|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81506 malloc(): unaligned tcache chunk detected
Submitted: 2021-10-05 13:45 UTC Modified: 2023-06-04 12:12 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: Assigned: nielsdos (profile)
Status: Closed Package: DOM XML related
PHP Version: 8.1.0RC3 OS: archLinux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
New email:
PHP Version: OS:


 [2021-10-05 13:45 UTC]
Found this while going through bughunt, see

it seems different from these two known issues #79451 and #80602

Test script:

$dom = null;
$dt = null;
$impl = null;

function doThing() {
$my_arr = [];

global $dom,$dt,$impl;

for($x = 0; $x < 7; $x++) {
$dom = new \DOMDocument();
$dom->loadHTML("<!DOCTYPE html><p>hello</p>");
$impl = new \DOMImplementation();
$dt = $impl->createDocumentType("html", "", "");

array_push($my_arr, $dt, $dom, $impl);

$dom = new \DOMDocument();
$dom->loadHTML("<!DOCTYPE html><p>hello</p>");
$impl = new \DOMImplementation();
$dt = $impl->createDocumentType("html", "", "");

$dom->replaceChild($dt, $dom->doctype); // FREE THE FIRST TIME!

doThing(); // fill up tcache; coimment this out for tcache double free malding
gc_collect_cycles(); // FREE AGAIN

Expected result:
no segmentation fault

Actual result:
malloc(): unaligned tcache chunk detected

Process exited with code 134.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2023-06-04 12:12 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: nielsdos
 [2023-06-04 12:12 UTC]
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at

This was fixed in 8.0.24, 8.1.11 and 8.2.0, but the issue wasn't yet closed.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Mon Oct 02 12:01:25 2023 UTC