From: anders at kaseorg dot com
Operating system: Linux (Fedora Core 4)
PHP version: 5.0.4
PHP Bug Type: Reproducible crash
Bug description: Crash (double free or corruption) using DOM functions

Description:
------------
Running PHP (5.0.4-10.3 on Fedora Core 4) on this code crashes with a "double free" error after producing correct output. If you comment the last appendChild line, it segfaults instead.

Reproduce code:
---------------
<?php
$imp = new DOMImplementation();
$doc = $imp->createDocument(
    'http://www.w3.org/1999/xhtml',
    'html',
    $imp->createDocumentType(
        'html',
        '-//W3C//DTD XHTML 1.0 Strict//EN',
        'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'
    )
);
$html = $doc->documentElement;
$head = $html->appendChild($doc->createElement('head'));
$meta = $head->appendChild($doc->createElement('meta'));
$meta->setAttribute('http-equiv', 'Content-Type');
$meta->setAttribute('content', 'application/xhtml+xml; charset=utf-8');
$head->appendChild($doc->createElement('title'));
echo $doc->saveXML();
?>

Expected result:
----------------
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title></head></html>

Actual result:
--------------
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title></head></html>
*** glibc detected *** php: double free or corruption (!prev): 0x0985dcf0 ***
======= Backtrace: =========
/lib/libc.so.6[0x984124]
/lib/libc.so.6(__libc_free+0x77)[0x98465f]
/usr/lib/libxml2.so.2(xmlFreeNode+0x1ce)[0x7535b66]
php[0x80728be]
php[0x80733cb]
php[0x807339f]
php(php_libxml_node_free_resource+0x3f)[0x8073423]
php(php_libxml_node_decrement_resource+0x41)[0x807349b]
/usr/lib/php/modules/dom.so(dom_objects_free_storage+0x54)[0xc14576]
php(zend_objects_store_del_ref+0x72)[0x8187e48]
php(_zval_ptr_dtor+0x36)[0x8168e3c]
php[0x8179ffc]
php(zend_hash_graceful_reverse_destroy+0x18)[0x817a116]
php(shutdown_executor+0x7c)[0x8169a60]
php(zend_deactivate+0x93)[0x81740de]
php(php_request_shutdown+0x180)[0x813e197]
php(main+0x174)[0x81a7895]
/lib/libc.so.6(__libc_start_main+0xdf)[0x935d5f]
php[0x80727b1]

-- 
Edit bug report at http://bugs.php.net/?id=34232&edit=1