php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #41562 SimpleXML memory issue
Submitted: 2007-06-01 15:48 UTC Modified: 2008-01-30 15:31 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:0 (0.0%)
From: christian dot kaps at imaxx21 dot com Assigned: helly
Status: Closed Package: SimpleXML related
PHP Version: 5.2.3 OS: Ubuntu 7.04 (Feisty)
Private report: No CVE-ID:
 [2007-06-01 15:48 UTC] christian dot kaps at imaxx21 dot com
Description:
------------
Hi

I get a segmentation fault error in My apache logs. The problem is that I can reprocude the error in our environment but i can`t locate the error in the script.

I hope the backtrace helps.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1216653632 (LWP 13009)]
zend_hash_destroy (ht=0x844562b) at /usr/src/php-5.2.3/Zend/zend_hash.c:524
524                     p = p->pListNext;
(gdb) bt
#0  zend_hash_destroy (ht=0x844562b) at /usr/src/php-5.2.3/Zend/zend_hash.c:524
#1  0xb74bf853 in zend_object_std_dtor (object=0x8445b0c, tsrm_ls=0x818c650) at /usr/src/php-5.2.3/Zend/zend_objects.c:45
#2  0xb74bf889 in zend_objects_free_object_storage (object=0x8445b0c, tsrm_ls=0x818c650) at /usr/src/php-5.2.3/Zend/zend_objects.c:122
#3  0xb74c3056 in zend_objects_store_del_ref_by_handle (handle=70, tsrm_ls=0x818c650) at /usr/src/php-5.2.3/Zend/zend_objects_API.c:206
#4  0xb74c30af in zend_objects_store_del_ref (zobject=0x8445758, tsrm_ls=0x818c650) at /usr/src/php-5.2.3/Zend/zend_objects_API.c:168
#5  0xb74a3c39 in _zval_dtor_func (zvalue=0x8445758) at /usr/src/php-5.2.3/Zend/zend_variables.c:52
#6  0xb7497058 in _zval_ptr_dtor (zval_ptr=0x8432ef0) at /usr/src/php-5.2.3/Zend/zend_variables.h:35
#7  0xb74af266 in zend_hash_destroy (ht=0xb6c66fa4) at /usr/src/php-5.2.3/Zend/zend_hash.c:526
#8  0xb74bf853 in zend_object_std_dtor (object=0x842d3d8, tsrm_ls=0x818c650) at /usr/src/php-5.2.3/Zend/zend_objects.c:45
#9  0xb74bf889 in zend_objects_free_object_storage (object=0x842d3d8, tsrm_ls=0x818c650) at /usr/src/php-5.2.3/Zend/zend_objects.c:122
#10 0xb74c3056 in zend_objects_store_del_ref_by_handle (handle=65, tsrm_ls=0x818c650) at /usr/src/php-5.2.3/Zend/zend_objects_API.c:206
#11 0xb74c30af in zend_objects_store_del_ref (zobject=0x8431da0, tsrm_ls=0x818c650) at /usr/src/php-5.2.3/Zend/zend_objects_API.c:168
#12 0xb74a3c39 in _zval_dtor_func (zvalue=0x8431da0) at /usr/src/php-5.2.3/Zend/zend_variables.c:52
#13 0xb7497058 in _zval_ptr_dtor (zval_ptr=0xb6c3cbc0) at /usr/src/php-5.2.3/Zend/zend_variables.h:35
#14 0xb74af266 in zend_hash_destroy (ht=0xb6c3c858) at /usr/src/php-5.2.3/Zend/zend_hash.c:526
#15 0xb74bf853 in zend_object_std_dtor (object=0xb6c42178, tsrm_ls=0x818c650) at /usr/src/php-5.2.3/Zend/zend_objects.c:45
#16 0xb74bf889 in zend_objects_free_object_storage (object=0xb6c42178, tsrm_ls=0x818c650) at /usr/src/php-5.2.3/Zend/zend_objects.c:122
#17 0xb74c2b44 in zend_objects_store_free_object_storage (objects=0x81e4d70, tsrm_ls=0x818c650) at /usr/src/php-5.2.3/Zend/zend_objects_API.c:89
#18 0xb74976b8 in shutdown_executor (tsrm_ls=0x818c650) at /usr/src/php-5.2.3/Zend/zend_execute_API.c:299
#19 0xb74a4339 in zend_deactivate (tsrm_ls=0x818c650) at /usr/src/php-5.2.3/Zend/zend.c:860
#20 0xb745badc in php_request_shutdown (dummy=0x0) at /usr/src/php-5.2.3/main/main.c:1317
#21 0xb752607b in php_handler (r=0x83592f0) at /usr/src/php-5.2.3/sapi/apache2handler/sapi_apache2.c:463
#22 0x08079099 in ap_run_handler ()
#23 0x0807c3e1 in ap_invoke_handler ()
#24 0x0808947a in ap_internal_redirect ()
#25 0xb7782d10 in ?? () from /usr/lib/apache2/modules/mod_rewrite.so
#26 0x083592e0 in ?? ()
#27 0x08350cc0 in ?? ()
#28 0x00000000 in ?? ()


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-06-05 07:47 UTC] christian dot kaps at imaxx21 dot com
Sorry for my poor englisch.

I think this script is the trigger for this problem. But it is not the only one. I can`t say what the other is!?

<?php
class Config_SimpleXML extends SimpleXMLIterator
{
	public function xpath($query, $index = null)
	{
		$result = parent::xpath($query);
		
		if (!$result) {
			return array();
		} elseif (is_numeric($index)) {
			return $result[(int) $index];
		}
		
		return $result;
	}
	
	public function parent()
	{
		$parent = $this->xpath('parent::*', 0);
		
		return $parent;
	}
	
	public function removeChild(Config_SimpleXML $child)
	{
		$cnt = 0;
		$childXml = $child->asXml();
		$this->rewind();
		while ($this->valid()) {
			if ($childXml === $this->current()->asXml()) {
				if (isset($this->{$this->key()}->{$cnt})) {
					unset($this->{$this->key()}->{$cnt});
				} else {
					unset($this->{$this->key()});
				}
				
				break;
			}
			$cnt++;
			$this->next();
		}
		$this->rewind();
	}
}

$xml = '<config><parent><child>text</child></parent></config>';
$xml = simplexml_load_string($xml, 'Config_SimpleXML');

$element = $xml->xpath('.//child', 0);
$element->parent()->removeChild($element);

?>

I use this to remove a node from an xml document. When i use the dom object to remove the node, the error doesn`t occur.

What I can say is that the error occurs not ever when i call the removeChild method. I have a script which has 2 calls of this method. The first call is ok the second throws this error. Whereat not the call himself is the segfault trigger, but in our environment where i can reproduce the error it is a exit statement that throws the segfault error.

A downgrade to version 5.2.2. fix this issue. I can remember that in version 5.1.6 the error occurs too.
 [2007-06-05 08:27 UTC] tony2001@php.net
>A downgrade to version 5.2.2. fix this issue.
I can reproduce it with 5.2.2, 5.2.1 and 5.2.0, so you seem to be wrong here.
Assigned to the extension maintainer (has nothing to do with the engine).
 [2007-06-07 12:14 UTC] christian dot kaps at imaxx21 dot com
>>A downgrade to version 5.2.2. fix this issue.
<I can reproduce it with 5.2.2, 5.2.1 and 5.2.0, so you seem to be wrong here.

You are right. The error occurs with version 5.2.2 too.
Can you tell me about the status of this bug?
 [2007-06-07 12:19 UTC] tony2001@php.net
It's assigned to the the maintainer.
 [2007-06-08 01:15 UTC] stas@php.net
FWIW, works for me on Linux Fedora 6, 5.2 CVS. Libxml is 2.6.28
 [2007-09-07 09:46 UTC] jani@php.net
Does this still happen with PHP 5.2.4?
 [2007-09-07 11:57 UTC] christian dot kaps at imaxx21 dot com
I can`t test it. Currently we use the dom extension to fix this issue in our sytem and i could only reproduce it there. With the single code snippet I couldn`t reproduce the error.

Perhaps tony2001 can test it? He could reproduce it with the snippet.
 [2007-09-07 13:03 UTC] jani@php.net
Antony, can you check this? (I can't reproduce it..)
 [2007-09-07 13:48 UTC] tony2001@php.net
Yes, I still can reproduce it:
==23397== Invalid read of size 8
==23397==    at 0x43F714: php_libxml_node_decrement_resource (libxml.c:1036)
==23397==    by 0x4FC4DD: sxe_object_free_storage (simplexml.c:1934)
==23397==    by 0x642746: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==23397==    by 0x64259E: zend_objects_store_del_ref (zend_objects_API.c:168)

etc..
 [2008-01-30 15:31 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 06:02:13 2014 UTC