node, then detach it from the document.
$n = $doc->doctype;
$doc->removeChild($n);
var_dump($n);
?>
===DONE===
<?php exit(0); ?>
--EXPECTF--
object(DOMDocumentType)#%d (0) {
}
===DONE===

Actual result:
--------------
0x0000000000481cbf in php_libxml_decrement_node_ptr (object=0x14a1750)
    at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:956
956                     ret_refcount = --obj_node->refcount;
(gdb) bt
#0  0x0000000000481cbf in php_libxml_decrement_node_ptr (object=0x14a1750)
    at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:956
#1  0x000000000047fae5 in php_libxml_clear_object (object=0x14a1750)
    at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:150
#2  0x000000000047fb30 in php_libxml_unregister_node (nodep=0x14a1b90)
    at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:163
#3  0x000000000047fda0 in php_libxml_node_free_list (node=0x14a1b90)
    at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:248
#4  0x000000000047fd57 in php_libxml_node_free_list (node=0x149e190)
    at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:239
#5  0x0000000000481f7c in php_libxml_node_free_resource (node=0x149df90)
    at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:1024
#6  0x0000000000482060 in php_libxml_node_decrement_resource (object=0x147fb90)
    at /home/bjori/Work/OSS/svn-php/php/php-src/branches/PHP_5_3/ext/libxml/libxml.c:1059
#7  0x0000000000599b02 in dom_objects_free_storage (object=0x147fb90)
    at /home/bjori/Work/OSS/php/php5.3/ext/dom/php_dom.c:1017
#8  0x00000000009c5c92 in zend_objects_store_del_ref_by_handle_ex (handle=2, handlers=0x1233100)
    at /home/bjori/Work/OSS/php/php5.3/Zend/zend_objects_API.c:220
#9  0x00000000009c598b in zend_objects_store_del_ref (zobject=0x147d5a0)
    at /home/bjori/Work/OSS/php/php5.3/Zend/zend_objects_API.c:172
#10 0x00000000009931ef in _zval_dtor_func (zvalue=0x147d5a0, __zend_filename=0xf09128 "/home/bjori/Work/OSS/php/php5.3/Zend/zend_execute_API.c", __zend_lineno=445)
    at /home/bjori/Work/OSS/php/php5.3/Zend/zend_variables.c:52
#11 0x0000000000981fe9 in _zval_dtor (zvalue=0x147d5a0, __zend_filename=0xf09128 "/home/bjori/Work/OSS/php/php5.3/Zend/zend_execute_API.c", __zend_lineno=445)
    at /home/bjori/Work/OSS/php/php5.3/Zend/zend_variables.h:35
#12 0x000000000098341a in _zval_ptr_dtor (zval_ptr=0x147fde0, __zend_filename=0xf0a230 "/home/bjori/Work/OSS/php/php5.3/Zend/zend_variables.c", __zend_lineno=189)
    at /home/bjori/Work/OSS/php/php5.3/Zend/zend_execute_API.c:445
#13 0x0000000000993668 in _zval_ptr_dtor_wrapper (zval_ptr=0x147fde0)
    at /home/bjori/Work/OSS/php/php5.3/Zend/zend_variables.c:189
#14 0x00000000009a6ad7 in zend_hash_apply_deleter (ht=0x12395c8, p=0x147fdc8)
    at /home/bjori/Work/OSS/php/php5.3/Zend/zend_hash.c:612
#15 0x00000000009a717e in zend_hash_reverse_apply (ht=0x12395c8, apply_func=0x9829e0 <zval_call_destructor>)
    at /home/bjori/Work/OSS/php/php5.3/Zend/zend_hash.c:761
#16 0x0000000000982a94 in shutdown_destructors ()
    at /home/bjori/Work/OSS/php/php5.3/Zend/zend_execute_API.c:226
#17 0x000000000099521b in zend_call_destructors ()
    at /home/bjori/Work/OSS/php/php5.3/Zend/zend.c:874
#18 0x000000000091414a in php_request_shutdown (dummy=0x0)
    at /home/bjori/Work/OSS/php/php5.3/main/main.c:1591
#19 0x0000000000a84304 in main (argc=2, argv=0x7fffffffe198)
    at /home/bjori/Work/OSS/php/php5.3/sapi/cli/php_cli.c:1374
(gdb)

------------------------------------------------------------------------


