Bug #69373 References to deleted XPath query results
Submitted: 2015-04-04 01:42 UTC Modified: 2015-04-04 08:58 UTC
Avg. Score:3.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: Assigned:
Status: Closed Package: DOM XML related
PHP Version: 5.5, 5.6, master OS: Linux
Private report: No CVE-ID: None
 [2015-04-04 01:42 UTC]
Creating a node list using the DOMXPath query() or evaluate() functions, then removing the nodes from the document by writing to nodeValue of an ancestor occasionally results in "double free or corruption" or "Segmentation fault". It can also result in the nodeValue text content being cropped.

Test script:
<?php
$doc = new DOMDocument();
for( $i=0; $i<20; $i++ ) {
	$doc->loadXML("<parent><child /><child /></parent>");
	$xpath = new DOMXpath($doc);
	// $all keeps references to every element, including the <child /> nodes
	$all = $xpath->query('//*');
	// writing nodeValue on the ancestor drops those children while $all still points at them
	$doc->firstChild->nodeValue = '';
}

Actual result:
#0  0x00007ffff698e107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff698f4e8 in __GI_abort () at abort.c:89
#2  0x00007ffff69cc204 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff6abefe0 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff69d19de in malloc_printerr (action=1, str=0x7ffff6abb09e "free(): invalid pointer", ptr=<optimized out>) at malloc.c:4996
#4  0x00007ffff69d26e6 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5  0x0000000000454bc8 in php_libxml_node_decrement_resource (object=0x68f1) at /tmp/php-src/ext/libxml/libxml.c:1330
#6  0x000000000052e785 in dom_objects_free_storage (object=0x7ffff606d218) at /tmp/php-src/ext/dom/php_dom.c:1045
#7  0x0000000000702992 in zend_objects_store_del (object=0x68f1) at /tmp/php-src/Zend/zend_objects_API.c:181
#8  0x00000000006d818b in i_zval_ptr_dtor (zval_ptr=0x7ffff605e908) at /tmp/php-src/Zend/zend_variables.h:57
#9  zend_array_destroy (ht=0x7ffff6057268) at /tmp/php-src/Zend/zend_hash.c:1179
#10 0x000000000052df71 in dom_nnodemap_object_dtor (object=0x7ffff606d1d8) at /tmp/php-src/ext/dom/php_dom.c:1136
#11 0x00000000007029ac in zend_objects_store_del (object=0x68f1) at /tmp/php-src/Zend/zend_objects_API.c:163
#12 0x0000000000719b63 in zend_assign_to_variable (value_type=4 '\004', value=0x7ffff6014150, variable_ptr=0x7ffff60140c0)
    at /tmp/php-src/Zend/zend_execute.h:102
#13 ZEND_ASSIGN_SPEC_CV_VAR_HANDLER () at /tmp/php-src/Zend/zend_vm_execute.h:31935
#14 0x0000000000707a1b in execute_ex (ex=<optimized out>) at /tmp/php-src/Zend/zend_vm_execute.h:394
#15 0x00000000006c73d5 in zend_execute_scripts (type=26865, type@entry=8, retval=0x68f1, retval@entry=0x0, file_count=6, file_count@entry=3)
    at /tmp/php-src/Zend/zend.c:1364
#16 0x000000000066cf68 in php_execute_script (primary_file=0x7fffffffcf20) at /tmp/php-src/main/main.c:2481
#17 0x000000000075f2da in do_cli (argc=26865, argv=0x68f1) at /tmp/php-src/sapi/cli/php_cli.c:967
#18 0x0000000000426c47 in main (argc=26865, argv=0x68f1) at /tmp/php-src/sapi/cli/php_cli.c:1334
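The following is an added example, not part of the bug report or of PHP's own code. It shows the same pattern in a form that does not hold an XPath result across the destructive write: the values needed from the DOMNodeList are copied out first, the list and the DOMXPath object are released, and only then is nodeValue rewritten. The function name collectChildNames and the sample XML are constructed for this example; the real fix is the 2017 change referenced below, and this is only the kind of workaround a practitioner would apply on a build that does not yet carry it.

```php
<?php
// Added example (not from bug #69373 or the PHP source). Demonstrates
// releasing the XPath result before the mutation that removes its nodes.

function collectChildNames(string $xml): array
{
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    $xpath = new DOMXPath($doc);
    $all = $xpath->query('//*');

    // Copy plain values out of the node list while the nodes are still alive.
    $names = [];
    foreach ($all as $node) {
        $names[] = $node->nodeName;
    }

    // Drop every reference to the XPath result before mutating the tree.
    // The reporter's script crashes because the node list is still alive
    // (and is torn down later) after its nodes were removed by the write below.
    unset($all, $xpath);

    // Destructive write: replaces all children of <parent> with a text node.
    $doc->documentElement->nodeValue = '';

    return $names;
}

// Constructed sample input, same shape as the reporter's test script.
$names = collectChildNames('<parent><child /><child /></parent>');
assert($names === ['parent', 'child', 'child']);
echo implode(',', $names), PHP_EOL;
```

The ordering is the whole point: anything extracted from a query result should be turned into ordinary PHP values before the document is modified, and the DOMNodeList should not outlive the nodes it refers to.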
 [2015-04-04 08:58 UTC]
-PHP Version: master-Git-2015-04-04 (Git) +PHP Version: 5.5, 5.6, master
 [2015-04-04 08:58 UTC]
Can reproduce on PHP 5.5 and 5.6 as well.
 [2017-06-02 22:42 UTC]
Automatic comment on behalf of ttoohey
Log: Fixed bug #69373
 [2017-06-02 22:42 UTC]
-Status: Open +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun May 19 18:01:33 2024 UTC