ID:               27769
 Updated by:       [EMAIL PROTECTED]
 Reported By:      ymettier at libertysurf dot fr
-Status:           Open
+Status:           Verified
 Bug Type:         DOM XML related
 Operating System: Solaris 8
 PHP Version:      4.3.5


Previous Comments:
------------------------------------------------------------------------

[2004-04-05 08:56:10] ymettier at libertysurf dot fr

Here is some code: test.php and test.xml. It does not crash each time I
execute it, but it crashes at least something like 1 time out of 10. Also
notice that with shorter lines or fewer XML attributes, it will not
crash. Is that a buffer overflow or a memory leak? Enjoy :)



test.php
========
<html>
<body>
<p>Bug below ?</p>
<?
$xmlstring = preg_replace("/''/","'",file_get_contents("test.xml"));
$tree = domxml_xmltree($xmlstring);
?>
<p>No bug :)</p>
</body>
</html>

test.xml
========
<?xml version="1.0" standalone='yes'?>
<application name='11111111111111111111111' date='2004/04/05 14:27:35'
other='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'>
  <object a1='test'
name='123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678912345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890'

          alias='BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'
          a='OK'
          b='' c=''
          d='' e=''
          f='' g=''
          h='' i=''
  />
  <object a2='test'
name='123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678912345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890'

          alias='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
          a='OK'
          b='' c=''
          d='' e=''
          f='' g=''
          h='' i=''
  />
</application>

------------------------------------------------------------------------

[2004-04-05 08:56:06] [EMAIL PROTECTED]

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.



------------------------------------------------------------------------

[2004-03-30 03:08:33] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
a URL to it here. Try to avoid embedding huge scripts into the report.

------------------------------------------------------------------------

[2004-03-30 02:47:47] ymettier at libertysurf dot fr

Description:
------------
Random Segfault in apache-2.0.48 and php-4.3.5 using domxml functions.
This was working with 4.3.0 and was not working at all with 4.3.4.
Randomly works with 4.3.5

Reproduce code:
---------------
I cannot give you the code to reproduce the crash (confidentiality),
but I can tell you that:

$ grep domxml *php
domxml_open_file
domxml_xmltree
domxml_open_mem

There was a bug with 4.3.4, so I'm falling back to 4.3.0 (not tested
versions between 4.3.4 and 4.3.0) for production use.

libxml2 is 2.5.8 here.

Actual result:
--------------
#0  0xfe1cee28 in node_list_wrapper_dtor (node=0x429ba0, destroyref=1) at /tmp/php-4.3.5/ext/domxml/php_domxml.c:617
617                             if (zend_list_find(Z_LVAL_PP(handle), &type)) {
(gdb) p type
$1 = -1
(gdb) p &type
$2 = (int *) 0xffbee988
(gdb) p handle
$3 = (zval **) 0x30ea00
(gdb) bt
#0  0xfe1cee28 in node_list_wrapper_dtor (node=0x429ba0, destroyref=1) at /tmp/php-4.3.5/ext/domxml/php_domxml.c:617
#1  0xfe1cedd4 in node_list_wrapper_dtor (node=0x4719e0, destroyref=1) at /tmp/php-4.3.5/ext/domxml/php_domxml.c:659
#2  0xfe1c3898 in php_free_xml_doc (rsrc=0x3315a0) at /tmp/php-4.3.5/ext/domxml/php_domxml.c:647
#3  0xfe2e0894 in list_entry_destructor (ptr=0x225600) at /tmp/php-4.3.5/Zend/zend_list.c:177
#4  0xfe2df1e8 in zend_hash_apply_deleter (ht=0xfe383b4c, p=0x32ce00) at /tmp/php-4.3.5/Zend/zend_hash.c:608
#5  0xfe2df38c in zend_hash_graceful_reverse_destroy (ht=0xfe383b4c) at /tmp/php-4.3.5/Zend/zend_hash.c:674
#6  0xfe2e0a0c in zend_destroy_rsrc_list (ht=0xfe383b4c) at /tmp/php-4.3.5/Zend/zend_list.c:233
#7  0xfe2cfe40 in shutdown_executor () at /tmp/php-4.3.5/Zend/zend_execute_API.c:213
#8  0xfe2da030 in zend_deactivate () at /tmp/php-4.3.5/Zend/zend.c:670
#9  0xfe2aa440 in php_request_shutdown (dummy=0x0) at /tmp/php-4.3.5/main/main.c:996
#10 0xfe2f5118 in php_apache_request_dtor (r=0x1abf38) at /tmp/php-4.3.5/sapi/apache2handler/sapi_apache2.c:461
#11 0xfe2f57b0 in php_handler (r=0x1abf38) at /tmp/php-4.3.5/sapi/apache2handler/sapi_apache2.c:577
#12 0x4add8 in ap_run_handler (r=0x1abf38) at config.c:194
#13 0x4b3d4 in ap_invoke_handler (r=0x1abf38) at config.c:401
#14 0x38abc in ap_process_request (r=0x1abf38) at http_request.c:288
#15 0x33e90 in ap_process_http_connection (c=0x1a1fe8) at http_core.c:293
#16 0x56374 in ap_run_process_connection (c=0x1a1fe8) at connection.c:85
#17 0x56660 in ap_process_connection (c=0x1a1fe8, csd=0x1a1f10) at connection.c:211
#18 0x496b0 in child_main (child_num_arg=0) at prefork.c:694
#19 0x49830 in make_child (s=0x9d620, slot=0) at prefork.c:788
#20 0x49a80 in perform_idle_server_maintenance (p=0x9acb8) at prefork.c:923
#21 0x49e84 in ap_mpm_run (_pconf=0x0, plog=0x74800, s=0x91000) at prefork.c:1118
#22 0x500b4 in main (argc=3, argv=0xffbef7b4) at main.c:660
(gdb) quit






------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=27769&edit=1
