PHP :: Bug #31878 :: Segmentation fault using clone keyword on nodes

Bug #31878	Segmentation fault using clone keyword on nodes
Submitted:	2005-02-07 22:27 UTC	Modified:	2005-02-09 12:48 UTC
From:	php-bug at max-imp dot com	Assigned:
Status:	Closed	Package:	DOM XML related
PHP Version:	5.0.3	OS:	Gentoo
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	php-bug at max-imp dot com
New email:
PHP Version:		OS:

New Comment:

[2005-02-07 22:27 UTC] php-bug at max-imp dot com

Description:
------------
I am receiving an segmentation fault when accessing the ownerDocument property of a DOMNode object. Here is the line it's crashing on...

$xpath = new DOMXPath( $relativeTo->ownerDocument );


Reproduce code:
---------------
I can reproduce the error in the system I am working on but can not get the error to occur outside of the system. (The system is pretty large.)

Actual result:
--------------
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 13455)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 13455)]
0x082ef792 in zend_objects_store_add_ref (object=0x8d0f0f0e) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_objects_API.c:128
warning: Source file is more recent than executable.

128             EG(objects_store).object_buckets[handle].bucket.obj.refcount++;
(gdb) bt
#0  0x082ef792 in zend_objects_store_add_ref (object=0x8d0f0f0e) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_objects_API.c:128
#1  0x082d1765 in _zval_copy_ctor (zvalue=0x8c885a4,
    __zend_filename=0x831e300 "/var/tmp/portage/php-5.0.3/work/php-5.0.3/ext/dom/php_dom.c", __zend_lineno=1041)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_variables.c:158
#2  0x080bfbf4 in php_dom_create_object (obj=0x8ca32e8, found=0xbffe5f68, wrapper_in=0x0, return_value=0x8c885a4, domobj=0x8db4484)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/ext/dom/php_dom.c:1041
#3  0x080c83ad in dom_node_owner_document_read (obj=0x8db4484, retval=0xbffe5f98)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/ext/dom/node.c:575
#4  0x080b8c98 in dom_read_property (object=0x8cb2bf4, member=0x87805c0, type=139514432)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/ext/dom/php_dom.c:227
#5  0x0830810c in zend_fetch_property_address_read (result=0x8780594, op1=0x87805a8, op2=0x87805bc, Ts=0xbffe6084, type=0)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1158
#6  0x082fed68 in zend_fetch_obj_func_arg_handler (execute_data=0xbffe7000, opline=0x8780590, op_array=0x8772ce4)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2170
#7  0x082fca38 in execute (op_array=0x8772ce4) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#8  0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbffe7f80, opline=0x89e5e30, op_array=0x8981fd0)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#9  0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2825
#10 0x082fca38 in execute (op_array=0x8981fd0) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#11 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbffef3d0, opline=0x40b1e56c, op_array=0x8abbb20)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#12 0x08300f6e in zend_do_fcall_handler (execute_data=0xbffef3d0, opline=0x40b1e56c, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2843
#13 0x082fca38 in execute (op_array=0x8abbb20) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#14 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbffef910, opline=0x8790f24, op_array=0x89c6074)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#15 0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2825
#16 0x082fca38 in execute (op_array=0x89c6074) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#17 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbfff03e0, opline=0x87a4708, op_array=0x89d33ac)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#18 0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2825
#19 0x082fca38 in execute (op_array=0x89d33ac) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#20 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbfff1430, opline=0x87abd00, op_array=0x89d345c)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#21 0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2825
#22 0x082fca38 in execute (op_array=0x89d345c) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#23 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbfff1730, opline=0x879e914, op_array=0x89d32fc)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#24 0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2825
#25 0x082fca38 in execute (op_array=0x89d32fc) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#26 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbfff1a80, opline=0x879717c, op_array=0x89d2f04)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#27 0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2825
#28 0x082fca38 in execute (op_array=0x89d2f04) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#29 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbfff2b00, opline=0x877dd7c, op_array=0x8772ce4)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#30 0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2825
#31 0x082fca38 in execute (op_array=0x8772ce4) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#32 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbfff5e30, opline=0x8a84b44, op_array=0x8a4c458)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#33 0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
---Type <return> to continue, or q <return> to quit---q
 at /var/tmp/portage/php-5.0Quit
(gdb) print handle
$1 = 2366574350
(gdb)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-02-07 22:45 UTC] rrichards@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.0-win32-latest.zip

[2005-02-08 02:19 UTC] php-bug at max-imp dot com

We have installed php5-STABLE-200502072330.tar.gz but are still experiencing the same issue.

After doing more testing I believe its related to cloning the domdocument. Here is a small test case that also fails when cloning a domdocument.
======================================
$d = new DOMDocument();
$d->load( 'index.xml' );
$doc = clone $d;

var_dump($d);
var_dump($d->documentElement->ownerDocument);
var_dump($doc);
var_dump($doc->documentElement);
var_dump($doc->documentElement->ownerDocument);

new DOMXPath( $doc->documentElement->ownerDocument );
=============================================

Here is index.xml that is used by the above php script
==============================================
<?xml version="1.0" ?>
<test/>
==============================================

There are a few odd things about the results of running the php. Here are the resluts
==============================================
object(DOMDocument)#1 (0) {
}
object(DOMDocument)#1 (0) {
}
object(DOMDocument)#2 (0) {
}
object(DOMElement)#3 (0) {
}
object(DOMDocument)#4 (0) {
}

Fatal error: Uncaught exception 'DOMException' with message '__construct() expects parameter 1 to be DOMDocument, object given' in /home/dmschlot/test-ownerDocument.php:36
Stack trace:
#0 /home/dmschlot/test-ownerDocument.php(36): DOMXPath->__construct(Object(DOMXPath))
#1 {main}
  thrown in /home/dmschlot/test-ownerDocument.php on line 36
==============================================
The 3rd and 4th var_dumps should be the same instances of DOMDocument. Also for some reason its saying that I am passing in DOMXPath when it should be a DOMDocument.

Thanks a lot for the help.

[2005-02-08 22:36 UTC] php-bug at max-imp dot com

Any new news?
thanks

[2005-02-08 23:10 UTC] rrichards@php.net

reclassifying and updating summary.
testing fix. current workaround is to use cloneNode: $doc = $d->cloneNode(TRUE);

[2005-02-09 12:48 UTC] rrichards@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 12:01:29 2024 UTC