Bug #22774 PHP crashes when exiting (long XML doc)
Submitted: 2003-03-18 16:19 UTC Modified: 2003-04-07 02:17 UTC
From: fgarcia at uef dot es Assigned:
Status: Closed Package: DOM XML related
PHP Version: 4.3.2RC1 OS: Windows 2000
Private report: No CVE-ID: None
 [2003-03-18 16:19 UTC] fgarcia at uef dot es
Running the following script (php -q domtest.php), you will get a Windows System Error when the script ends.
The Error depends on the internal size of the xml document.
If the 'for' is of 100 iterations, the error does not happen.

(I'm using the Windows compilation downloaded from php.net. Same problem in version 4.3.0)


domtest.php:
<?
if (!extension_loaded("php_domxml")) @dl("php_domxml.dll");
$domR=domxml_new_doc('1.0');

$nItinerario = $domR->create_element("itinerario");
for ($i=0; $i<400; $i++) {
	$n=$domR->create_element("HH");
	$n->append_child($domR->create_text_node('long long long long long long long long long long long long'));
	$nItinerario->append_child($n);
}
$domR->append_child($nItinerario);
//$xml=$domR->dump_mem();
//echo $xml;
?>



 [2003-03-18 16:21 UTC] fgarcia at uef dot es
Sorry, on Windows 2000
 [2003-03-18 20:18 UTC] sniper@php.net
I can not reproduce this on Linux using latest stable CVS snapshot with the example script. Maybe it's win32 only bug?

 [2003-03-18 20:19 UTC] sniper@php.net
Are you sure you really are using the 4.3.2RC1 ???

 [2003-03-20 09:29 UTC] fgarcia at uef dot es
I have tested only in 4.3.0 and 4.3.2RC1 win32 versions.
Both have the same problem.
 [2003-03-20 11:32 UTC] fgarcia at uef dot es
DrWatson output:
(in spanish, sorry)


Excepción de aplicación ocurrida:
        Aplicación:  (pid=2100)
        Fecha y hora: 20/03/2003 a las 18:32:17.205
        Número de excepción: c0000005 (infracción de acceso)

*----> Información del sistema <----*
        Nombre de equipo: UP086817
        Nombre de usuario: UF265250
        Número de procesadores: 1
        Tipo de procesador: x86 Family 6 Model 8 Stepping 6
        Versión de Windows 2000 : 5.0
        Versión actual: 2195
        Service Pack: 1
        Tipo actual: Uniprocessor Free
        Organización registrada: Unión Fenosa
        Propietario registrado: Unión Fenosa


Muestra de estado para identificador de subproceso 0x808

eax=0118ee78 ebx=00862518 ecx=00000001 edx=0012fb54 esi=00e18ec8 edi=00862518
eip=00fd1bc7 esp=0012fb3c ebp=00df5778 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000206


función: <nosymbols>
        00fd1bb9 5e               pop     esi
        00fd1bba c3               ret
        00fd1bbb 90               nop
        00fd1bbc 90               nop
        00fd1bbd 90               nop
        00fd1bbe 90               nop
        00fd1bbf 90               nop
        00fd1bc0 8b442404         mov     eax,[esp+0x4]          ss:00bfd113=????????
        00fd1bc4 56               push    esi
        00fd1bc5 8b30             mov     esi,[eax]              ds:0118ee78=00e18ec8
ERROR -> 00fd1bc7 8b4614           mov     eax,[esi+0x14]         ds:018e649e=????????
        00fd1bca 85c0             test    eax,eax
        00fd1bcc 751a             jnz     00fda6e8
        00fd1bce 8b4e0c           mov     ecx,[esi+0xc]          ds:018e649e=????????
        00fd1bd1 51               push    ecx
        00fd1bd2 e879ffffff       call    00fd1b50
        00fd1bd7 56               push    esi
        00fd1bd8 e803ffffff       call    00fd1ae0
        00fd1bdd 56               push    esi
        00fd1bde e88d930000       call    00fdaf70
        00fd1be3 83c40c           add     esp,0xc
        00fd1be6 5e               pop     esi

*----> Seguimiento regresivo de pila <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Nombre función
00DF5778 00000002 00050006 000D0101 00000018 00000000 !<nosymbols> 


Muestra de estado para identificador de subproceso 0x62c

eax=00fcfed4 ebx=00000000 ecx=00fcfec0 edx=00000000 esi=00fcff68 edi=77e1844a
eip=77e148fc esp=00fcff24 ebp=00fcff44 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246


función: PtInRect
        77e148d6 ff750c           push    dword ptr [ebp+0xc]    ss:01a9d51a=????????
        77e148d9 ff5508           call    dword ptr [ebp+0x8]    ss:01a9d51a=????????
        77e148dc 817c2404cdabbadc                                ss:01a9d4fb=????????
                                  cmp     dword ptr [esp+0x4],0xdcbaabcd
        77e148e4 0f85c8690300     jne     SetClassLongW+0x556 (77e4b2b2)
        77e148ea 83c408           add     esp,0x8
        77e148ed 5d               pop     ebp
        77e148ee c21400           ret     0x14
        77e148f1 b89a110000       mov     eax,0x119a
        77e148f6 8d542404         lea     edx,[esp+0x4]          ss:01a9d4fb=????????
        77e148fa cd2e             int     2e
        77e148fc c21000           ret     0x10
        77e148ff b8cb110000       mov     eax,0x11cb
        77e14904 8d542404         lea     edx,[esp+0x4]          ss:01a9d4fb=????????
        77e14908 cd2e             int     2e
        77e1490a c21000           ret     0x10

*----> Seguimiento regresivo de pila <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Nombre función
00FCFF44 100A0375 00FCFF68 00000000 00000000 00000000 user32!PtInRect 
00FCFFB4 77E837CD 008694A8 008601E0 008601E0 008694A8 !zend_timeout 
00FCFFEC 00000000 78002432 008694A8 00000000 00905A4D kernel32!TlsSetValue 

 [2003-03-20 17:47 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

And make sure you really update it. Especially the php4ts.dll file.

 [2003-03-21 04:28 UTC] fgarcia at uef dot es
I've updated to 4.3.2-RC1 version, and updated php4ts.dll on winnt/system
Same bug.


php -v:
PHP 4.3.2-RC (cgi-fcgi), Copyright (c) 1997-2003 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies
 [2003-03-21 04:31 UTC] fgarcia at uef dot es
If you see DrWatson output there is the function zend_timeout 

I don't know if that matches something.
 [2003-03-21 05:43 UTC] chregu@php.net
looks like a mem-leak

linux normally doesn't segfault on memleaks. Windows does... that's the difference ;)

I'll try to look at it
 [2003-03-24 05:02 UTC] rrichards at digarc dot com
Am not able to reproduce in Win 2K. Ran it for 10,000 and 20,000 iterations without a problem. Finally ran it for 1,000,000 iterations until the machine ran out of memory (was over a Gig of used memory at that point).
Once getting a fatal emalloc error memory returned back to normal (exact amount used prior to running).

Tested against latest cvs code as well as a php4-3.0-dev build from jun 2002.

using libxml2-2.4.22
 [2003-03-27 11:24 UTC] rrichards at digarc dot com
Finally able to reproduce this using a simplified script:
<?php
if (!extension_loaded("domxml")) @dl("php_domxml.dll");
$domR=domxml_new_doc('1.0');
$nItinerario = $domR->create_element("itinerario");
$domR->append_child($nItinerario);
?>

If the extension is NOT loaded via the php.ini file, upon shutdown, php_free_xml_doc is called first and then php_free_xml_node for the created element is called which causes the blow up. If read from the ini file, php_free_xml_node is called first and then php_free_xml_doc.

Seems to be some issue with the external loading of the extension.
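
An added example, not part of the thread and not PHP's code or the fix that was committed: a small C model of the destructor-order problem described in the comment above, where the document is released before a node handle that still points into its tree. All type and function names are hypothetical; the `pinned` mode shows one common hardening, in which each node handle holds a reference on its document so the tree outlives every handle regardless of release order.

```c
#include <stdlib.h>

/* Hypothetical model of the lifetime problem, not the domxml source. */
typedef struct Node { struct Node *parent; } Node;
typedef struct Doc  { int refs; Node *root; } Doc;
typedef struct Handle { Doc *doc; Node *node; } Handle;  /* script-side wrapper */

static int tree_live;    /* 1 while the document's node tree is allocated */
static int stale_reads;  /* node destructors that ran after the tree was freed */

static void doc_unref(Doc *d) {
    if (--d->refs > 0) return;      /* a node handle still needs the tree */
    free(d->root);                  /* freeing the document frees its nodes */
    free(d);
    tree_live = 0;
}

static void handle_free(Handle *h, int pinned) {
    if (!tree_live) {
        stale_reads++;              /* real code would read freed memory here */
    } else {
        Node *p = h->node->parent;  /* destructor inspects the node: safe */
        (void)p;
    }
    if (pinned) doc_unref(h->doc);  /* drop the reference taken at creation */
    free(h);
}

/* Simulates one request shutdown. doc_first selects the order reported for
 * dl(); pinned selects the design where each handle holds a document ref.
 * Returns the number of stale node reads that order would have caused. */
static int run_shutdown(int doc_first, int pinned) {
    Doc *d = calloc(1, sizeof *d);
    Node *n = calloc(1, sizeof *n);
    Handle *h = calloc(1, sizeof *h);
    if (!d || !n || !h) abort();
    d->root = n; d->refs = 1;       /* the script's document handle */
    h->doc = d; h->node = n;
    if (pinned) d->refs++;
    tree_live = 1; stale_reads = 0;
    if (doc_first) { doc_unref(d); handle_free(h, pinned); }
    else           { handle_free(h, pinned); doc_unref(d); }
    return stale_reads;
}

int main(void) {
    /* exit 0 when only the unpinned, document-first order goes stale */
    return !(run_shutdown(1, 0) == 1 && run_shutdown(1, 1) == 0);
}
```

The model records the stale access instead of performing it, so it can be run under a memory checker without tripping on the simulated bug itself.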
 [2003-04-03 04:38 UTC] chregu@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Should be fixed in the stable release, as well.
 [2003-04-07 02:17 UTC] fgarcia at uef dot es
I've tried
http://snaps.php.net/win32/php4-win32-STABLE-latest.zip
and works fine.

Thanks.
Fernando
 
Last updated: Mon Oct 21 14:01:27 2019 UTC