From:             hannes dot magnusson at gmail dot com
Operating system: FreeBSD
PHP version:      5CVS-2007-03-16 (CVS)
PHP Bug Type:     Reproducible crash
Bug description:  Segfault in ext/dom

Description:
------------
See reproduce code

Reproduce code:
---------------
<?php

$dom = new DOMDocument("1.0", "UTF-8");
$dom->preserveWhiteSpace = false;
$xml = '<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <entry xmlns="http://www.w3.org/2005/Atom">
    <updated>2007-02-14T00:00:00+01:00</updated>
    <content>
      <div xmlns="http://www.w3.org/1999/xhtml">
        <p>paragraph</p>
      </div>
    </content>
  </entry>
</feed>';
$dom->loadXML($xml);
$entry = $dom->getElementsByTagNameNS("http://www.w3.org/2005/Atom", "entry")->item(0);
// First child of <content> and first child of <updated>
$contentNode = $entry->getElementsByTagName("content")->item(0)->firstChild;
$dateNode    = $entry->getElementsByTagName("updated")->item(0)->firstChild;
// Move $dateNode under the first child of $contentNode
$contentNode->firstChild->insertBefore($dateNode);



Actual result:
--------------
#0  xmlFreeNodeList (cur=0x5a5a5a5a) at tree.c:3364
3364        if (cur->type == XML_NAMESPACE_DECL) {
[New LWP 100095]
(gdb) bt
#0  xmlFreeNodeList (cur=0x5a5a5a5a) at tree.c:3364
#1  0x28562ce5 in xmlFreeNodeList (cur=0x28997b80) at tree.c:3386
#2  0x28562ce5 in xmlFreeNodeList (cur=0x28997c40) at tree.c:3386
#3  0x28562ce5 in xmlFreeNodeList (cur=0x28997c00) at tree.c:3386
#4  0x28562ce5 in xmlFreeNodeList (cur=0x28997bc0) at tree.c:3386
#5  0x28562ce5 in xmlFreeNodeList (cur=0x28997b00) at tree.c:3386
#6  0x28562ce5 in xmlFreeNodeList (cur=0x28997ac0) at tree.c:3386
#7  0x28563485 in xmlFreeDoc (cur=0x28840ac0) at tree.c:1216
#8  0x08082a84 in php_libxml_decrement_doc_ref (object=0x288ce8b0) at
/usr/src/php/5.2/ext/libxml/libxml.c:966
#9  0x080c9f5f in dom_objects_free_storage (object=0x288ce8b0) at
/usr/src/php/5.2/ext/dom/php_dom.c:977
#10 0x082c3308 in zend_objects_store_del_ref_by_handle (handle=1) at
/usr/src/php/5.2/Zend/zend_objects_API.c:206
#11 0x082c31c3 in zend_objects_store_del_ref (zobject=0x288ccbac) at
/usr/src/php/5.2/Zend/zend_objects_API.c:168
#12 0x082a3680 in _zval_dtor_func (zvalue=0x288ccbac,
__zend_filename=0x83b9778 "/usr/src/php/5.2/Zend/zend_variables.h", 
    __zend_lineno=35) at /usr/src/php/5.2/Zend/zend_variables.c:52
#13 0x08297767 in _zval_dtor (zvalue=0x288ccbac, __zend_filename=0x83b971c
"/usr/src/php/5.2/Zend/zend_execute_API.c", 
    __zend_lineno=414) at zend_variables.h:35
#14 0x08297920 in _zval_ptr_dtor (zval_ptr=0x288ce488,
__zend_filename=0x83ba784 "/usr/src/php/5.2/Zend/zend_variables.c", 
    __zend_lineno=175) at /usr/src/php/5.2/Zend/zend_execute_API.c:414
#15 0x082a394f in _zval_ptr_dtor_wrapper (zval_ptr=0x288ce488) at
/usr/src/php/5.2/Zend/zend_variables.c:175
#16 0x082af2ee in zend_hash_apply_deleter (ht=0x83ec710, p=0x288ce47c) at
/usr/src/php/5.2/Zend/zend_hash.c:611
#17 0x082af769 in zend_hash_reverse_apply (ht=0x83ec710,
apply_func=0x82972a4 <zval_call_destructor>)
    at /usr/src/php/5.2/Zend/zend_hash.c:760
#18 0x08297326 in shutdown_destructors () at
/usr/src/php/5.2/Zend/zend_execute_API.c:211
#19 0x082a4ce2 in zend_call_destructors () at
/usr/src/php/5.2/Zend/zend.c:845
#20 0x0825cce6 in php_request_shutdown (dummy=0x0) at
/usr/src/php/5.2/main/main.c:1280
#21 0x0830c15b in main (argc=2, argv=0xbfbfebec) at
/usr/src/php/5.2/sapi/cli/php_cli.c:1294

(gdb) frame 1
#1  0x28562ce5 in xmlFreeNodeList (cur=0x2899a300) at tree.c:3386
3386                    xmlFreeNodeList(cur->children);
(gdb) p *cur
$1 = {_private = 0x5a5a5a5a, type = 1515870810, name = 0x5a5a5a5a <Address
0x5a5a5a5a out of bounds>, children = 0x5a5a5a5a, 
  last = 0x5a5a5a5a, parent = 0x5a5a5a5a, next = 0x5a5a5a5a, prev =
0x5a5a5a5a, doc = 0x5a5a5a5a, ns = 0x5a5a5a5a, 
  content = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>, properties =
0x5a5a5a5a, nsDef = 0x5a5a5a5a, psvi = 0x5a5a5a5a, 
  line = 23130, extra = 23130}
(gdb)

-- 
Edit bug report at http://bugs.php.net/?id=40836&edit=1