ID:               49634
 Comment by:       aldo at armiento dot com
 Reported By:      aldo at armiento dot com
 Status:           Feedback
 Bug Type:         XSLT related
 Operating System: Linux Debian, Mac OSX
 PHP Version:      5.3.0
 New Comment:

Reproducible in Debian 5.0.

Linux deb32bit 2.6.26-2-686 #1 SMP Wed Aug 19 06:06:52 UTC 2009 i686 GNU/Linux

libxml2: 2.6.32.dfsg-5+lenny1
libxslt1.1: 1.1.24-2
PHP: php5.3-200909230630

--

deb32bit:~# php test_segfault.php 
Exception!
Exception!
Exception!
*** glibc detected *** php: free(): invalid pointer: 0x0a270088 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7c89624]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb7c8b826]
/usr/lib/libxml2.so.2(xmlFreeNode+0x127)[0xb7dbf657]
php[0x8095b57]
php(php_libxml_node_decrement_resource+0x68)[0x8095eb8]
php[0x81180c4]
php(zend_objects_store_del_ref_by_handle_ex+0x234)[0x82f8284]
php(zend_objects_store_del_ref+0x1f)[0x82f82af]
php(_zval_ptr_dtor+0x3d)[0x82cc07d]
php(zend_hash_destroy+0x3e)[0x82e2b9e]
php(_zval_dtor_func+0x75)[0x82d6f75]
php(_zval_ptr_dtor+0x3d)[0x82cc07d]
php(zend_hash_destroy+0x3e)[0x82e2b9e]
php(_zval_dtor_func+0x75)[0x82d6f75]
php(_zval_ptr_dtor+0x3d)[0x82cc07d]
php(zend_hash_destroy+0x3e)[0x82e2b9e]
php(_zval_dtor_func+0x75)[0x82d6f75]
php(_zval_ptr_dtor+0x3d)[0x82cc07d]
php(zend_hash_destroy+0x3e)[0x82e2b9e]
php(_zval_dtor_func+0x75)[0x82d6f75]
php(_zval_ptr_dtor+0x3d)[0x82cc07d]
php(zend_hash_destroy+0x3e)[0x82e2b9e]
php(zend_object_std_dtor+0x33)[0x82f4b13]
php(zend_objects_free_object_storage+0x12)[0x82f4b42]
php(zend_objects_store_del_ref_by_handle_ex+0x234)[0x82f8284]
php(zend_objects_store_del_ref+0x1f)[0x82f82af]
php(_zval_ptr_dtor+0x3d)[0x82cc07d]
php(_zend_hash_quick_add_or_update+0xbc)[0x82e35bc]
php[0x82fb5b1]
php(execute+0x18e)[0x82ffd4e]
php(zend_execute_scripts+0x46)[0x82d7146]
php(php_execute_script+0x137)[0x8286fb7]
php[0x83583dc]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7c31455]
php(xmlTextReaderConstName+0x181)[0x8062b81]
Aborted
deb32bit:~#


Previous Comments:
------------------------------------------------------------------------

[2009-09-23 07:56:25] aldo at armiento dot com

Latest snapshot (php5.3-200909230630):

(gdb) r
Starting program: /home/armiento/env/spider/bin/php test_segfault.php
[Thread debugging using libthread_db enabled]
[New Thread 139866082309840 (LWP 1958)]
Exception!
Exception!
*** glibc detected *** free(): invalid pointer: 0x00000000019a65e0 ***

Program received signal SIGABRT, Aborted.
[Switching to Thread 139866082309840 (LWP 1958)]
0x00007f351ac7607b in raise () from /lib/libc.so.6
(gdb) bt
#0  0x00007f351ac7607b in raise () from /lib/libc.so.6
#1  0x00007f351ac7784e in abort () from /lib/libc.so.6
#2  0x00007f351acac5f9 in __fsetlocking () from /lib/libc.so.6
#3  0x00007f351acb3163 in mallopt () from /lib/libc.so.6
#4  0x00007f351acb31ee in free () from /lib/libc.so.6
#5  0x000000000044f3bb in php_libxml_node_decrement_resource
(object=0x7f351c24b730)
    at /home/armiento/src/php5.3-200909230630/ext/libxml/libxml.c:1058
#6  0x00000000004cc3a5 in dom_objects_free_storage
(object=0x7f351c24b730)
    at /home/armiento/src/php5.3-200909230630/ext/dom/php_dom.c:1017
#7  0x00000000006c0d56 in zend_objects_store_del_ref_by_handle_ex
(handle=3, handlers=<value optimized out>)
    at
/home/armiento/src/php5.3-200909230630/Zend/zend_objects_API.c:220
#8  0x00000000006c0d92 in zend_objects_store_del_ref
(zobject=0x7f351c249510)
    at
/home/armiento/src/php5.3-200909230630/Zend/zend_objects_API.c:172
#9  0x0000000000694795 in _zval_ptr_dtor (zval_ptr=0x7f351c24be60)
    at /home/armiento/src/php5.3-200909230630/Zend/zend_variables.h:35
#10 0x00000000006ac7e8 in zend_hash_destroy (ht=0x7f351c24bda0) at
/home/armiento/src/php5.3-200909230630/Zend/zend_hash.c:526
#11 0x00000000006a08a6 in _zval_dtor_func (zvalue=0x7f351c24bd70)
    at /home/armiento/src/php5.3-200909230630/Zend/zend_variables.c:43
#12 0x0000000000694795 in _zval_ptr_dtor (zval_ptr=0x7f351c24beb8)
    at /home/armiento/src/php5.3-200909230630/Zend/zend_variables.h:35
#13 0x00000000006ac7e8 in zend_hash_destroy (ht=0x7f351c24bcc8) at
/home/armiento/src/php5.3-200909230630/Zend/zend_hash.c:526
#14 0x00000000006a08a6 in _zval_dtor_func (zvalue=0x7f351c24bc98)
    at /home/armiento/src/php5.3-200909230630/Zend/zend_variables.c:43
#15 0x0000000000694795 in _zval_ptr_dtor (zval_ptr=0x7f351c24bf10)
    at /home/armiento/src/php5.3-200909230630/Zend/zend_variables.h:35
#16 0x00000000006ac7e8 in zend_hash_destroy (ht=0x7f351c24bbc0) at
/home/armiento/src/php5.3-200909230630/Zend/zend_hash.c:526
#17 0x00000000006a08a6 in _zval_dtor_func (zvalue=0x7f351c24bb90)
    at /home/armiento/src/php5.3-200909230630/Zend/zend_variables.c:43
#18 0x0000000000694795 in _zval_ptr_dtor (zval_ptr=0x7f351c24bf70)
    at /home/armiento/src/php5.3-200909230630/Zend/zend_variables.h:35
#19 0x00000000006ac7e8 in zend_hash_destroy (ht=0x7f351c24bae8) at
/home/armiento/src/php5.3-200909230630/Zend/zend_hash.c:526
#20 0x00000000006a08a6 in _zval_dtor_func (zvalue=0x7f351c24b110)
    at /home/armiento/src/php5.3-200909230630/Zend/zend_variables.c:43
#21 0x0000000000694795 in _zval_ptr_dtor (zval_ptr=0x7f351c24ba28)
    at /home/armiento/src/php5.3-200909230630/Zend/zend_variables.h:35
#22 0x00000000006ac7e8 in zend_hash_destroy (ht=0x7f351c24b950) at
/home/armiento/src/php5.3-200909230630/Zend/zend_hash.c:526
#23 0x00000000006bd6b9 in zend_object_std_dtor (object=0x7f351c24b7a0)
    at /home/armiento/src/php5.3-200909230630/Zend/zend_objects.c:45
#24 0x00000000006bd6d9 in zend_objects_free_object_storage
(object=0x7a6)
    at /home/armiento/src/php5.3-200909230630/Zend/zend_objects.c:114
#25 0x00000000006c0d56 in zend_objects_store_del_ref_by_handle_ex
(handle=7, handlers=<value optimized out>)
    at
/home/armiento/src/php5.3-200909230630/Zend/zend_objects_API.c:220
#26 0x00000000006c0d92 in zend_objects_store_del_ref
(zobject=0x7f351c24c6a0)
    at
/home/armiento/src/php5.3-200909230630/Zend/zend_objects_API.c:172
#27 0x0000000000694795 in _zval_ptr_dtor (zval_ptr=0x7f351c24b1d8)
    at /home/armiento/src/php5.3-200909230630/Zend/zend_variables.h:35
#28 0x00000000006ae457 in _zend_hash_quick_add_or_update (ht=0xcfc5e8,
arKey=0x7f351c249380 "e", nKeyLength=2, h=5863242, 
    pData=0xcfc830, nDataSize=8, pDest=0x7f351a062118, flag=1) at
/home/armiento/src/php5.3-200909230630/Zend/zend_hash.c:299
#29 0x00000000006c1f2e in ZEND_CATCH_SPEC_CV_HANDLER
(execute_data=0x7f351a062050)
    at
/home/armiento/src/php5.3-200909230630/Zend/zend_vm_execute.h:1234
#30 0x00000000006c2bd1 in execute (op_array=0x7f351c246578) at
/home/armiento/src/php5.3-200909230630/Zend/zend_vm_execute.h:104
#31 0x00000000006a0b1d in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
    at /home/armiento/src/php5.3-200909230630/Zend/zend.c:1188
#32 0x00000000006515f5 in php_execute_script
(primary_file=0x7fff24282950)
    at /home/armiento/src/php5.3-200909230630/main/main.c:2214
#33 0x00000000007248f6 in main (argc=2, argv=0x7fff24282bb8) at
/home/armiento/src/php5.3-200909230630/sapi/cli/php_cli.c:1190
(gdb)

------------------------------------------------------------------------

[2009-09-23 06:25:39] j...@php.net

Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/



------------------------------------------------------------------------

[2009-09-23 00:54:42] fel...@php.net

I can't reproduce it on Debian 32bit.
libxslt 1.1.24-2 ; libxml2  2.6.32

------------------------------------------------------------------------

[2009-09-22 22:41:49] aldo at armiento dot com

Description:
------------
Segfault when throwing an exception in an XSL registered function when
trying to access a node from an external document.

libxml2: 2.7.4
libxslt: 1.1.25

Reproduce code:
---------------
External document doc.xml:

<root/>

Script:

<?php

$sXml = <<<XML
<?xml version="1.0" encoding="UTF-8" ?>
<root>
        test
</root>
XML;

$sXsl = <<<XSL
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:ext="http://php.net/xsl"
                xsl:extension-element-prefixes="ext"
                exclude-result-prefixes="ext">
        <xsl:output encoding="UTF-8" indent="yes" method="xml" />
        <xsl:template match="/">
                <xsl:value-of select="ext:function('testFunction', document('doc.xml')/root)"/>
        </xsl:template>
</xsl:stylesheet>
XSL;

function testFunction($a)
{
        throw new Exception('Test exception.');
}

$domXml = DOMDocument::loadXML($sXml);
$domXsl = DOMDocument::loadXML($sXsl);

for ($i = 0; $i < 10; $i++)
{
        $xsltProcessor = new XSLTProcessor();
        $xsltProcessor->registerPHPFunctions(array('testFunction'));
        $xsltProcessor->importStyleSheet($domXsl);
        try {
                @$xsltProcessor->transformToDoc($domXml);
        } catch (Exception $e) {
                echo "Exception!\n";
        }
}

Expected result:
----------------
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!
Exception!

Actual result:
--------------
(gdb) r
Starting program: /home/armiento/env/spider/bin/php test_segfault.php
[Thread debugging using libthread_db enabled]
[New Thread 140442269927120 (LWP 3340)]
Exception!
Exception!
*** glibc detected *** free(): invalid pointer: 0x000000000137d0d0 ***

Program received signal SIGABRT, Aborted.
[Switching to Thread 140442269927120 (LWP 3340)]
0x00007fbb423cb07b in raise () from /lib/libc.so.6
(gdb) bt
#0  0x00007fbb423cb07b in raise () from /lib/libc.so.6
#1  0x00007fbb423cc84e in abort () from /lib/libc.so.6
#2  0x00007fbb424015f9 in __fsetlocking () from /lib/libc.so.6
#3  0x00007fbb42408163 in mallopt () from /lib/libc.so.6
#4  0x00007fbb424081ee in free () from /lib/libc.so.6
#5  0x000000000044f3ab in php_libxml_node_decrement_resource 
(object=0x7fbb439a0710)
    at /home/armiento/src/php-5.3.0/ext/libxml/libxml.c:1058
#6  0x00000000004caed5 in dom_objects_free_storage 
(object=0x7fbb439a0710)
    at /home/armiento/src/php-5.3.0/ext/dom/php_dom.c:1017
#7  0x00000000006bf026 in zend_objects_store_del_ref_by_handle_ex 
(handle=3, handlers=<value optimized out>)
    at /home/armiento/src/php-5.3.0/Zend/zend_objects_API.c:220
#8  0x00000000006bf062 in zend_objects_store_del_ref 
(zobject=0x7fbb4399e4f0)
    at /home/armiento/src/php-5.3.0/Zend/zend_objects_API.c:172
#9  0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0e40) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#10 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0d80) at 
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#11 0x000000000069ec36 in _zval_dtor_func (zvalue=0x7fbb439a0d50) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.c:43
#12 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0e98) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#13 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0ca8) at 
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#14 0x000000000069ec36 in _zval_dtor_func (zvalue=0x7fbb439a0c78) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.c:43
#15 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0ef0) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#16 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0ba0) at 
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#17 0x000000000069ec36 in _zval_dtor_func (zvalue=0x7fbb439a0b70) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.c:43
#18 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0f50) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#19 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0ac8) at 
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#20 0x000000000069ec36 in _zval_dtor_func (zvalue=0x7fbb439a00f0) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.c:43
#21 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a0a08) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#22 0x00000000006aab88 in zend_hash_destroy (ht=0x7fbb439a0930) at 
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:526
#23 0x00000000006bb989 in zend_object_std_dtor (object=0x7fbb439a0780)
    at /home/armiento/src/php-5.3.0/Zend/zend_objects.c:45
#24 0x00000000006bb9a9 in zend_objects_free_object_storage 
(object=0xd0c) at /home/armiento/src/php-5.3.0/Zend/zend_objects.c:114
#25 0x00000000006bf026 in zend_objects_store_del_ref_by_handle_ex 
(handle=7, handlers=<value optimized out>)
    at /home/armiento/src/php-5.3.0/Zend/zend_objects_API.c:220
#26 0x00000000006bf062 in zend_objects_store_del_ref 
(zobject=0x7fbb439a1680)
    at /home/armiento/src/php-5.3.0/Zend/zend_objects_API.c:172
#27 0x0000000000692cc5 in _zval_ptr_dtor (zval_ptr=0x7fbb439a01b8) at 
/home/armiento/src/php-5.3.0/Zend/zend_variables.h:35
#28 0x00000000006ac7f7 in _zend_hash_quick_add_or_update (ht=0xcfa568,
arKey=0x7fbb4399e360 "e", nKeyLength=2, h=5863242, 
    pData=0xcfa7b0, nDataSize=8, pDest=0x7fbb417b7118, flag=1) at 
/home/armiento/src/php-5.3.0/Zend/zend_hash.c:299
#29 0x00000000006bfc8e in ZEND_CATCH_SPEC_CV_HANDLER 
(execute_data=0x7fbb417b7050)
    at /home/armiento/src/php-5.3.0/Zend/zend_vm_execute.h:1234
#30 0x00000000006c0691 in execute (op_array=0x7fbb4399b558) at 
/home/armiento/src/php-5.3.0/Zend/zend_vm_execute.h:104
#31 0x000000000069eead in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at /home/armiento/src/php-5.3.0/Zend/zend.c:1188
#32 0x000000000064fbc5 in php_execute_script 
(primary_file=0x7fff4b9da0b0)
    at /home/armiento/src/php-5.3.0/main/main.c:2196
#33 0x0000000000722836 in main (argc=2, argv=0x7fff4b9da318) at 
/home/armiento/src/php-5.3.0/sapi/cli/php_cli.c:1188
(gdb) 


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=49634&edit=1