Bug #34150 xml_set_element_handler segfaults using object in callback
Submitted: 2005-08-16 12:00 UTC
Modified: 2005-08-18 04:14 UTC
From: pierre at dotgeek dot org
Assigned:
Status: Not a bug
Package: XML related
PHP Version: 4CVS-2005-08-16 (CVS)
OS: linux
Private report: No
CVE-ID: None
 [2005-08-16 12:00 UTC] pierre at dotgeek dot org
Description:
------------
xml_set_element_handler segfaults when using a reference to an object or "this" using 4.4 cvs or stock release.


Reproduce code:
---------------
<?php

class parser {
        var $parser = NULL;
        var $stack = '';

        function parser() {
                $this->parser = xml_parser_create();
                xml_set_element_handler($this->parser, array(&$this, '_startElement'), array(&$this, '_endElement'));
        }

        function _startElement($parser, $tag) {
                $this->stack .= $tag . '/';

        }

        function _endElement($parser, $tag) {
                $this->stack .= $tag . '/';
        }
}

$parser = new parser();



Expected result:
----------------
no segfault.



Actual result:
--------------
Non debug mode ends with:
*** glibc detected *** ./sapi/cli/php: double free or corruption (!prev): 0x0a1a76b0 ***
======= Backtrace: =========
/lib/libc.so.6[0x174424]
/lib/libc.so.6(__libc_free+0x77)[0x17495f]
./sapi/cli/php[0x80fb268]
./sapi/cli/php(php_XML_ParserFree+0x81)[0x80fd305]
./sapi/cli/php[0x80f87d6]
./sapi/cli/php(list_entry_destructor+0x75)[0x813bf4d]
./sapi/cli/php(zend_hash_del_key_or_index+0x15d)[0x813b511]
./sapi/cli/php(_zend_list_delete+0x58)[0x813bd04]
./sapi/cli/php(_zval_ptr_dtor+0x3d)[0x812e995]
./sapi/cli/php(zend_hash_destroy+0x3c)[0x813a32c]
./sapi/cli/php(_zval_dtor+0x3a)[0x8135f9e]
./sapi/cli/php(_zval_ptr_dtor+0x3d)[0x812e995]
./sapi/cli/php(zend_hash_destroy+0x3c)[0x813a32c]
./sapi/cli/php(_zval_dtor+0x80)[0x8135fe4]
./sapi/cli/php(_zval_ptr_dtor+0x3d)[0x812e995]
./sapi/cli/php[0x80f8822]
./sapi/cli/php(list_entry_destructor+0x75)[0x813bf4d]
./sapi/cli/php[0x813a48b]
./sapi/cli/php(zend_hash_graceful_reverse_destroy+0x17)[0x813a5cb]
./sapi/cli/php(shutdown_executor+0xbf)[0x812ea6f]
./sapi/cli/php(zend_deactivate+0x84)[0x8136c68]
./sapi/cli/php(php_request_shutdown+0x15f)[0x810f6a3]
./sapi/cli/php(main+0x148)[0x8151088]
/lib/libc.so.6(__libc_start_main+0xc6)[0x125de6]
./sapi/cli/php[0x8064c2d]


I can provide a backtrace later if required but the script is here :)

 [2005-08-16 21:32 UTC] chregu@php.net
Which libxml2 version are you using? (No idea if it's
related, just to be sure...)
 [2005-08-17 08:13 UTC] chregu@php.net
I can reproduce it now. No idea where exactly the problem is
(and no intention to fix it, as I have not much of an idea of
that part of the code).
 [2005-08-18 04:14 UTC] rrichards@php.net
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. 

Thank you for your interest in PHP.

duplicate of Bug #32494
 
Last updated: Sat Dec 21 14:01:32 2024 UTC