Bug #42462 Segmentation when trying to set an attribute in a DOMElement
Submitted: 2007-08-28 16:33 UTC Modified: 2007-08-30 16:34 UTC
From: romain dot lalaut at laposte dot net Assigned: rrichards
Status: Closed Package: DOM XML related
PHP Version: 5.2CVS-2007-08-28 OS: Linux Ubuntu 2.6.20-16-server
Private report: No CVE-ID:
 [2007-08-28 16:33 UTC] romain dot lalaut at laposte dot net
Description:
------------
When I try to set an attribute in a DOMElement instance, a segmentation fault may occur (not for every element but always the same).

PHP 5.2.1 (cli) (built: Jul 17 2007 18:14:23)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

My phpinfo() : http://paste-it.net/3324


Reproduce code:
---------------
/* XML code

	<div id="one">
		<div id="one_a" />
		<div id="one_b" />
	</div>
	<div id="two"></div>
*/


$els = $view->getElementsByXPath( "/xhtml:html[1]/xhtml:body[1]//xhtml:*[@id]" ); // It works and $els is an iterator of DOMElement encapsulated in home-made objects

foreach($els as $el)
{
	echo('ID : '.$el->getAttribute('id')."\n"); flush();
	$el->setAttribute('id', 'foo');
	echo("OK\n"); flush();
}

Expected result:
----------------
ID : one
OK
ID : one_a
OK
ID : one_b 
OK
ID : two
OK


Actual result:
--------------
ID : one
[Segmentation fault]


GDB backtrace

#0  0x080db409 in php_dom_object_get_data (obj=0x656e6f) at /tmp/php5.2-200708281430/ext/dom/php_dom.c:242
#1  0x080e0140 in node_list_unlink (node=0x656e6f) at /tmp/php5.2-200708281430/ext/dom/php_dom.c:931
#2  0x080e01a0 in node_list_unlink (node=0x8676f20) at /tmp/php5.2-200708281430/ext/dom/php_dom.c:948
#3  0x080e8509 in zif_dom_element_set_attribute (ht=2, return_value=0x8711f08, return_value_ptr=0x0, this_ptr=0x87101c0, return_value_used=0) at /tmp/php5.2-200708281430/ext/dom/element.c:308
#4  0x0833fb70 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfc12100) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:200
#5  0x083407bd in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfc12100) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:322
#6  0x0833f6c0 in execute (op_array=0x866bfa4) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:92
#7  0x0833fcea in zend_do_fcall_common_helper_SPEC (execute_data=0xbfc126b0) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:234
#8  0x083407bd in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfc126b0) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:322
#9  0x0833f6c0 in execute (op_array=0x870169c) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:92
#10 0x0833fcea in zend_do_fcall_common_helper_SPEC (execute_data=0xbfc12ba0) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:234
#11 0x083407bd in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfc12ba0) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:322
#12 0x0833f6c0 in execute (op_array=0x86ee670) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:92
#13 0x0833fcea in zend_do_fcall_common_helper_SPEC (execute_data=0xbfc12d10) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:234
#14 0x083407bd in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfc12d10) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:322
#15 0x0833f6c0 in execute (op_array=0x86dcff8) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:92
#16 0x0833fcea in zend_do_fcall_common_helper_SPEC (execute_data=0xbfc13740) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:234
#17 0x083407bd in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfc13740) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:322
#18 0x0833f6c0 in execute (op_array=0x86dbb84) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:92
#19 0x0833fcea in zend_do_fcall_common_helper_SPEC (execute_data=0xbfc13c00) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:234
#20 0x083407bd in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfc13c00) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:322
#21 0x0833f6c0 in execute (op_array=0x85928b4) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:92
#22 0x0833fcea in zend_do_fcall_common_helper_SPEC (execute_data=0xbfc140f0) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:234
#23 0x083407bd in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfc140f0) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:322
#24 0x0833f6c0 in execute (op_array=0x8538d2c) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:92
#25 0x0831aaf5 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/php5.2-200708281430/Zend/zend.c:1134
#26 0x082c6d91 in php_execute_script (primary_file=0xbfc16468) at /tmp/php5.2-200708281430/main/main.c:1982
#27 0x083944c1 in main (argc=3, argv=0xbfc165d4) at /tmp/php5.2-200708281430/sapi/cli/php_cli.c:1140
(gdb) frame 4
#4  0x0833fb70 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfc12100) at /tmp/php5.2-200708281430/Zend/zend_vm_execute.h:200
200                             ((zend_internal_function *) EX(function_state).function)->handler(opline->extended_value, EX_T(opline->result.u.var).var.ptr, EX(function_state).function->common.return_reference?&EX_T(opline->result.u.var).var.ptr:NULL, EX(object), return_value_used TSRMLS_CC);
(gdb) frame 3
#3  0x080e8509 in zif_dom_element_set_attribute (ht=2, return_value=0x8711f08, return_value_ptr=0x0, this_ptr=0x87101c0, return_value_used=0) at /tmp/php5.2-200708281430/ext/dom/element.c:308
308                     node_list_unlink(attr->children TSRMLS_CC);
(gdb) frame 2
#2  0x080e01a0 in node_list_unlink (node=0x8676f20) at /tmp/php5.2-200708281430/ext/dom/php_dom.c:948
948                                             node_list_unlink((xmlNodePtr) node->properties TSRMLS_CC);
(gdb) frame 1
#1  0x080e0140 in node_list_unlink (node=0x656e6f) at /tmp/php5.2-200708281430/ext/dom/php_dom.c:931
931                     wrapper = php_dom_object_get_data(node);
(gdb) frame 0
#0  0x080db409 in php_dom_object_get_data (obj=0x656e6f) at /tmp/php5.2-200708281430/ext/dom/php_dom.c:242
242             if (obj && obj->_private != NULL) {

 [2007-08-28 16:36 UTC] scottmac@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows (zip):
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi

5.2.1 is relatively old; if you're going to report a bug, at least try the latest version.
 [2007-08-28 20:28 UTC] romain dot lalaut at laposte dot net
Sorry, I'm tired... The version I used for the test is
PHP 5.2.4RC4-dev (cli) (built: Aug 28 2007 17:24:11) (DEBUG)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

And make test reports some bugs (4), but not for DOM...
 [2007-08-29 06:09 UTC] romain dot lalaut at laposte dot net
<?php

$xml = <<<foo
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head></head>
<body>
	
	<div id="container">
		<div id="header"></div>
		<div id="content"></div>
	</div>
	<div id="footer">
	</div>
</body>
</html>

foo;

$doc = new DOMDocument( '1.0.', 'utf-8' );
$doc->loadXML( $xml, LIBXML_COMPACT );
$xpath = new DOMXPath( $doc );
$xpath->registerNamespace( 'xhtml', 'http://www.w3.org/1999/xhtml' );
$res = $xpath->query( "/xhtml:html[1]/xhtml:body[1]//xhtml:*[@id]", $doc->documentElement );

foreach($res as $el)
{
	echo('ID : '.$el->getAttribute('id')."\n"); flush();
	$el->setAttribute('id', 'foo');
	echo("OK\n"); flush();
}
?>

But if I remove LIBXML_COMPACT, it works perfectly...
 [2007-08-29 06:15 UTC] romain dot lalaut at laposte dot net
For your information, if I import the nodes and copy them into another document, there is no problem even with LIBXML_COMPACT.
 [2007-08-29 09:55 UTC] jani@php.net
Same backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x080e8785 in php_dom_object_get_data (obj=0x64616568) at /home/jani/src/php-5.2/ext/dom/php_dom.c:242
242             if (obj && obj->_private != NULL) {
(gdb) bt
#0  0x080e8785 in php_dom_object_get_data (obj=0x64616568) at /home/jani/src/php-5.2/ext/dom/php_dom.c:242
#1  0x080ed4bc in node_list_unlink (node=0x64616568) at /home/jani/src/php-5.2/ext/dom/php_dom.c:931
#2  0x080ed51c in node_list_unlink (node=0x8c59438) at /home/jani/src/php-5.2/ext/dom/php_dom.c:948
#3  0x080f55b1 in zif_dom_element_set_attribute (ht=2, return_value=0x8c29930, return_value_ptr=0x0, this_ptr=0x8c2903c, return_value_used=0)
    at /home/jani/src/php-5.2/ext/dom/element.c:308
#4  0x08303d68 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfb0a4c4) at /home/jani/src/php-5.2/Zend/zend_vm_execute.h:200
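
Added triage example (not part of the original report or of PHP's own code): the faulting pointers in the two backtraces above, 0x656e6f and 0x64616568, are printable ASCII when read as little-endian 32-bit values and match the start of `id` values from the reproducers. The script flags such string-as-pointer arguments; the helper names, the 32-bit little-endian assumption and the shortened sample frames are constructed for illustration.

```python
import re

# Constructed sample: frames taken from the two backtraces in this report,
# with the source paths shortened.
SAMPLE = """\
#0  0x080db409 in php_dom_object_get_data (obj=0x656e6f) at ext/dom/php_dom.c:242
#1  0x080e0140 in node_list_unlink (node=0x656e6f) at ext/dom/php_dom.c:931
#2  0x080e01a0 in node_list_unlink (node=0x8676f20) at ext/dom/php_dom.c:948
#0  0x080e8785 in php_dom_object_get_data (obj=0x64616568) at ext/dom/php_dom.c:242
#2  0x080ed51c in node_list_unlink (node=0x8c59438) at ext/dom/php_dom.c:948
"""

# id values used in the two reproducers on this page.
IDS = ["one", "one_a", "one_b", "two", "container", "header", "content", "footer"]

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\w+) \((.*)\) at", re.M)
ARG_RE = re.compile(r"(\w+)=0x([0-9a-f]+)")


def ascii_view(value, width=4, min_len=3):
    """Return the pointer's bytes as text if they are all printable ASCII."""
    if value >= 1 << (8 * width):
        return None  # does not fit the assumed pointer width
    raw = value.to_bytes(width, "little").rstrip(b"\x00")
    if len(raw) >= min_len and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def suspicious_pointers(backtrace, known_strings=IDS):
    """List (frame, function, argument, text, matching strings) for pointer
    arguments that look like string data rather than addresses."""
    hits = []
    for frame, func, args in FRAME_RE.findall(backtrace):
        for name, hexval in ARG_RE.findall(args):
            text = ascii_view(int(hexval, 16))
            if text is not None:
                matches = [s for s in known_strings if s.startswith(text)]
                hits.append((int(frame), func, name, text, matches))
    return hits


if __name__ == "__main__":
    for hit in suspicious_pointers(SAMPLE):
        print(hit)
```

A pointer argument that decodes to document text is a sign that string bytes were followed as a node pointer, which narrows the search to the code path that produced that argument (here `node->properties` at php_dom.c:948).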

 [2007-08-30 16:34 UTC] rrichards@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Sun Apr 20 10:02:06 2014 UTC