Bug #41086 Seg fault and "corrupted double-linked list" with xslt warning
Submitted: 2007-04-14 19:21 UTC Modified: 2007-04-15 14:12 UTC
From: harvey dot robin at gmail dot com Assigned:
Status: Not a bug Package: XSLT related
PHP Version: 5CVS-2007-04-14 (snap) OS: Ubuntu feisty
Private report: No CVE-ID: None
 [2007-04-14 19:21 UTC] harvey dot robin at gmail dot com
Description:
------------
Running a complex stylesheet (possibly with errors, certainly produces warnings) results in a segmentation fault or a "corrupted double-linked list". The stylesheet uses exslt, and the DOM it's parsing over is created with the flags LIBXML_NOENT|LIBXML_DTDLOAD|LIBXML_DTDATTR. The code also uses a custom stream handler in conjunction with the XPath document() function.

When you run the tests below, there are a couple of warnings produced before the crash, one is "XSLTProcessor::transformToXml(): Invalid type" and the other is "XSLTProcessor::transformToXml(): xmlXPathCompiledEval: 4 objects left on the stack."  I've met these warnings before, but they have never resulted in a crash.

Reproduce code:
---------------
The code needed to reproduce the error is available on the subversion server of my project.  To produce the crash, do:

*> svn checkout http://taltastic.googlecode.com/svn/trunk/ -r 42 taltastic
*> cd taltastic/test
*> php test.php

This produces the double linked list fault on my system, to produce the segmentation fault error you have to edit the test.php file and change the $templ variable to load from "test.xml" instead of "test.html".

Here is my configure line:
robin@robin-desktop:~/libs/php5.2-CVS2$ cat config.nice 
#! /bin/sh
#
# Created by configure

'./configure' \
'--disable-cgi' \
'--enable-cli' \
'--with-zlib' \
'--with-bz2' \
'--with-gd' \
'--enable-gd-native-ttf' \
'--enable-mbstring' \
'--with-mcrypt' \
'--with-pdo-pgsql' \
'--disable-session' \
'--enable-sockets' \
'--with-xsl' \
'--enable-soap' \
'--enable-debug' \
"$@"

Expected result:
----------------
Expect to see an html document echoed to the screen.


Actual result:
--------------
...This one with the code as-is, using "test.html"...

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47983451902976 (LWP 29653)]
0x00002ba402eb738b in xmlXPathNodeSetAddUnique () from /usr/lib/libxml2.so.2
(gdb) bt
#0  0x00002ba402eb738b in xmlXPathNodeSetAddUnique () from /usr/lib/libxml2.so.2
#1  0x00002ba402eb78f5 in ?? () from /usr/lib/libxml2.so.2
#2  0x00002ba402ec2b27 in ?? () from /usr/lib/libxml2.so.2
#3  0x00002ba402ec2f74 in ?? () from /usr/lib/libxml2.so.2
#4  0x00002ba402ec2948 in ?? () from /usr/lib/libxml2.so.2
#5  0x00002ba402ec413e in ?? () from /usr/lib/libxml2.so.2
#6  0x00002ba402ec8447 in ?? () from /usr/lib/libxml2.so.2
#7  0x00002ba402ec8619 in xmlXPathCompiledEval () from /usr/lib/libxml2.so.2
#8  0x00002ba402c1acc2 in xsltEvalXPathPredicate () from /usr/lib/libxslt.so.1
#9  0x00002ba402c16714 in ?? () from /usr/lib/libxslt.so.1
#10 0x00002ba402c17670 in xsltGetTemplate () from /usr/lib/libxslt.so.1
#11 0x00002ba402c2be52 in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#12 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#13 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#14 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#15 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#16 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#17 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#18 0x00002ba402c2bbca in xsltCallTemplate () from /usr/lib/libxslt.so.1
#19 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#20 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#21 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#22 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#23 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#24 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#25 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#26 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#27 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#28 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#29 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#30 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#31 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#32 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#33 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#34 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#35 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
---Type <return> to continue, or q <return> to quit---
#36 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#37 0x00002ba402c2bbca in xsltCallTemplate () from /usr/lib/libxslt.so.1
#38 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#39 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#40 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#41 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#42 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#43 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#44 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#45 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#46 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#47 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#48 0x00002ba402c2bbca in xsltCallTemplate () from /usr/lib/libxslt.so.1
#49 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#50 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#51 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#52 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#53 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#54 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#55 0x00002ba402c2e3bb in xsltCopy () from /usr/lib/libxslt.so.1
#56 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#57 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#58 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#59 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#60 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#61 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#62 0x00002ba402c2e3bb in xsltCopy () from /usr/lib/libxslt.so.1
#63 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#64 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#65 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#66 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#67 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#68 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#69 0x00002ba402c2e3bb in xsltCopy () from /usr/lib/libxslt.so.1
#70 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#71 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
---Type <return> to continue, or q <return> to quit---
#72 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#73 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#74 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#75 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#76 0x00002ba402c2e3bb in xsltCopy () from /usr/lib/libxslt.so.1
#77 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#78 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#79 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#80 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#81 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#82 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#83 0x00002ba402c2e3bb in xsltCopy () from /usr/lib/libxslt.so.1
#84 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#85 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#86 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#87 0x00002ba402c2fddf in ?? () from /usr/lib/libxslt.so.1
#88 0x00000000007929b5 in ?? ()
#89 0x0000000000792d3d in zif_xsl_xsltprocessor_transform_to_xml ()
#90 0x000000000081e2fa in ?? ()
#91 0x000000000081f062 in ?? ()
#92 0x000000000081dd96 in execute ()
#93 0x00000000007f5ef8 in zend_execute_scripts ()
#94 0x0000000000799679 in php_execute_script ()
#95 0x000000000087884a in main ()
(gdb) 
...And this one using "test.xml"...

Program received signal SIGABRT, Aborted.
[Switching to Thread 47939104691200 (LWP 29670)]
0x00002b99afce1cab in raise () from /lib/libc.so.6
(gdb) bt
#0  0x00002b99afce1cab in raise () from /lib/libc.so.6
#1  0x00002b99afce3660 in abort () from /lib/libc.so.6
#2  0x00002b99afd1966b in ?? () from /lib/libc.so.6
#3  0x00002b99afd1ee47 in ?? () from /lib/libc.so.6
#4  0x00002b99afd21122 in ?? () from /lib/libc.so.6
#5  0x00002b99afd2298d in malloc () from /lib/libc.so.6
#6  0x00002b99af9c19ce in xmlBufferCreate () from /usr/lib/libxml2.so.2
#7  0x00002b99af9ca8e6 in xmlAllocOutputBuffer () from /usr/lib/libxml2.so.2
#8  0x00002b99af748626 in xsltSaveResultToString () from /usr/lib/libxslt.so.1
#9  0x0000000000792d68 in zif_xsl_xsltprocessor_transform_to_xml ()
#10 0x000000000081e2fa in ?? ()
#11 0x000000000081f062 in ?? ()
#12 0x000000000081dd96 in execute ()
#13 0x00000000007f5ef8 in zend_execute_scripts ()
#14 0x0000000000799679 in php_execute_script ()
#15 0x000000000087884a in main ()
(gdb) 
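
The setup the report describes (input parsed with LIBXML_NOENT|LIBXML_DTDLOAD|LIBXML_DTDATTR, a custom stream wrapper answering the XPath document() function, XSLTProcessor::transformToXml) can be reproduced in shape with the script below; it is an added illustration, not the reporter's test.php or the taltastic project's code, and it does not trigger the crash. The second half shows the settings a defender would use for the same transform on untrusted input. The tal:// scheme, the in-memory documents and the stylesheet are constructed for this example; XSLTProcessor::setSecurityPrefs() and the XSL_SECPREF_* constants exist from PHP 5.4 on, so they were not available to the reporter's 5.2 build.

```php
<?php
// Added example for bug #41086, not the reporter's or the project's code.
// Part 1 mirrors the reported configuration; part 2 hardens it.

class TalWrapper
{
    public $context;            // filled in by PHP when a context is passed
    private $data = '';
    private $pos = 0;

    // Constructed in-memory "documents" served under the tal:// scheme.
    private static $docs = [
        'tal://fragment.xml' => '<fragment><item>included</item></fragment>',
    ];

    public function stream_open($path, $mode, $options, &$opened_path)
    {
        if (!isset(self::$docs[$path])) {
            return false;       // unknown resource: refuse rather than guess
        }
        $this->data = self::$docs[$path];
        return true;
    }

    public function stream_read($count)
    {
        $chunk = substr($this->data, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }

    public function stream_eof()
    {
        return $this->pos >= strlen($this->data);
    }

    public function stream_stat()
    {
        return ['size' => strlen($this->data)];
    }

    public function url_stat($path, $flags)
    {
        return isset(self::$docs[$path])
            ? ['size' => strlen(self::$docs[$path])]
            : false;
    }
}

stream_wrapper_register('tal', 'TalWrapper');

// Stylesheet that pulls a second document in through the wrapper, the way
// the report's stylesheet uses document() with a custom stream handler.
$xsl = <<<'XSL'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <out>
      <xsl:copy-of select="document('tal://fragment.xml')/fragment/item"/>
    </out>
  </xsl:template>
</xsl:stylesheet>
XSL;

$style = new DOMDocument();
$style->loadXML($xsl);

$source = '<?xml version="1.0"?><doc><p>hello</p></doc>';

// 1. The configuration the report describes. LIBXML_NOENT substitutes
//    entities and LIBXML_DTDLOAD fetches the external DTD, so a DOCTYPE
//    in the input can make the parser read external resources; use these
//    flags only on input you control.
$doc = new DOMDocument();
$doc->loadXML($source, LIBXML_NOENT | LIBXML_DTDLOAD | LIBXML_DTDATTR);

$proc = new XSLTProcessor();
$proc->importStylesheet($style);
echo $proc->transformToXml($doc);

// 2. The same transform for untrusted input: no entity substitution, no
//    DTD loading, no network access while parsing, and the processor
//    forbidden to read or write files, create directories, or read or
//    write the network. libxslt applies these checks to document()
//    lookups; a URL with a non-file scheme such as tal:// falls under the
//    network check (assumption: verify against your libxslt version), so
//    the lookup is refused with a warning instead of being served.
$safeDoc = new DOMDocument();
$safeDoc->loadXML($source, LIBXML_NONET);

$safeProc = new XSLTProcessor();
$safeProc->importStylesheet($style);
$safeProc->setSecurityPrefs(
    XSL_SECPREF_READ_FILE | XSL_SECPREF_WRITE_FILE |
    XSL_SECPREF_CREATE_DIRECTORY |
    XSL_SECPREF_READ_NETWORK | XSL_SECPREF_WRITE_NETWORK
);
echo $safeProc->transformToXml($safeDoc);
```

Run it with `php` on the command line (the xsl extension must be loaded). The first transform copies the wrapper-served item into the output; the second emits a libxslt warning about the refused read and produces an empty out element. The distinction matters because, as the report shows, everything document() fetches is parsed by libxml2 inside the transform, so restricting what the processor may fetch is the control a defender has over that code path.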
 [2007-04-14 19:28 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2007-04-15 08:19 UTC] judas dot iscariote at gmail dot com
Shortest possible way to reproduce I can find:

http://hell.kissofjudas.net/bug41086.tar.bz2

Execute the test.php file.

PHP Warning:  XSLTProcessor::transformToXml(): Invalid type in /home/cristian/talta/test/test.php on line 6

Warning: XSLTProcessor::transformToXml(): Invalid type in /home/cristian/talta/test/test.php on line 6
PHP Warning:  XSLTProcessor::transformToXml(): xmlXPathCompiledEval: 3 object left on the stack in /home/cristian/talta/test/test.php on line 6

Warning: XSLTProcessor::transformToXml(): xmlXPathCompiledEval: 3 object left on the stack in /home/cristian/talta/test/test.php on line 6

Program received signal SIGSEGV, Segmentation fault.
[snip: stripped libxml frames]
#85 0x00002ad626e0b8ce in php_xsl_apply_stylesheet (id=0xc77238, intern=0xc79a80, style=0xd66c20, docp=0xc7adf8)
    at /home/cristian/php5/ext/xsl/xsltprocessor.c:472
        newdocp = (xmlDocPtr) 0x7fff86737a30
        doc = (xmlDocPtr) 0xeb12b0
        node = (xmlNodePtr) 0xeb12b0
        ctxt = (xsltTransformContextPtr) 0xeb8160
        object = (php_libxml_node_object *) 0xc7a5a0
        params = (char **) 0xc7a920
        clone = 0
        doXInclude = (zval *) 0xad32a8
        member = (zval *) 0xc7ace0
        std_hnd = (zend_object_handlers *) 0xacbc00
#86 0x00002ad626e0bc66 in zif_xsl_xsltprocessor_transform_to_xml (ht=1, return_value=0xc79f78, return_value_ptr=0x0,
    this_ptr=0xc77238, return_value_used=1) at /home/cristian/php5/ext/xsl/xsltprocessor.c:583
        id = (zval *) 0xc77238
        docp = (zval *) 0xc7adf8
        newdocp = (xmlDoc *) 0xc79f78
        sheetp = (xsltStylesheetPtr) 0xd66c20
        ret = 24
        doc_txt_ptr = (xmlChar *) 0x7fff86737a30 "8zs\206�\177"
        doc_txt_len = 0
        intern = (xsl_object *) 0xc79a80
---Type <return> to continue, or q <return> to quit---
#87 0x000000000072c378 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff86737a90)
    at /home/cristian/php5/Zend/zend_vm_execute.h:200
        return_reference = 0 '\0'
        opline = (zend_op *) 0xc78eb0
        original_return_value = (zval **) 0x7fff867376d0
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 1
        should_change_scope = 1 '\001'
        ctor_opline = (zend_op *) 0x7fff86737a90
#88 0x000000000072d245 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff86737a90)
    at /home/cristian/php5/Zend/zend_vm_execute.h:322
No locals.
#89 0x000000000072bdc0 in execute (op_array=0xc77f70) at /home/cristian/php5/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0xc78eb0, function_state = {function_symbol_table = 0x0, function = 0xc43b30, reserved = {
      0x63006cfe49, 0x82cb80, 0xc780b0, 0x7fff86737b00}}, fbc = 0xc43b30, op_array = 0xc77f70, object = 0xc77238,
  Ts = 0x7fff86737760, CVs = 0x7fff86737730, original_in_execution = 0 '\0', symbol_table = 0xad3428,
  prev_execute_data = 0x0, old_error_reporting = 0x0}
#90 0x00000000007022f4 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cristian/php5/Zend/zend.c:1134
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff86737ca0, reg_save_area = 0x7fff86737be0}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fff8673a090
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
        local_retval = (zval *) 0x0
#91 0x000000000069fd01 in php_execute_script (primary_file=0x7fff8673a090) at /home/cristian/php5/main/main.c:1790
        realfile = "/home/cristian/talta/test/test.php\000_query_type\000\000�\006\000\000�\177\000\000�\231p\000\000\000\000\000rpl_probe\000\202\000\000\000\000\000�\006\000\000\000\000\000\000 \217s\206\017\000\000\000rpl_parse_enabled\000\000\000\000\000\000\000��\202\000\000\000\000\000�\006\000\000�\177\000\000�\231p\000\000\000\000\000rollback\000�\202\000\000\000\000\000�\006\000\000�\177\000\000�\231p\000\000\000\000\000real_query\000\000\000\000\000\000�\006\000\000�\177\000\000"...
        __orig_bailout = (jmp_buf *) 0x7fff86739f40
        __bailout = {{__jmpbuf = {47099221150688, -68967799470258375, 0, 140735449113296, 0, 0, -68967799470267079,
---Type <return> to continue, or q <return> to quit---
      -69095675644025930}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 47099218988917, 1, 0, 140733193389737,
        7379374, 47099240203304, 47099221150688, 140735449107936, 47099219010530, 47099243580752, 8461312, 11406816,
        7396952, 47099243579232}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fff86737cc0 ""
        retval = 0
#92 0x00000000007895c0 in main (argc=2, argv=0x7fff8673a2d8) at /home/cristian/php5/sapi/cli/php_cli.c:1127
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {47099221150688, -68967799470245783, 0, 140735449113296, 0, 0, -68967799470258391,
      -69095675645029879}, __mask_was_saved = 0, __saved_mask = {__val = {47099218973247, 0, 47099245814024, 1, 0, 1, 0, 0,
        0, 47099245817088, 47099221153344, 140735449112680, 4294967296, 47099243602800, 140735449112784, 47099243601920}}}}
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002', filename = 0x7fff8673bfdf "test.php", opened_path = 0x0, handle = {fd = 13219680,
    fp = 0xc9b760, stream = {handle = 0xc9b760, reader = 0x71c3a4 <zend_stream_stdio_reader>,
      closer = 0x71c3d0 <zend_stream_stdio_closer>, fteller = 0x71c3fa <zend_stream_stdio_fteller>, interactive = 0}},
  free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fff8673bfdf "test.php"
        arg_excp = (char **) 0x7fff8673a2e0
        script_file = 0x7fff8673bfdf "test.php"
        interactive = 0
        module_started = 1
        request_started = 1
---Type <return> to continue, or q <return> to quit---
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = 110
 [2007-04-15 10:02 UTC] harvey dot robin at gmail dot com
The method given by Christian also works fine to reproduce the crash.
 [2007-04-15 14:12 UTC] rrichards@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

This is a libxslt issue that is already fixed in that repository.
Last updated: Sun Dec 15 10:01:25 2019 UTC