Bug #53569 [Opn->Bgs]: Intermittent Seg Fault during DOMDocument clean up

rrichards Thu, 17 Feb 2011 11:58:43 -0800

Edit report at http://bugs.php.net/bug.php?id=53569&edit=1


 ID:                 53569
 Updated by:         rricha...@php.net
 Reported by:        chris dot richard at gmail dot com
 Summary:            Intermittent Seg Fault during DOMDocument clean up
-Status:             Open
+Status:             Bogus
 Type:               Bug
 Package:            DOM XML related
 Operating System:   Linux (Ubuntu 10)
 PHP Version:        5.3.2
 Block user comment: N
 Private report:     N

 New Comment:

This is a bug in libxml2 which will be fixed in its 2.7.9 release.
Unfortunately 

there is no simple workaround that can be done in the DOM extension for
this 

without adding significant overhead just for this specific case.


Previous Comments:
------------------------------------------------------------------------
[2010-12-20 17:30:24] chris dot richard at gmail dot com

This script reproduces the issue fairly consistently on my machine:



<?

        $doc = new DOMDocument();

        $doc->loadXML(

                "<?xml version='1.0'?>".

                '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" 

"http://www.w3.org/TR/html4/strict.dtd"; [

                        <!ENTITY nbsp  "&#160;">

                        <!ENTITY copy  "&#169;">

                        <!ENTITY ndash "&#8211;">

                        <!ENTITY mdash "&#8212;">

                ]>'.

                "<html/>");



        $fragment = $doc->createDocumentFragment();

        $fragment->appendXML("<head></head><body><insert/></body>");

        

        $doc->documentElement->appendChild($fragment);

        

        ob_start();

?>

        

<ul>

<li>lorem ipsum dolor sit amet lorem ipsum dolor sit amet lorem ipsum
dolor sit 

amet</li>

<li>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</li>

<li>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</li>

<li>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</li>

</ul>

<h2>lorem ipsum dolor sit amet lorem ipsum dolor sit amet   

<hr />

</h2>

<p>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</p>

<p>When the mortgage rate is 'fixed' it means that the rate (%) is set
for the 

duration of the term, whereas with a variable mortgage rate, the rate
fluctuates 

with the market interest rate, known as the 'prime rate'.  So, for
example, if 

the 5 year fixed mortgage rate is 4%, then you will pay 4% interest
throughout 

the term of the mortgage.</p>

<p>lorem ipsum dolor sit amet lorem ipsum dolor sit amet</p>



<h2>Popularity of the 5-year fixed rate       

<hr />

</h2>

<h3 class="table-title">Mortgages by length of term and age group</h3>

<table cellspacing="0">

<thead> 

<tr class="group-header">

<th>&nbsp;</th> <th colspan="4">Age group</th>

</tr>

<tr class="column-headers">

<th>&nbsp;</th> <th>18-34</th> <th>35-54</th> <th>55+</th> <th
class="total">All 

ages</th>

</tr>

</thead> 

<tbody>

<tr class="alternate">

<th>1 year term</th>

<td>5%</td>

<td>7%</td>

<td>6%</td>

<td class="total">6%</td>

</tr>

<tr>

<th>2-4 year term</th>

<td>27%</td>

<td>18%</td>

<td>12%</td>

<td class="total">20%</td>

</tr>

<tr class="highlight">

<th>5 year term</th>

<td>66%</td>

<td>65%</td>

<td>69%</td>

<td class="total">66%</td>

</tr>

<tr>

<th>6-10 year term</th>

<td>3%</td>

<td>9%</td>

<td>10%</td>

<td class="total">7%</td>

</tr>

<tr class="alternate">

<th>&gt;10 year term</th>

<td>0</td>

<td>0</td>

<td>2%</td>

<td class="total">1%</td>

</tr>

</tbody>

</table>



<?

        $output = ob_get_clean();

        $fragment = $doc->createDocumentFragment();

        $fragment->appendXML($output);



        $xpath = new DOMXpath($doc);

        $insert = $xpath->query(".//insert")->item(0);

        $insert->parentNode->replaceChild($fragment, $insert);



        echo $doc->saveHTML();          

?>

------------------------------------------------------------------------
[2010-12-18 16:57:51] cataphr...@php.net

Can you provide a small script that reproduces this issue?



It's complicated to find the error from backtraces that happen in the
destruction phase; by this time the harm has long been done.



Also please use the latest version of PHP.



Thank you.

------------------------------------------------------------------------
[2010-12-18 06:16:59] chris dot richard at gmail dot com

PHP 5.3.2

libxml 2.7.6

------------------------------------------------------------------------
[2010-12-18 06:11:31] chris dot richard at gmail dot com

Description:
------------
libxml causes a seg fault *intermittently* after all PHP user code has
finished 

running.



I'm using DOMFragment to parse chunks of XHTML and append them to a
DOMDocument 

which gets output (via saveHTML) once it's completely assembled. The
output 

completes successfully but at least half the time I get seg fault
related to the 

clean up of the DOMDocument and no response is sent to the client.



Core Dump:



#0  0x00007fb2f77c6e6f in xmlDictOwns () from /usr/lib/libxml2.so.2

#1  0x00007fb2f77276a7 in xmlFreeNodeList () from /usr/lib/libxml2.so.2

#2  0x00007fb2f76ff85f in ?? () from /usr/lib/libxml2.so.2

#3  0x00007fb2f772f256 in xmlHashFree () from /usr/lib/libxml2.so.2

#4  0x00007fb2f7727335 in xmlFreeDtd () from /usr/lib/libxml2.so.2

#5  0x00007fb2f772746a in xmlFreeDoc () from /usr/lib/libxml2.so.2

#6  0x00007fb2f8409d5b in php_libxml_decrement_doc_ref ()

   from /usr/lib/apache2/modules/libphp5.so

#7  0x00007fb2f842e8cf in ?? () from
/usr/lib/apache2/modules/libphp5.so

#8  0x00007fb2f8661adc in zend_objects_store_del_ref_by_handle_ex ()

   from /usr/lib/apache2/modules/libphp5.so

#9  0x00007fb2f8661b03 in zend_objects_store_del_ref ()

   from /usr/lib/apache2/modules/libphp5.so

#10 0x00007fb2f86301cd in _zval_ptr_dtor () from 

/usr/lib/apache2/modules/libphp5.so

#11 0x00007fb2f8649198 in zend_hash_destroy () from 

/usr/lib/apache2/modules/libphp5.so

#12 0x00007fb2f863c19f in _zval_dtor_func () from 

/usr/lib/apache2/modules/libphp5.so

#13 0x00007fb2f86301cd in _zval_ptr_dtor () from 

/usr/lib/apache2/modules/libphp5.so

#14 0x00007fb2f8649198 in zend_hash_destroy () from 

/usr/lib/apache2/modules/libphp5.so

#15 0x00007fb2f865e0d9 in zend_object_std_dtor () from 

/usr/lib/apache2/modules/libphp5.so

#16 0x00007fb2f865e0f9 in zend_objects_free_object_storage ()

   from /usr/lib/apache2/modules/libphp5.so

#17 0x00007fb2f8661adc in zend_objects_store_del_ref_by_handle_ex ()

   from /usr/lib/apache2/modules/libphp5.so

#18 0x00007fb2f8661b03 in zend_objects_store_del_ref ()

   from /usr/lib/apache2/modules/libphp5.so

#19 0x00007fb2f86301cd in _zval_ptr_dtor () from 

/usr/lib/apache2/modules/libphp5.so

#20 0x00007fb2f8649198 in zend_hash_destroy () from 

/usr/lib/apache2/modules/libphp5.so

#21 0x00007fb2f863c19f in _zval_dtor_func () from 

/usr/lib/apache2/modules/libphp5.so

#22 0x00007fb2f86301cd in _zval_ptr_dtor () from 

/usr/lib/apache2/modules/libphp5.so

#23 0x00007fb2f8649198 in zend_hash_destroy () from 

/usr/lib/apache2/modules/libphp5.so

#24 0x00007fb2f865e0d9 in zend_object_std_dtor () from 

/usr/lib/apache2/modules/libphp5.so

#25 0x00007fb2f865e0f9 in zend_objects_free_object_storage ()

   from /usr/lib/apache2/modules/libphp5.so

#26 0x00007fb2f86615ec in zend_objects_store_free_object_storage ()

   from /usr/lib/apache2/modules/libphp5.so

#27 0x00007fb2f86305c5 in ?? () from
/usr/lib/apache2/modules/libphp5.so

#28 0x00007fb2f863cee2 in ?? () from
/usr/lib/apache2/modules/libphp5.so

#29 0x00007fb2f85e8b75 in php_request_shutdown () from 

/usr/lib/apache2/modules/libphp5.so





------------------------------------------------------------------------



-- 
Edit this bug report at http://bugs.php.net/bug.php?id=53569&edit=1

Bug #53569 [Opn->Bgs]: Intermittent Seg Fault during DOMDocument clean up

Reply via email to