Bug #69846 Segmentation fault (access violation) when iterating over DOMNodeList
Submitted: 2015-06-16 07:04 UTC Modified: 2015-06-19 10:49 UTC
From: jan dot slabon at setasign dot com Assigned: ab
Status: Closed Package: Reproducible crash
PHP Version: 7.0.0alpha1 OS: Windows 7 Pro (x64)
Private report: No CVE-ID:
 [2015-06-16 07:04 UTC] jan dot slabon at setasign dot com
Description:
------------
I'm using the "VC14 x64 Thread Safe" version with following extensions enabled:
extension=php_mbstring.dll
extension=php_openssl.dll
extension=php_pdo_mysql.dll
extension=php_pdo_sqlite.dll
extension=php_soap.dll
extension=php_sqlite3.dll

I encounter a problem when iterating over a DOMNodeList object while overwriting the $value:

// $dataNodes is a DOMNodeList from one document, $datasetDom is a second DOMDocument
foreach ($dataNodes as $node) {
    // the loop variable is overwritten with the imported copy; this is the pattern that crashes
    $node = $datasetDom->importNode($node, true);
    // ...
}

Actually I'm not able to reproduce this in isolation from our unit tests, but at least I have a backtrace (that's what I get if I follow this guide: https://bugs.php.net/bugs-generating-backtrace-win32.php) - see actual result.

I can provide the full dump if necessary.

The behaviour is very strange because it can be manipulated/suppressed by simply removing an entry from another array in another scope which will never be used. Or by simply running the test without other ones which are absolutely independent from each other.

Actual result:
--------------
Thread report

Thread 0 - System ID 8580

Entry point
  php!mainCRTStartup
Create time
  15.06.2015 23:06:26

Time spent in user mode
  0 Days 00:00:00.093

Time spent in kernel mode
  0 Days 00:00:00.312


Function
php7ts!php_dom_create_object+36
php7ts!php_dom_iterator_move_forward+154
php7ts!ZEND_FE_FETCH_R_SPEC_VAR_HANDLER+206
php7ts!execute_ex+38
php7ts!zend_call_function+367bd3
php7ts!zim_reflection_method_invokeArgs+363
php7ts!ZEND_DO_FCALL_SPEC_HANDLER+10a
php7ts!execute_ex+38
php7ts!zend_execute+1db
php7ts!zend_execute_scripts+13e
php7ts!php_execute_script+521
php!do_cli+73c
php!main+400
php!__scrt_common_main_seh+124
kernel32!BaseThreadInitThunk+d
ntdll!RtlUserThreadStart+1d

Exception Information

PHP7TS!PHP_DOM_CREATE_OBJECT+36

In php__PID__8788__Date__06_15_2015__Time_11_06_29PM__945__Second_Chance_Exception_C0000005.dmp the assembly instruction at php7ts!php_dom_create_object+36 in C:\php 7.0.0alpha1\php7ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x00000000 on thread 0

History

 [2015-06-16 07:38 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2015-06-16 07:38 UTC] ab@php.net
Thanks for the report. Yep, a dump would be useful.

Also an idea - if it is only reproducible with PHPUnit, maybe it could make sense to create a suite with just that one unit test as a reproduce case (of course only if it does repro then)?

Thanks.
 [2015-06-16 07:53 UTC] jan dot slabon at setasign dot com
-Status: Feedback +Status: Open
 [2015-06-16 07:53 UTC] jan dot slabon at setasign dot com
Here's the log and dump:
https://www.setasign.com/files/php.net/69846/php__PID__8788__Date__06_15_2015__Time_11_06_27PM__48__Log.txt
https://www.setasign.com/files/php.net/69846/php__PID__8788__Date__06_15_2015__Time_11_06_29PM__945__Second_Chance_Exception_C0000005.dmp

I am going to investigate further to see if we have a chance to extract a reproduce case. As it seems to be a memory problem it simply relies on other (absolutely independent) code. Running the test alone works. Running two tests in a folder will crash...
 [2015-06-16 10:03 UTC] ab@php.net
Thanks for the dump. Maybe it'll help if I say that the crash happens in SetaPDF_FormFiller_XfaTest, maybe it needs some more stress for a reproduce. But I'll dig further in the meanwhile.

Thanks.
 [2015-06-16 10:47 UTC] jan dot slabon at setasign dot com
While I am trying to reproduce it, its behaviour becomes much more strange: yesterday evening the crash was reproducible with test item no. 13. Today it's no. 10...

I am going to clean up the whole package so that only the files needed to reproduce this issue are left. Anyhow, I would ask you to confirm that these files will not be used further or made public, because they are part of proprietary products. Can I send it to ab@php.net?
 [2015-06-16 12:34 UTC] jan dot slabon at setasign dot com
I just sent a reproduce case to ab@php.net.
 [2015-06-16 21:35 UTC] jan dot slabon at setasign dot com
While doing further tests I encountered a similar problem (no segmentation fault), but to me it looks related, as it only happens if I edit the $value ($node) in the foreach loop. A reproduce case is available here: http://3v4l.org/MNakn If this is not related, feel free to tell me and I am going to open another bug report.
 [2015-06-18 17:44 UTC] ab@php.net
-Assigned To: +Assigned To: ab
 [2015-06-19 04:59 UTC] ab@php.net
-Status: Assigned +Status: Feedback
 [2015-06-19 04:59 UTC] ab@php.net
Jan,

I was able to issue a partial fix, the crash should be gone now. Please check any snapshot starting with http://windows.php.net/downloads/snaps/master/rbb4454b/ . I think the case with reassigning in the loop should become a separate ticket. But please check first.

Thanks
 [2015-06-19 06:24 UTC] jan dot slabon at setasign dot com
-Status: Feedback +Status: Assigned
 [2015-06-19 06:24 UTC] jan dot slabon at setasign dot com
Hi Anatol,

Thanks! But the test case I sent you still ends in a segmentation fault.

Cheers,
Jan
 [2015-06-19 09:24 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d079a1c9ea16ff2c5f40f82bd558355f78f103cf
Log: better approach to fix bug #69846
 [2015-06-19 09:24 UTC] ab@php.net
-Status: Assigned +Status: Closed
 [2015-06-19 09:57 UTC] ab@php.net
-Status: Closed +Status: Feedback
 [2015-06-19 09:57 UTC] ab@php.net
Oops, it wasn't supposed to close the ticket.

Jan, could you please check yet again? http://windows.php.net/downloads/snaps/master/rd079a1c/ . It's still building and we are still missing x64, but x86 should be sufficient, too. I can also produce a handmade snapshot if you wish.

Thanks.
 [2015-06-19 10:36 UTC] jan dot slabon at setasign dot com
-Status: Feedback +Status: Assigned
 [2015-06-19 10:36 UTC] jan dot slabon at setasign dot com
Looks good with http://windows.php.net/downloads/snaps/master/rd079a1c/php-master-nts-windows-vc14-x86-rd079a1c.zip now!

Also this one seems to be fixed: http://3v4l.org/MNakn

Anyhow, I am encountering several other failed unit tests now (nearly all related to DOM). I am going to investigate further to see what the problem is now. The one I sent you goes through now...

Thanks Anatol!
 [2015-06-19 10:49 UTC] ab@php.net
-Status: Assigned +Status: Closed
 [2015-06-19 10:49 UTC] ab@php.net
Thanks for the quick feedback.

Yep, the correct output in that snippet is "1112", so three iterations. That means this ticket is through, with both the crash and the reassignment in foreach; the behavior should be the same as in PHP 5.

Cheers.
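Added regression check for the pattern discussed in this ticket (reassigning the foreach variable while iterating a DOMNodeList and importing each node into a second document). This is an example written here, not code from the report, from the 3v4l snippet or from php-src; it assumes ext/dom is loaded, and the XML input is constructed inline. The expected outcome is the one stated in the comment above: the loop runs once per node (three iterations for three nodes), as in PHP 5.

```php
<?php
// Added example, not part of the bug report or of php-src.
// Assumes ext/dom is available. Input XML is constructed here.
declare(strict_types=1);

function importWithReassignment(string $xml): array
{
    $source = new DOMDocument();
    $source->loadXML($xml);

    $target = new DOMDocument();
    $target->appendChild($target->createElement('dataset'));

    $dataNodes  = $source->getElementsByTagName('item'); // live DOMNodeList
    $expected   = $dataNodes->length;
    $iterations = 0;

    // Same shape as the reporter's loop: $node is overwritten with the
    // imported copy, so the iterator must keep its own reference to the
    // current source node (this is what crashed in 7.0.0alpha1).
    foreach ($dataNodes as $node) {
        $node = $target->importNode($node, true);
        $target->documentElement->appendChild($node);
        $iterations++;
        if ($iterations > $expected) {
            // Guard (assumed here): an iterator that never advances would
            // otherwise loop forever instead of failing the check.
            throw new RuntimeException('foreach over DOMNodeList did not terminate');
        }
    }

    return [
        'iterations' => $iterations,
        'imported'   => $target->getElementsByTagName('item')->length,
        'source'     => $source->getElementsByTagName('item')->length,
    ];
}

// Constructed input: three nodes, so the correct result is three iterations,
// three imported nodes, and an unchanged source document.
$xml    = '<root><item id="1"/><item id="2"/><item id="3"/></root>';
$result = importWithReassignment($xml);

if ($result !== ['iterations' => 3, 'imported' => 3, 'source' => 3]) {
    fwrite(STDERR, 'unexpected result: ' . json_encode($result) . PHP_EOL);
    exit(1);
}
echo 'ok: ', json_encode($result), PHP_EOL;
```

Run it with the affected 7.0.0alpha1 build and with a fixed snapshot: an access violation, or an exit status of 1 because the iteration count differs from the node count, reproduces the two behaviours this ticket covers; `ok: {"iterations":3,"imported":3,"source":3}` is the PHP 5 behaviour the fix restores.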
 [2015-06-23 18:04 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d079a1c9ea16ff2c5f40f82bd558355f78f103cf
Log: better approach to fix bug #69846
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d079a1c9ea16ff2c5f40f82bd558355f78f103cf
Log: better approach to fix bug #69846
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC