ID: 42112 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] -Status: Assigned +Status: Closed Bug Type: DOM XML related Operating System: Linux PHP Version: 5CVS-2007-07-26 (CVS) Assigned To: rrichards New Comment:
This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. Previous Comments: ------------------------------------------------------------------------ [2007-07-26 15:03:58] [EMAIL PROTECTED] Hello Rob, could you please have a look at this one? ------------------------------------------------------------------------ [2007-07-26 15:03:36] [EMAIL PROTECTED] Description: ------------ When running getElementById() on a node that just has been removed I get memory corruptions, and often a segfault. I am using libxml 2.6.29 Reproduce code: --------------- See http://files.derickrethans.nl/xml-crash.tar.bz2 run the script with "valgrind php xml-crash.php" Expected result: ---------------- No valgrind errors :) Actual result: -------------- ==27233== Invalid read of size 8 ==27233== at 0x4D6548: zif_dom_document_get_element_by_id (document.c:1267) ==27233== by 0x873B94: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200) ==27233== by 0x874902: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322) ==27233== by 0x873635: execute (zend_vm_execute.h:92) ==27233== by 0x873D23: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234) ==27233== by 0x874902: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322) ==27233== by 0x873635: execute (zend_vm_execute.h:92) ==27233== by 0x873D23: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234) ==27233== by 0x874902: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322) ==27233== by 0x873635: execute (zend_vm_execute.h:92) ==27233== by 0x84B283: zend_execute_scripts (zend.c:1134) ==27233== by 0x7F1629: php_execute_script (main.c:1967) ==27233== Address 0x9FEA200 is 40 bytes inside a block of size 96 free'd ==27233== at 0x4A2066A: free (vg_replace_malloc.c:233) ==27233== by 0x46BF04: php_libxml_node_free (libxml.c:197) ==27233== by 0x46C0A5: php_libxml_node_free_list (libxml.c:262) ==27233== by 0x46DF5F: php_libxml_node_free_resource (libxml.c:1013) ==27233== by 0x46DFEB: php_libxml_node_decrement_resource (libxml.c:1036) ==27233== by 0x4D2193: dom_objects_free_storage (php_dom.c:974) ==27233== by 0x87160D: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206) ==27233== by 0x871465: zend_objects_store_del_ref (zend_objects_API.c:168) ==27233== by 0x848B5C: _zval_dtor_func (zend_variables.c:52) ==27233== by 0x839C98: _zval_dtor (zend_variables.h:35) ==27233== by 0x839EB1: _zval_ptr_dtor (zend_execute_API.c:414) ==27233== by 0x848ED1: _zval_ptr_dtor_wrapper (zend_variables.c:175) ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=42112&edit=1