Bug #53569 [Fbk->Opn]: Intermittent Seg Fault during DOMDocument clean up

chris dot richard at gmail dot com Mon, 20 Dec 2010 08:31:19 -0800

Edit report at http://bugs.php.net/bug.php?id=53569&edit=1


 ID:                 53569
 User updated by:    chris dot richard at gmail dot com
 Reported by:        chris dot richard at gmail dot com
 Summary:            Intermittent Seg Fault during DOMDocument clean up
-Status:             Feedback
+Status:             Open
 Type:               Bug
 Package:            DOM XML related
 Operating System:   Linux (Ubuntu 10)
 PHP Version:        5.3.2
 Block user comment: N
 Private report:     N

 New Comment:

This script reproduces the issue fairly consistently on my machine:



<?

        $doc = new DOMDocument();

        $doc->loadXML(

                "<?xml version='1.0'?>".

                '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" 

"http://www.w3.org/TR/html4/strict.dtd"; [

                        <!ENTITY nbsp  "&#160;">

                        <!ENTITY copy  "&#169;">

                        <!ENTITY ndash "&#8211;">

                        <!ENTITY mdash "&#8212;">

                ]>'.

                "<html/>");



        $fragment = $doc->createDocumentFragment();

        $fragment->appendXML("<head></head><body><insert/></body>");

        

        $doc->documentElement->appendChild($fragment);

        

        ob_start();

?>

        

<ul>

<li>lorem ipsum dolor sit amet lorem ipsum dolor sit amet lorem ipsum
dolor sit 

amet</li>

<li>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</li>

<li>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</li>

<li>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</li>

</ul>

<h2>lorem ipsum dolor sit amet lorem ipsum dolor sit amet   

<hr />

</h2>

<p>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</p>

<p>When the mortgage rate is 'fixed' it means that the rate (%) is set
for the 

duration of the term, whereas with a variable mortgage rate, the rate
fluctuates 

with the market interest rate, known as the 'prime rate'.  So, for
example, if 

the 5 year fixed mortgage rate is 4%, then you will pay 4% interest
throughout 

the term of the mortgage.</p>

<p>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</p>



<h2>Popularity of the 5-year fixed rate       

<hr />

</h2>

<h3 class="table-title">Mortgages by length of term and age group</h3>

<table cellspacing="0">

<thead> 

<tr class="group-header">

<th>&nbsp;</th> <th colspan="4">Age group</th>

</tr>

<tr class="column-headers">

<th>&nbsp;</th> <th>18-34</th> <th>35-54</th> <th>55+</th> <th
class="total">All 

ages</th>

</tr>

</thead> 

<tbody>

<tr class="alternate">

<th>1 year term</th>

<td>5%</td>

<td>7%</td>

<td>6%</td>

<td class="total">6%</td>

</tr>

<tr>

<th>2-4 year term</th>

<td>27%</td>

<td>18%</td>

<td>12%</td>

<td class="total">20%</td>

</tr>

<tr class="highlight">

<th>5 year term</th>

<td>66%</td>

<td>65%</td>

<td>69%</td>

<td class="total">66%</td>

</tr>

<tr>

<th>6-10 year term</th>

<td>3%</td>

<td>9%</td>

<td>10%</td>

<td class="total">7%</td>

</tr>

<tr class="alternate">

<th>&gt;10 year term</th>

<td>0</td>

<td>0</td>

<td>2%</td>

<td class="total">1%</td>

</tr>

</tbody>

</table>



<?

        $output = ob_get_clean();

        $fragment = $doc->createDocumentFragment();

        $fragment->appendXML($output);



        $xpath = new DOMXpath($doc);

        $insert = $xpath->query(".//insert")->item(0);

        $insert->parentNode->replaceChild($fragment, $insert);



        echo $doc->saveHTML();          

?>


Previous Comments:
------------------------------------------------------------------------
[2010-12-18 16:57:51] cataphr...@php.net

Can you provide a small script that reproduces this issue?



It's complicated to find the error from backtraces that happen in the
destruction phase; by this time the harm has long been done.



Also please use the latest version of PHP.



Thank you.

------------------------------------------------------------------------
[2010-12-18 06:16:59] chris dot richard at gmail dot com

PHP 5.3.2

libxml 2.7.6

------------------------------------------------------------------------
[2010-12-18 06:11:31] chris dot richard at gmail dot com

Description:
------------
libxml causes a seg fault *intermittently* after all PHP user code has
finished 

running.



I'm using DOMFragment to parse chunks of XHTML and append them to a
DOMDocument 

which gets output (via saveHTML) once it's completely assembled. The
output 

completes successfully but at least half the time I get seg fault
related to the 

clean up of the DOMDocument and no response is sent to the client.



Core Dump:



#0  0x00007fb2f77c6e6f in xmlDictOwns () from /usr/lib/libxml2.so.2

#1  0x00007fb2f77276a7 in xmlFreeNodeList () from /usr/lib/libxml2.so.2

#2  0x00007fb2f76ff85f in ?? () from /usr/lib/libxml2.so.2

#3  0x00007fb2f772f256 in xmlHashFree () from /usr/lib/libxml2.so.2

#4  0x00007fb2f7727335 in xmlFreeDtd () from /usr/lib/libxml2.so.2

#5  0x00007fb2f772746a in xmlFreeDoc () from /usr/lib/libxml2.so.2

#6  0x00007fb2f8409d5b in php_libxml_decrement_doc_ref ()

   from /usr/lib/apache2/modules/libphp5.so

#7  0x00007fb2f842e8cf in ?? () from
/usr/lib/apache2/modules/libphp5.so

#8  0x00007fb2f8661adc in zend_objects_store_del_ref_by_handle_ex ()

   from /usr/lib/apache2/modules/libphp5.so

#9  0x00007fb2f8661b03 in zend_objects_store_del_ref ()

   from /usr/lib/apache2/modules/libphp5.so

#10 0x00007fb2f86301cd in _zval_ptr_dtor () from 

/usr/lib/apache2/modules/libphp5.so

#11 0x00007fb2f8649198 in zend_hash_destroy () from 

/usr/lib/apache2/modules/libphp5.so

#12 0x00007fb2f863c19f in _zval_dtor_func () from 

/usr/lib/apache2/modules/libphp5.so

#13 0x00007fb2f86301cd in _zval_ptr_dtor () from 

/usr/lib/apache2/modules/libphp5.so

#14 0x00007fb2f8649198 in zend_hash_destroy () from 

/usr/lib/apache2/modules/libphp5.so

#15 0x00007fb2f865e0d9 in zend_object_std_dtor () from 

/usr/lib/apache2/modules/libphp5.so

#16 0x00007fb2f865e0f9 in zend_objects_free_object_storage ()

   from /usr/lib/apache2/modules/libphp5.so

#17 0x00007fb2f8661adc in zend_objects_store_del_ref_by_handle_ex ()

   from /usr/lib/apache2/modules/libphp5.so

#18 0x00007fb2f8661b03 in zend_objects_store_del_ref ()

   from /usr/lib/apache2/modules/libphp5.so

#19 0x00007fb2f86301cd in _zval_ptr_dtor () from 

/usr/lib/apache2/modules/libphp5.so

#20 0x00007fb2f8649198 in zend_hash_destroy () from 

/usr/lib/apache2/modules/libphp5.so

#21 0x00007fb2f863c19f in _zval_dtor_func () from 

/usr/lib/apache2/modules/libphp5.so

#22 0x00007fb2f86301cd in _zval_ptr_dtor () from 

/usr/lib/apache2/modules/libphp5.so

#23 0x00007fb2f8649198 in zend_hash_destroy () from 

/usr/lib/apache2/modules/libphp5.so

#24 0x00007fb2f865e0d9 in zend_object_std_dtor () from 

/usr/lib/apache2/modules/libphp5.so

#25 0x00007fb2f865e0f9 in zend_objects_free_object_storage ()

   from /usr/lib/apache2/modules/libphp5.so

#26 0x00007fb2f86615ec in zend_objects_store_free_object_storage ()

   from /usr/lib/apache2/modules/libphp5.so

#27 0x00007fb2f86305c5 in ?? () from
/usr/lib/apache2/modules/libphp5.so

#28 0x00007fb2f863cee2 in ?? () from
/usr/lib/apache2/modules/libphp5.so

#29 0x00007fb2f85e8b75 in php_request_shutdown () from 

/usr/lib/apache2/modules/libphp5.so





------------------------------------------------------------------------



-- 
Edit this bug report at http://bugs.php.net/bug.php?id=53569&edit=1

Bug #53569 [Fbk->Opn]: Intermittent Seg Fault during DOMDocument clean up

Reply via email to