Bug #31373 Memory Leak with Simplexml leads to segmentation fault
Submitted: 2005-01-01 15:11 UTC Modified: 2010-12-20 11:47 UTC
Votes:10
Avg. Score:4.2 ± 0.9
Reproduced:8 of 9 (88.9%)
Same Version:5 (62.5%)
Same OS:8 (100.0%)
From: drews at dynamicwebpages dot de Assigned:
Status: No Feedback Package: SimpleXML related
PHP Version: 5.0.3 OS: Linux
Private report: No CVE-ID: None
 [2005-01-01 15:11 UTC] drews at dynamicwebpages dot de
Description:
------------
updating php to 5.0.3 causes php to exit with a segmentation fault(11).
 
configuring with --enable-debug lets it run, but it throws errors into the apache error_log (see below).

strange: php5.0.0RC3 still works without segfaults and runs happily.

=== config.nice ===
'./configure' \
'--prefix=/srv/php/5.0.3' \
'--with-apxs=/srv/apache/current/bin/apxs' \
'--with-mysql=/srv/mysql/current' \
'--with-imap' \
'--with-imap-ssl' \
'--with-curl' \
'--with-zlib' \
'--with-ftp' \
'--with-gd=/usr/local' \
'--with-png-dir=/usr' \
'--with-zlib-dir=/usr' \
'--with-freetype-dir=/usr' \
'--with-openssl=/srv/openssl/current' \
'--with-bz2' \
'--with-ldap' \
'--with-jpeg-dir=/usr' \
'--enable-versioning' \
'--enable-sockets' \
'--with-mcrypt' \
'--with-mhash' \
'--with-pear=/srv/pear' \
'--with-config-file-path=/etc' \
'--with-tidy' \

=== /config.nice ===


gdb.backtrace does not work out, because enabling debug with php does not lead to a segfault but to memleaks.



Reproduce code:
---------------
if (file_exists($_SESSION['cfgfile'])) {
    $CfgObj = simplexml_load_file($_SESSION['cfgfile']);
} else {
    die();
}

(not sure, if this causes the segfault, but it is the only
line of code, that makes use of simplexml and could lead to the memleak).



Expected result:
----------------
anything other than a segfault ;)

Actual result:
--------------
/usr/local/src/lamp/php-5.0.3/ext/simplexml/simplexml.c(970) :  Freeing 0x083EBE14 (2 bytes), script=/var/www/htdocs/DOMAIN/index.php
/usr/local/src/lamp/php-5.0.3/ext/simplexml/simplexml.c(1049) :  Freeing 0x083EB33C (16 bytes), script=/var/www/htdocs/DOMAIN/index.php
=== Total 2 memory leaks detected ===

 [2005-01-01 16:48 UTC] derick@php.net
We need the xml file too of course, and never use --enable-versioning in your configure statement!
 [2005-01-01 17:19 UTC] drews at dynamicwebpages dot de
Hi Derick,
the xml is valid and has about 360 lines of config.data, which
i first had to clean up before posting. the max depth is four and i would really appreciate not to post it here. In case you
really need it, i will clean everything and paste it, but i doubt if it will still help you if it is cleaned ... ?
 [2005-01-01 17:52 UTC] drews at dynamicwebpages dot de
this might help further: compiled without "--enable-debug" it throws the segfault(11) and i have a gdb-bt for it:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 30198)]
0x40117211 in free () from /lib/i686/libc.so.6
(gdb) bt
#0  0x40117211 in free () from /lib/i686/libc.so.6
#1  0x4068e3ba in _efree (ptr=0xbffefd20) at /usr/local/src/lamp/php-5.0.3/Zend/zend_alloc.c:287
#2  0x4069fc1e in compare_function (result=0xbfffabf0, op1=0xbffefd20, op2=0x8289964)
    at /usr/local/src/lamp/php-5.0.3/Zend/zend_operators.c:1279
#3  0x406a0483 in is_equal_function (result=0xbfffabf0, op1=0x837582c, op2=0x8289964)
    at /usr/local/src/lamp/php-5.0.3/Zend/zend_operators.c:1476
#4  0x406c77ec in zend_is_equal_handler (execute_data=0xbfffaf90, opline=0x8289934, op_array=0x821ec9c)
    at /usr/local/src/lamp/php-5.0.3/Zend/zend_execute.c:90
#5  0x406c4cec in execute (op_array=0x821ec9c) at /usr/local/src/lamp/php-5.0.3/Zend/zend_execute.c:1400
#6  0x406a3479 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/lamp/php-5.0.3/Zend/zend.c:1069
#7  0x4066b33f in php_execute_script (primary_file=0xbfffd2e0) at /usr/local/src/lamp/php-5.0.3/main/main.c:1628
#8  0x406d85a4 in apache_php_module_main (r=0x81d81cc, display_source_mode=0)
    at /usr/local/src/lamp/php-5.0.3/sapi/apache/sapi_apache.c:54
#9  0x406d907c in send_php (r=0x81d81cc, display_source_mode=0, filename=0x0)
    at /usr/local/src/lamp/php-5.0.3/sapi/apache/mod_php5.c:622
#10 0x406d9243 in send_parsed_php (r=0x81d81cc) at /usr/local/src/lamp/php-5.0.3/sapi/apache/mod_php5.c:637
#11 0x080549ff in ap_invoke_handler ()
#12 0x08069f5d in process_request_internal ()
#13 0x08069fbc in ap_process_request ()
#14 0x08060f1a in child_main ()
#15 0x080610e8 in make_child ()
#16 0x0806124e in startup_children ()
#17 0x0806190e in standalone_main ()
#18 0x08062146 in main ()
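
A triage aid for the backtrace above, added here as an example; it is not part of the original report or of PHP. It parses the gdb frames and flags free-like calls whose pointer argument lies outside the heap. The address ranges assume the classic 32-bit Linux layout without ASLR (stack just below 0xc0000000), and the names `region`, `parse_frames` and `suspicious_frees` are made up for this example.

```python
import re

# Frames #0-#3 copied from the gdb backtrace in the comment above.
BACKTRACE = """\
#0  0x40117211 in free () from /lib/i686/libc.so.6
#1  0x4068e3ba in _efree (ptr=0xbffefd20) at /usr/local/src/lamp/php-5.0.3/Zend/zend_alloc.c:287
#2  0x4069fc1e in compare_function (result=0xbfffabf0, op1=0xbffefd20, op2=0x8289964)
    at /usr/local/src/lamp/php-5.0.3/Zend/zend_operators.c:1279
#3  0x406a0483 in is_equal_function (result=0xbfffabf0, op1=0x837582c, op2=0x8289964)
    at /usr/local/src/lamp/php-5.0.3/Zend/zend_operators.c:1476
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\w+) \(([^)]*)\)", re.M)
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-f]+)")
FREE_FUNCS = {"free", "_efree"}

def region(addr):
    """Classify an address. ASSUMPTION: classic i386 Linux layout, no ASLR."""
    if 0xBF000000 <= addr < 0xC0000000:
        return "stack"
    if 0x08000000 <= addr < 0x10000000:
        return "heap/data"
    return "other"

def parse_frames(text):
    """Return [{'num', 'func', 'args': {name: int}}] for each '#N' frame line."""
    return [{"num": int(num), "func": func,
             "args": {n: int(v, 16) for n, v in ARG_RE.findall(args)}}
            for num, func, args in FRAME_RE.findall(text)]

def suspicious_frees(frames):
    """Flag free-like frames whose pointer argument is not a heap address."""
    findings = []
    for i, frame in enumerate(frames):
        if frame["func"] not in FREE_FUNCS:
            continue
        caller = frames[i + 1] if i + 1 < len(frames) else {"func": "?", "args": {}}
        for addr in frame["args"].values():
            if region(addr) == "heap/data":
                continue
            # Which caller argument carried this pointer into the free call?
            source = next((f"{caller['func']}:{name}"
                           for name, val in caller["args"].items() if val == addr), None)
            findings.append((frame["func"], hex(addr), region(addr), source))
    return findings

if __name__ == "__main__":
    for finding in suspicious_frees(parse_frames(BACKTRACE)):
        print("non-heap pointer passed to %s: %s (%s), from %s" % finding)
```

On these frames it reports `_efree` being handed 0xbffefd20, a stack-range address that arrived as `op1` of `compare_function`, while `is_equal_function` one frame up was called with a different `op1` (0x837582c).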
 [2005-01-03 23:05 UTC] iliaa@php.net
Please provide the XML file.
 [2005-01-11 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2005-11-18 14:16 UTC] christian dot lefebvre at atosorigin dot com
i have a short example code which segfaults too :
<?php
$data = simplexml_load_file('toto.xml');
$xml= $data->standings;
$live= ($xml['live']==1);
?>

toto.xml contains this :
<data>
	<standings live="1"/>
</data>

  I have 3 different php 5.0.3 binaries, one segfaults, the
other ones don't. The only differences are modules like ssl
support.
  It works if i change the last line like this :
$live= ((string)$xml['live']==1);

  Seems to be a schroedinbug since a print just before
corrects the problem too !
 [2006-10-11 16:05 UTC] Craig_Harris at HargreavesLansdown dot co dot uk
I'm getting this problem with PHP 5.1.6 on Apache 2.2.3 on Solaris
 [2006-11-29 21:37 UTC] greubel at nkey dot de
Hello,

I get this error too, but only in combination with a PEAR::SOAP_Server. If I load the same XML-File in a non-SOAP Script and let it parse, everything works fine.

I have a Fedora Core 5 with Apache:
$ httpd -V
Server version: Apache/2.2.2
Server built:   Jul 26 2006 11:12:08
Server's Module Magic Number: 20051115:2
Server loaded:  APR 1.2.2, APR-Util 1.2.7
Compiled using: APR 1.2.2, APR-Util 1.2.7
Architecture:   32-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)


and PHP:

$ php --version
PHP 5.1.6 (cli) (built: Nov  3 2006 07:27:53)

My XML Data is a fetched string from googlemaps xml output.

Here is a short code snippet:

==== code ====
$result = $google->get($url);
$xml_string = $google->currentResponse();
$body = $xml_string['body'];
fprintf($fp, "will load xml now\n\n%s\n\n", $body);
$xml = simplexml_load_string($body);
fprintf($fp, "loaded: %s", $xml->name);
if(!$xml) {
    fprintf($fp, "error on simplexml\n");
}
else {
    $response = $xml->Response;
    fprintf($fp, "%d", count($response->Placemark) );
}
=== /code ====

fprintf($fp, "loaded: %s"... will not be reached, the last line in log is "will load xml now" and the xml data.
 [2010-12-20 11:47 UTC] jani@php.net
-Package: Tidy +Package: SimpleXML related
 
Last updated: Tue Oct 15 15:01:28 2024 UTC