Bug #53569 Intermittent Seg Fault during DOMDocument clean up
Submitted: 2010-12-18 06:11 UTC Modified: 2011-02-17 20:58 UTC
From: chris dot richard at gmail dot com Assigned:
Status: Not a bug Package: DOM XML related
PHP Version: 5.3.2 OS: Linux (Ubuntu 10)
Private report: No CVE-ID: None
 [2010-12-18 06:11 UTC] chris dot richard at gmail dot com
Description:
------------
libxml causes a seg fault *intermittently* after all PHP user code has finished 
running.

I'm using DOMFragment to parse chunks of XHTML and append them to a DOMDocument 
which gets output (via saveHTML) once it's completely assembled. The output 
completes successfully but at least half the time I get a seg fault related to the 
clean up of the DOMDocument and no response is sent to the client.

Core Dump:

#0  0x00007fb2f77c6e6f in xmlDictOwns () from /usr/lib/libxml2.so.2
#1  0x00007fb2f77276a7 in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#2  0x00007fb2f76ff85f in ?? () from /usr/lib/libxml2.so.2
#3  0x00007fb2f772f256 in xmlHashFree () from /usr/lib/libxml2.so.2
#4  0x00007fb2f7727335 in xmlFreeDtd () from /usr/lib/libxml2.so.2
#5  0x00007fb2f772746a in xmlFreeDoc () from /usr/lib/libxml2.so.2
#6  0x00007fb2f8409d5b in php_libxml_decrement_doc_ref () from /usr/lib/apache2/modules/libphp5.so
#7  0x00007fb2f842e8cf in ?? () from /usr/lib/apache2/modules/libphp5.so
#8  0x00007fb2f8661adc in zend_objects_store_del_ref_by_handle_ex () from /usr/lib/apache2/modules/libphp5.so
#9  0x00007fb2f8661b03 in zend_objects_store_del_ref () from /usr/lib/apache2/modules/libphp5.so
#10 0x00007fb2f86301cd in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#11 0x00007fb2f8649198 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#12 0x00007fb2f863c19f in _zval_dtor_func () from /usr/lib/apache2/modules/libphp5.so
#13 0x00007fb2f86301cd in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#14 0x00007fb2f8649198 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#15 0x00007fb2f865e0d9 in zend_object_std_dtor () from /usr/lib/apache2/modules/libphp5.so
#16 0x00007fb2f865e0f9 in zend_objects_free_object_storage () from /usr/lib/apache2/modules/libphp5.so
#17 0x00007fb2f8661adc in zend_objects_store_del_ref_by_handle_ex () from /usr/lib/apache2/modules/libphp5.so
#18 0x00007fb2f8661b03 in zend_objects_store_del_ref () from /usr/lib/apache2/modules/libphp5.so
#19 0x00007fb2f86301cd in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#20 0x00007fb2f8649198 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#21 0x00007fb2f863c19f in _zval_dtor_func () from /usr/lib/apache2/modules/libphp5.so
#22 0x00007fb2f86301cd in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#23 0x00007fb2f8649198 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#24 0x00007fb2f865e0d9 in zend_object_std_dtor () from /usr/lib/apache2/modules/libphp5.so
#25 0x00007fb2f865e0f9 in zend_objects_free_object_storage () from /usr/lib/apache2/modules/libphp5.so
#26 0x00007fb2f86615ec in zend_objects_store_free_object_storage () from /usr/lib/apache2/modules/libphp5.so
#27 0x00007fb2f86305c5 in ?? () from /usr/lib/apache2/modules/libphp5.so
#28 0x00007fb2f863cee2 in ?? () from /usr/lib/apache2/modules/libphp5.so
#29 0x00007fb2f85e8b75 in php_request_shutdown () from /usr/lib/apache2/modules/libphp5.so



 [2010-12-18 06:16 UTC] chris dot richard at gmail dot com
-Operating System: Linux (Ubuntu)
+Operating System: Linux (Ubuntu 10)
-PHP Version: 5.3.4
+PHP Version: 5.3.2
 [2010-12-18 06:16 UTC] chris dot richard at gmail dot com
PHP 5.3.2
libxml 2.7.6
 [2010-12-18 16:57 UTC] cataphract@php.net
-Status: Open
+Status: Feedback
 [2010-12-18 16:57 UTC] cataphract@php.net
Can you provide a small script that reproduces this issue?

It's complicated to find the error from backtraces that happen in the destruction phase; by this time the harm has long been done.

Also please use the latest version of PHP.

Thank you.
 [2010-12-20 17:30 UTC] chris dot richard at gmail dot com
-Status: Feedback
+Status: Open
 [2010-12-20 17:30 UTC] chris dot richard at gmail dot com
This script reproduces the issue fairly consistently on my machine:

<?php
	$doc = new DOMDocument();
	$doc->loadXML(
		"<?xml version='1.0'?>".
		'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" 
"http://www.w3.org/TR/html4/strict.dtd" [
			<!ENTITY nbsp  "&#160;">
			<!ENTITY copy  "&#169;">
			<!ENTITY ndash "&#8211;">
			<!ENTITY mdash "&#8212;">
		]>'.
		"<html/>");

	$fragment = $doc->createDocumentFragment();
	$fragment->appendXML("<head></head><body><insert/></body>");
	
	$doc->documentElement->appendChild($fragment);
	
	ob_start();
?>
	
<ul>
<li>lorem ipsum dolor sit amet lorem ipsum dolor sit amet lorem ipsum dolor sit 
amet</li>
<li>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</li>
<li>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</li>
<li>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</li>
</ul>
<h2>lorem ipsum dolor sit amet lorem ipsum dolor sit amet   
<hr />
</h2>
<p>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</p>
<p>When the mortgage rate is 'fixed' it means that the rate (%) is set for the 
duration of the term, whereas with a variable mortgage rate, the rate fluctuates 
with the market interest rate, known as the 'prime rate'.  So, for example, if 
the 5 year fixed mortgage rate is 4%, then you will pay 4% interest throughout 
the term of the mortgage.</p>
<p>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</p>

<h2>Popularity of the 5-year fixed rate       
<hr />
</h2>
<h3 class="table-title">Mortgages by length of term and age group</h3>
<table cellspacing="0">
<thead> 
<tr class="group-header">
<th>&nbsp;</th> <th colspan="4">Age group</th>
</tr>
<tr class="column-headers">
<th>&nbsp;</th> <th>18-34</th> <th>35-54</th> <th>55+</th> <th class="total">All 
ages</th>
</tr>
</thead> 
<tbody>
<tr class="alternate">
<th>1 year term</th>
<td>5%</td>
<td>7%</td>
<td>6%</td>
<td class="total">6%</td>
</tr>
<tr>
<th>2-4 year term</th>
<td>27%</td>
<td>18%</td>
<td>12%</td>
<td class="total">20%</td>
</tr>
<tr class="highlight">
<th>5 year term</th>
<td>66%</td>
<td>65%</td>
<td>69%</td>
<td class="total">66%</td>
</tr>
<tr>
<th>6-10 year term</th>
<td>3%</td>
<td>9%</td>
<td>10%</td>
<td class="total">7%</td>
</tr>
<tr class="alternate">
<th>&gt;10 year term</th>
<td>0</td>
<td>0</td>
<td>2%</td>
<td class="total">1%</td>
</tr>
</tbody>
</table>

<?php
	$output = ob_get_clean();
	$fragment = $doc->createDocumentFragment();
	$fragment->appendXML($output);

	$xpath = new DOMXpath($doc);
	$insert = $xpath->query(".//insert")->item(0);
	$insert->parentNode->replaceChild($fragment, $insert);

	echo $doc->saveHTML();		
?>
 [2011-02-17 20:58 UTC] rrichards@php.net
-Status: Open
+Status: Bogus
 [2011-02-17 20:58 UTC] rrichards@php.net
This is a bug in libxml2 which will be fixed in its 2.7.9 release. Unfortunately 
there is no simple workaround that can be done in the DOM extension for this 
without adding significant overhead just for this specific case.
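
A crash-triage sketch, added here and not part of the bug report, PHP or libxml2: it checks whether a gdb backtrace has the shape reported above (fault inside libxml2, reached through xmlFreeDoc and php_libxml_decrement_doc_ref during php_request_shutdown) and whether the linked libxml2 predates the 2.7.9 release named in the final reply. The function names, the abridged sample and the matching rule are assumptions of this example; a match is a heuristic for bucketing crashes, not proof of the same defect.

```python
import re

# Constructed sample: frames abridged from the backtrace in this report,
# including the two ways the "from <library>" part wraps onto a new line.
SAMPLE_BT = """\
#0  0x00007fb2f77c6e6f in xmlDictOwns () from /usr/lib/libxml2.so.2
#1  0x00007fb2f77276a7 in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#5  0x00007fb2f772746a in xmlFreeDoc () from /usr/lib/libxml2.so.2
#6  0x00007fb2f8409d5b in php_libxml_decrement_doc_ref ()
   from /usr/lib/apache2/modules/libphp5.so
#29 0x00007fb2f85e8b75 in php_request_shutdown () from
/usr/lib/apache2/modules/libphp5.so
"""

# "#N  0xADDR in FUNC () from LIB"; \s+ also spans line wraps.
FRAME = re.compile(r"#(\d+)\s+0x[0-9a-f]+ in (\S+) \(\)\s+from\s+(\S+)")
FIXED_IN = (2, 7, 9)  # libxml2 release named in the maintainer's reply
# Call chain (innermost first) assumed to characterise this report.
CHAIN = ["xmlFreeDoc", "php_libxml_decrement_doc_ref", "php_request_shutdown"]


def parse_frames(text):
    """Return [(index, function, library)] for each gdb frame in text."""
    return [(int(n), fn, lib) for n, fn, lib in FRAME.findall(text)]


def version_tuple(version):
    """'2.7.6' or '2.7.6-1ubuntu' -> (2, 7, 6)."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def matches_bug_53569(backtrace, libxml2_version):
    """Heuristic: same crash shape as the report and a pre-fix libxml2."""
    frames = parse_frames(backtrace)
    if not frames or frames[0][0] != 0 or "libxml2" not in frames[0][2]:
        return False  # the faulting frame was not inside libxml2
    funcs = [fn for _, fn, _ in frames]
    if any(fn not in funcs for fn in CHAIN):
        return False  # not a document free during request shutdown
    positions = [funcs.index(fn) for fn in CHAIN]
    in_order = positions == sorted(positions)
    return in_order and version_tuple(libxml2_version) < FIXED_IN
```

From PHP, the linked libxml2 version to pass in is available as the `LIBXML_DOTTED_VERSION` constant.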
 