Bug #31373 Memory Leak with Simplexml leads to segmentation fault
Submitted: 2005-01-01 15:11 UTC
Modified: 2010-12-20 11:47 UTC
Votes: 10
Avg. Score: 4.2 ± 0.9
Reproduced: 8 of 9 (88.9%)
Same Version: 5 (62.5%)
Same OS: 8 (100.0%)
From: drews at dynamicwebpages dot de
Assigned:
Status: No Feedback
Package: SimpleXML related
PHP Version: 5.0.3
OS: Linux
Private report: No
CVE-ID: None

 

 [2005-01-01 15:11 UTC] drews at dynamicwebpages dot de
Description:
------------
updating php to 5.0.3 causes php to exit with a segmentation fault(11).
 
configuring with --enable-debug let it run, but throwing errors into the apache error_log (see below). 

strange: php5.0.0RC3 still works without segfaults and runs happily.

=== config.nice ===
'./configure' \
'--prefix=/srv/php/5.0.3' \
'--with-apxs=/srv/apache/current/bin/apxs' \
'--with-mysql=/srv/mysql/current' \
'--with-imap' \
'--with-imap-ssl' \
'--with-curl' \
'--with-zlib' \
'--with-ftp' \
'--with-gd=/usr/local' \
'--with-png-dir=/usr' \
'--with-zlib-dir=/usr' \
'--with-freetype-dir=/usr' \
'--with-openssl=/srv/openssl/current' \
'--with-bz2' \
'--with-ldap' \
'--with-jpeg-dir=/usr' \
'--enable-versioning' \
'--enable-sockets' \
'--with-mcrypt' \
'--with-mhash' \
'--with-pear=/srv/pear' \
'--with-config-file-path=/etc' \
'--with-tidy' \

=== /config.nice ===


gdb.backtrace does not work out, because enabling debug with php does not lead to segfault but to memleaks.



Reproduce code:
---------------
if (file_exists($_SESSION['cfgfile'])) {
    $CfgObj = simplexml_load_file($_SESSION['cfgfile']);
} else {
    die();
}

(not sure, if this causes the segfault, but it is the only
line of code, that makes use of simplexml and could lead to the memleak).



Expected result:
----------------
anything other than a segfault ;)

Actual result:
--------------
/usr/local/src/lamp/php-5.0.3/ext/simplexml/simplexml.c(970) :  Freeing 0x083EBE14 (2 bytes), script=/var/www/htdocs/DOMAIN/index.php
/usr/local/src/lamp/php-5.0.3/ext/simplexml/simplexml.c(1049) :  Freeing 0x083EB33C (16 bytes), script=/var/www/htdocs/DOMAIN/index.php
=== Total 2 memory leaks detected ===

 [2005-01-01 16:48 UTC] derick@php.net
We need the xml file too of course, and never use --enable-versioning in your configure statement!
 [2005-01-01 17:19 UTC] drews at dynamicwebpages dot de
Hi Derick,
the xml is valid and has about 360 lines of config.data, which
i first had to clean up before posting. the max depth is four and i would really appreciate not to post it here. In case you
really need it, i will clean everything and paste it, but i doubt if it will still help you if it is cleaned ... ?
 [2005-01-01 17:52 UTC] drews at dynamicwebpages dot de
this might help further: compiled without "--enable-debug" it throws the segfault(11) and i have a gdb-bt for it:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 30198)]
0x40117211 in free () from /lib/i686/libc.so.6
(gdb) bt
#0  0x40117211 in free () from /lib/i686/libc.so.6
#1  0x4068e3ba in _efree (ptr=0xbffefd20) at /usr/local/src/lamp/php-5.0.3/Zend/zend_alloc.c:287
#2  0x4069fc1e in compare_function (result=0xbfffabf0, op1=0xbffefd20, op2=0x8289964)
    at /usr/local/src/lamp/php-5.0.3/Zend/zend_operators.c:1279
#3  0x406a0483 in is_equal_function (result=0xbfffabf0, op1=0x837582c, op2=0x8289964)
    at /usr/local/src/lamp/php-5.0.3/Zend/zend_operators.c:1476
#4  0x406c77ec in zend_is_equal_handler (execute_data=0xbfffaf90, opline=0x8289934, op_array=0x821ec9c)
    at /usr/local/src/lamp/php-5.0.3/Zend/zend_execute.c:90
#5  0x406c4cec in execute (op_array=0x821ec9c) at /usr/local/src/lamp/php-5.0.3/Zend/zend_execute.c:1400
#6  0x406a3479 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/lamp/php-5.0.3/Zend/zend.c:1069
#7  0x4066b33f in php_execute_script (primary_file=0xbfffd2e0) at /usr/local/src/lamp/php-5.0.3/main/main.c:1628
#8  0x406d85a4 in apache_php_module_main (r=0x81d81cc, display_source_mode=0)
    at /usr/local/src/lamp/php-5.0.3/sapi/apache/sapi_apache.c:54
#9  0x406d907c in send_php (r=0x81d81cc, display_source_mode=0, filename=0x0)
    at /usr/local/src/lamp/php-5.0.3/sapi/apache/mod_php5.c:622
#10 0x406d9243 in send_parsed_php (r=0x81d81cc) at /usr/local/src/lamp/php-5.0.3/sapi/apache/mod_php5.c:637
#11 0x080549ff in ap_invoke_handler ()
#12 0x08069f5d in process_request_internal ()
#13 0x08069fbc in ap_process_request ()
#14 0x08060f1a in child_main ()
#15 0x080610e8 in make_child ()
#16 0x0806124e in startup_children ()
#17 0x0806190e in standalone_main ()
#18 0x08062146 in main ()
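
A triage helper for backtraces like the one above (an added example, not part of the original report or of PHP): it parses gdb frames and flags deallocator calls whose pointer lies where a classic 32-bit Linux layout places the user stack, assumed here to be 0xbf000000 up to 0xc0000000. The function names `parse_frames` and `stack_frees` are hypothetical.

```python
import re

# Frames #0-#3 copied from the gdb backtrace in the comment above.
BACKTRACE = """\
#0  0x40117211 in free () from /lib/i686/libc.so.6
#1  0x4068e3ba in _efree (ptr=0xbffefd20) at /usr/local/src/lamp/php-5.0.3/Zend/zend_alloc.c:287
#2  0x4069fc1e in compare_function (result=0xbfffabf0, op1=0xbffefd20, op2=0x8289964)
    at /usr/local/src/lamp/php-5.0.3/Zend/zend_operators.c:1279
#3  0x406a0483 in is_equal_function (result=0xbfffabf0, op1=0x837582c, op2=0x8289964)
    at /usr/local/src/lamp/php-5.0.3/Zend/zend_operators.c:1476
"""

FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \(([^)]*)\)")
ARG = re.compile(r"(\w+)=(0x[0-9a-f]+)")
DEALLOCATORS = {"free", "_efree"}
# Assumption: classic 32-bit Linux layout, user stack just below 0xc0000000.
STACK_LO, STACK_HI = 0xBF000000, 0xC0000000


def parse_frames(text):
    """Return [(frame_no, function, {arg: address})] for each '#N' line."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line)
        if m:
            args = {k: int(v, 16) for k, v in ARG.findall(m.group(3))}
            frames.append((int(m.group(1)), m.group(2), args))
    return frames


def stack_frees(frames):
    """Flag deallocator frames handed a stack-like pointer and name the
    nearest caller frame whose argument carries the same address."""
    findings = []
    for i, (no, func, args) in enumerate(frames):
        if func not in DEALLOCATORS:
            continue
        for name, addr in args.items():
            if not (STACK_LO <= addr < STACK_HI):
                continue
            origin = next(((n, f, a) for n, f, fa in frames[i + 1:]
                           for a, v in fa.items() if v == addr), None)
            findings.append((no, func, name, hex(addr), origin))
    return findings


if __name__ == "__main__":
    print(stack_frees(parse_frames(BACKTRACE)))
```

On these frames it reports the `_efree` call in frame #1, whose `ptr` equals `op1` in frame #2, while `op1` in frame #3 holds a different address.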
 [2005-01-03 23:05 UTC] iliaa@php.net
Please provide the XML file.
 [2005-01-11 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2005-11-18 14:16 UTC] christian dot lefebvre at atosorigin dot com
i have a short example code which segfaults too :
<?php
$data = simplexml_load_file('toto.xml');
$xml= $data->standings;
$live= ($xml['live']==1);
?>

toto.xml contains this :
<data>
	<standings live="1"/>
</data>

  I've 3 different php 5.0.3 binaries, one segfaults, the
other ones don't. The only differences are modules like ssl
support.
  It works if i change the last line like this :
$live= ((string)$xml['live']==1);

  Seems to be a schroedinbug since a print just before
corrects the problem too !
 [2006-10-11 16:05 UTC] Craig_Harris at HargreavesLansdown dot co dot uk
I'm getting this problem with PHP 5.1.6 on Apache 2.2.3 on Solaris
 [2006-11-29 21:37 UTC] greubel at nkey dot de
Hello,

I get this error too, but only in combination with a PEAR::SOAP_Server. If I load the same XML-File in a non-SOAP Script and let it parse, everything works fine.

I have a Fedora Core 5 with Apache:
$ httpd -V
Server version: Apache/2.2.2
Server built:   Jul 26 2006 11:12:08
Server's Module Magic Number: 20051115:2
Server loaded:  APR 1.2.2, APR-Util 1.2.7
Compiled using: APR 1.2.2, APR-Util 1.2.7
Architecture:   32-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)


and PHP:

$ php --version
PHP 5.1.6 (cli) (built: Nov  3 2006 07:27:53)

My XML Data is a fetched string from googlemaps xml output.

Here is a short code snippet:

==== code ====
$result = $google->get($url);
$xml_string = $google->currentResponse();
$body = $xml_string['body'];
fprintf($fp, "will load xml now\n\n%s\n\n", $body);
$xml = simplexml_load_string($body);
fprintf($fp, "loaded: %s", $xml->name);
if(!$xml) {
    fprintf($fp, "error on simplexml\n");
}
else {
    $response = $xml->Response;
    fprintf($fp, "%d", count($response->Placemark) );
}
=== /code ====

fprintf($fp, "loaded: %s"... will not be reached, the last line in log is "will load xml now" and the xml data.
 [2010-12-20 11:47 UTC] jani@php.net
-Package: Tidy
+Package: SimpleXML related
 
Last updated: Sun Dec 22 06:01:30 2024 UTC