Bug #31878 Segmentation fault using clone keyword on nodes
Submitted: 2005-02-07 22:27 UTC Modified: 2005-02-09 12:48 UTC
From: php-bug at max-imp dot com Assigned:
Status: Closed Package: DOM XML related
PHP Version: 5.0.3 OS: Gentoo
Private report: No CVE-ID:
 [2005-02-07 22:27 UTC] php-bug at max-imp dot com
Description:
------------
I am receiving a segmentation fault when accessing the ownerDocument property of a DOMNode object. Here is the line it's crashing on...

$xpath = new DOMXPath( $relativeTo->ownerDocument );


Reproduce code:
---------------
I can reproduce the error in the system I am working on but can not get the error to occur outside of the system. (The system is pretty large.)

Actual result:
--------------
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 13455)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 13455)]
0x082ef792 in zend_objects_store_add_ref (object=0x8d0f0f0e) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_objects_API.c:128
warning: Source file is more recent than executable.

128             EG(objects_store).object_buckets[handle].bucket.obj.refcount++;
(gdb) bt
#0  0x082ef792 in zend_objects_store_add_ref (object=0x8d0f0f0e) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_objects_API.c:128
#1  0x082d1765 in _zval_copy_ctor (zvalue=0x8c885a4,
    __zend_filename=0x831e300 "/var/tmp/portage/php-5.0.3/work/php-5.0.3/ext/dom/php_dom.c", __zend_lineno=1041)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_variables.c:158
#2  0x080bfbf4 in php_dom_create_object (obj=0x8ca32e8, found=0xbffe5f68, wrapper_in=0x0, return_value=0x8c885a4, domobj=0x8db4484)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/ext/dom/php_dom.c:1041
#3  0x080c83ad in dom_node_owner_document_read (obj=0x8db4484, retval=0xbffe5f98)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/ext/dom/node.c:575
#4  0x080b8c98 in dom_read_property (object=0x8cb2bf4, member=0x87805c0, type=139514432)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/ext/dom/php_dom.c:227
#5  0x0830810c in zend_fetch_property_address_read (result=0x8780594, op1=0x87805a8, op2=0x87805bc, Ts=0xbffe6084, type=0)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1158
#6  0x082fed68 in zend_fetch_obj_func_arg_handler (execute_data=0xbffe7000, opline=0x8780590, op_array=0x8772ce4)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2170
#7  0x082fca38 in execute (op_array=0x8772ce4) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#8  0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbffe7f80, opline=0x89e5e30, op_array=0x8981fd0)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#9  0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2825
#10 0x082fca38 in execute (op_array=0x8981fd0) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#11 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbffef3d0, opline=0x40b1e56c, op_array=0x8abbb20)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#12 0x08300f6e in zend_do_fcall_handler (execute_data=0xbffef3d0, opline=0x40b1e56c, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2843
#13 0x082fca38 in execute (op_array=0x8abbb20) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#14 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbffef910, opline=0x8790f24, op_array=0x89c6074)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#15 0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2825
#16 0x082fca38 in execute (op_array=0x89c6074) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#17 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbfff03e0, opline=0x87a4708, op_array=0x89d33ac)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#18 0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2825
#19 0x082fca38 in execute (op_array=0x89d33ac) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#20 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbfff1430, opline=0x87abd00, op_array=0x89d345c)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#21 0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2825
#22 0x082fca38 in execute (op_array=0x89d345c) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#23 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbfff1730, opline=0x879e914, op_array=0x89d32fc)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#24 0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2825
#25 0x082fca38 in execute (op_array=0x89d32fc) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#26 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbfff1a80, opline=0x879717c, op_array=0x89d2f04)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#27 0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2825
#28 0x082fca38 in execute (op_array=0x89d2f04) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#29 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbfff2b00, opline=0x877dd7c, op_array=0x8772ce4)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#30 0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2825
#31 0x082fca38 in execute (op_array=0x8772ce4) at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:1400
#32 0x08300ac6 in zend_do_fcall_common_helper (execute_data=0xbfff5e30, opline=0x8a84b44, op_array=0x8a4c458)
    at /var/tmp/portage/php-5.0.3/work/php-5.0.3/Zend/zend_execute.c:2740
#33 0x08300e93 in zend_do_fcall_by_name_handler (execute_data=0x850d240, opline=0x8d0f0f0e, op_array=0x8d0f0f0e)
---Type <return> to continue, or q <return> to quit---q
 at /var/tmp/portage/php-5.0Quit
(gdb) print handle
$1 = 2366574350
(gdb)


 [2005-02-08 02:19 UTC] php-bug at max-imp dot com
We have installed php5-STABLE-200502072330.tar.gz but are still experiencing the same issue.

After doing more testing I believe it's related to cloning the domdocument. Here is a small test case that also fails when cloning a domdocument.
======================================
$d = new DOMDocument();
$d->load( 'index.xml' );
$doc = clone $d;

var_dump($d);
var_dump($d->documentElement->ownerDocument);
var_dump($doc);
var_dump($doc->documentElement);
var_dump($doc->documentElement->ownerDocument);

new DOMXPath( $doc->documentElement->ownerDocument );
=============================================

Here is index.xml that is used by the above php script
==============================================
<?xml version="1.0" ?>
<test/>
==============================================

There are a few odd things about the results of running the php. Here are the results.
==============================================
object(DOMDocument)#1 (0) {
}
object(DOMDocument)#1 (0) {
}
object(DOMDocument)#2 (0) {
}
object(DOMElement)#3 (0) {
}
object(DOMDocument)#4 (0) {
}

Fatal error: Uncaught exception 'DOMException' with message '__construct() expects parameter 1 to be DOMDocument, object given' in /home/dmschlot/test-ownerDocument.php:36
Stack trace:
#0 /home/dmschlot/test-ownerDocument.php(36): DOMXPath->__construct(Object(DOMXPath))
#1 {main}
  thrown in /home/dmschlot/test-ownerDocument.php on line 36
==============================================
The 3rd and 4th var_dumps should be the same instances of DOMDocument. Also, for some reason it's saying that I am passing in DOMXPath when it should be a DOMDocument.

Thanks a lot for the help.
 [2005-02-08 22:36 UTC] php-bug at max-imp dot com
Any new news?
thanks
 [2005-02-08 23:10 UTC] rrichards@php.net
reclassifying and updating summary.
testing fix. current workaround is to use cloneNode: $doc = $d->cloneNode(TRUE);
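
A regression check for the behaviour discussed in this report, as an added example that is not part of the original thread or of PHP's own test suite: it copies a document with both `clone` and the `cloneNode(TRUE)` workaround and verifies that `ownerDocument` on each copy is a usable `DOMDocument`. The helper names and the inline XML are constructed for illustration, and the code assumes PHP 7 or later.

```php
<?php
// Added regression check (not from the original report).
// Constructed sample input, equivalent to the report's index.xml.
const SAMPLE_XML = '<?xml version="1.0" ?><test/>';

// Hypothetical helper: short type description for diagnostics.
function describe($value): string
{
    return is_object($value) ? get_class($value) : gettype($value);
}

// Hypothetical helper: returns the problems found for one copy of the
// document. An empty array means ownerDocument behaves as expected.
function check_copy(string $label, $copy): array
{
    if (!$copy instanceof DOMDocument) {
        return ["$label: copy is " . describe($copy)];
    }
    $owner = $copy->documentElement->ownerDocument;
    if (!$owner instanceof DOMDocument) {
        return ["$label: ownerDocument is " . describe($owner)];
    }
    $problems = [];
    if ($owner !== $copy) {
        $problems[] = "$label: ownerDocument is not the copied document";
    }
    try {
        // The call that failed in the report.
        $nodes = (new DOMXPath($owner))->query('/test');
        if ($nodes === false || $nodes->length !== 1) {
            $problems[] = "$label: XPath did not find the root element";
        }
    } catch (Throwable $e) {
        $problems[] = "$label: DOMXPath rejected ownerDocument: " . $e->getMessage();
    }
    return $problems;
}

$d = new DOMDocument();
$d->loadXML(SAMPLE_XML);

$copies = ['clone' => clone $d, 'cloneNode(TRUE)' => $d->cloneNode(true)];
$problems = [];
foreach ($copies as $label => $copy) {
    $problems = array_merge($problems, check_copy($label, $copy));
}
echo $problems ? implode(PHP_EOL, $problems) . PHP_EOL : "ownerDocument OK for both copies" . PHP_EOL;
exit($problems ? 1 : 0);
```

A non-zero exit status, or the PHP process itself dying with a signal as in the backtrace above, both count as a failed check.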
 [2005-02-09 12:48 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Thu Apr 17 18:02:13 2014 UTC