From: hannes dot magnusson at gmail dot com Operating system: FreeBSD PHP version: 5CVS-2007-03-16 (CVS) PHP Bug Type: Reproducible crash Bug description: Segfault in ext/dom
Description: ------------ See reproduce code Reproduce code: --------------- <?php $dom = new DOMDocument("1.0", "UTF-8"); $dom->preserveWhiteSpace = false; $xml = '<?xml version="1.0" encoding="utf-8"?> <feed xmlns="http://www.w3.org/2005/Atom"> <entry xmlns="http://www.w3.org/2005/Atom"> <updated>2007-02-14T00:00:00+01:00</updated> <content> <div xmlns="http://www.w3.org/1999/xhtml"> <p>paragraph</p> </div> </content> </entry> </feed>'; $dom->loadXML($xml); $entry = $dom->getElementsByTagNameNS("http://www.w3.org/2005/Atom", "entry")->item(0); $contentNode = $entry->getElementsByTagName("content")->item(0)->firstChild; $dateNode = $entry->getElementsByTagName("updated")->item(0)->firstChild; $contentNode->firstChild->insertBefore($dateNode); Actual result: -------------- #0 xmlFreeNodeList (cur=0x5a5a5a5a) at tree.c:3364 3364 if (cur->type == XML_NAMESPACE_DECL) { [New LWP 100095] (gdb) bt #0 xmlFreeNodeList (cur=0x5a5a5a5a) at tree.c:3364 #1 0x28562ce5 in xmlFreeNodeList (cur=0x28997b80) at tree.c:3386 #2 0x28562ce5 in xmlFreeNodeList (cur=0x28997c40) at tree.c:3386 #3 0x28562ce5 in xmlFreeNodeList (cur=0x28997c00) at tree.c:3386 #4 0x28562ce5 in xmlFreeNodeList (cur=0x28997bc0) at tree.c:3386 #5 0x28562ce5 in xmlFreeNodeList (cur=0x28997b00) at tree.c:3386 #6 0x28562ce5 in xmlFreeNodeList (cur=0x28997ac0) at tree.c:3386 #7 0x28563485 in xmlFreeDoc (cur=0x28840ac0) at tree.c:1216 #8 0x08082a84 in php_libxml_decrement_doc_ref (object=0x288ce8b0) at /usr/src/php/5.2/ext/libxml/libxml.c:966 #9 0x080c9f5f in dom_objects_free_storage (object=0x288ce8b0) at /usr/src/php/5.2/ext/dom/php_dom.c:977 #10 0x082c3308 in zend_objects_store_del_ref_by_handle (handle=1) at /usr/src/php/5.2/Zend/zend_objects_API.c:206 #11 0x082c31c3 in zend_objects_store_del_ref (zobject=0x288ccbac) at /usr/src/php/5.2/Zend/zend_objects_API.c:168 #12 0x082a3680 in _zval_dtor_func (zvalue=0x288ccbac, __zend_filename=0x83b9778 "/usr/src/php/5.2/Zend/zend_variables.h", __zend_lineno=35) at /usr/src/php/5.2/Zend/zend_variables.c:52 #13 0x08297767 in _zval_dtor (zvalue=0x288ccbac, __zend_filename=0x83b971c "/usr/src/php/5.2/Zend/zend_execute_API.c", __zend_lineno=414) at zend_variables.h:35 #14 0x08297920 in _zval_ptr_dtor (zval_ptr=0x288ce488, __zend_filename=0x83ba784 "/usr/src/php/5.2/Zend/zend_variables.c", __zend_lineno=175) at /usr/src/php/5.2/Zend/zend_execute_API.c:414 #15 0x082a394f in _zval_ptr_dtor_wrapper (zval_ptr=0x288ce488) at /usr/src/php/5.2/Zend/zend_variables.c:175 #16 0x082af2ee in zend_hash_apply_deleter (ht=0x83ec710, p=0x288ce47c) at /usr/src/php/5.2/Zend/zend_hash.c:611 #17 0x082af769 in zend_hash_reverse_apply (ht=0x83ec710, apply_func=0x82972a4 <zval_call_destructor>) at /usr/src/php/5.2/Zend/zend_hash.c:760 #18 0x08297326 in shutdown_destructors () at /usr/src/php/5.2/Zend/zend_execute_API.c:211 #19 0x082a4ce2 in zend_call_destructors () at /usr/src/php/5.2/Zend/zend.c:845 #20 0x0825cce6 in php_request_shutdown (dummy=0x0) at /usr/src/php/5.2/main/main.c:1280 #21 0x0830c15b in main (argc=2, argv=0xbfbfebec) at /usr/src/php/5.2/sapi/cli/php_cli.c:1294 gdb) frame 1 #1 0x28562ce5 in xmlFreeNodeList (cur=0x2899a300) at tree.c:3386 3386 xmlFreeNodeList(cur->children); (gdb) p *cur $1 = {_private = 0x5a5a5a5a, type = 1515870810, name = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>, children = 0x5a5a5a5a, last = 0x5a5a5a5a, parent = 0x5a5a5a5a, next = 0x5a5a5a5a, prev = 0x5a5a5a5a, doc = 0x5a5a5a5a, ns = 0x5a5a5a5a, content = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>, properties = 0x5a5a5a5a, nsDef = 0x5a5a5a5a, psvi = 0x5a5a5a5a, line = 23130, extra = 23130} (gdb) -- Edit bug report at http://bugs.php.net/?id=40836&edit=1 -- Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=40836&r=trysnapshot44 Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=40836&r=trysnapshot52 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=40836&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=40836&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=40836&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=40836&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=40836&r=needscript Try newer version: http://bugs.php.net/fix.php?id=40836&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=40836&r=support Expected behavior: http://bugs.php.net/fix.php?id=40836&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=40836&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=40836&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=40836&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=40836&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=40836&r=dst IIS Stability: http://bugs.php.net/fix.php?id=40836&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=40836&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=40836&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=40836&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=40836&r=mysqlcfg