From: ymettier at libertysurf dot fr
Operating system: Solaris 8
PHP version: 4.3.5
PHP Bug Type: DOM XML related
Bug description: crash (segfault) in php_domxml.c:617
Description:
------------
Random Segfault in apache-2.0.48 and php-4.3.5 using domxml functions.
This was working with 4.3.0 and was not working at all with 4.3.4.
Randomly works with 4.3.5.
Reproduce code:
---------------
I cannot give you the code to reproduce the crash (confidentiality), but I
can tell you that:
$ grep domxml *php
domxml_open_file
domxml_xmltree
domxml_open_mem
There was a bug with 4.3.4, so I'm falling back to 4.3.0 (I have not tested
the versions between 4.3.4 and 4.3.0) for production use.
libxml2 is 2.5.8 here.
Actual result:
--------------
#0 0xfe1cee28 in node_list_wrapper_dtor (node=0x429ba0, destroyref=1) at /tmp/php-4.3.5/ext/domxml/php_domxml.c:617
617 if (zend_list_find(Z_LVAL_PP(handle), &type)) {
(gdb) p type
$1 = -1
(gdb) p &type
$2 = (int *) 0xffbee988
(gdb) p handle
$3 = (zval **) 0x30ea00
(gdb) bt
#0 0xfe1cee28 in node_list_wrapper_dtor (node=0x429ba0, destroyref=1) at /tmp/php-4.3.5/ext/domxml/php_domxml.c:617
#1 0xfe1cedd4 in node_list_wrapper_dtor (node=0x4719e0, destroyref=1) at /tmp/php-4.3.5/ext/domxml/php_domxml.c:659
#2 0xfe1c3898 in php_free_xml_doc (rsrc=0x3315a0) at /tmp/php-4.3.5/ext/domxml/php_domxml.c:647
#3 0xfe2e0894 in list_entry_destructor (ptr=0x225600) at /tmp/php-4.3.5/Zend/zend_list.c:177
#4 0xfe2df1e8 in zend_hash_apply_deleter (ht=0xfe383b4c, p=0x32ce00) at /tmp/php-4.3.5/Zend/zend_hash.c:608
#5 0xfe2df38c in zend_hash_graceful_reverse_destroy (ht=0xfe383b4c) at /tmp/php-4.3.5/Zend/zend_hash.c:674
#6 0xfe2e0a0c in zend_destroy_rsrc_list (ht=0xfe383b4c) at /tmp/php-4.3.5/Zend/zend_list.c:233
#7 0xfe2cfe40 in shutdown_executor () at /tmp/php-4.3.5/Zend/zend_execute_API.c:213
#8 0xfe2da030 in zend_deactivate () at /tmp/php-4.3.5/Zend/zend.c:670
#9 0xfe2aa440 in php_request_shutdown (dummy=0x0) at /tmp/php-4.3.5/main/main.c:996
#10 0xfe2f5118 in php_apache_request_dtor (r=0x1abf38) at /tmp/php-4.3.5/sapi/apache2handler/sapi_apache2.c:461
#11 0xfe2f57b0 in php_handler (r=0x1abf38) at /tmp/php-4.3.5/sapi/apache2handler/sapi_apache2.c:577
#12 0x4add8 in ap_run_handler (r=0x1abf38) at config.c:194
#13 0x4b3d4 in ap_invoke_handler (r=0x1abf38) at config.c:401
#14 0x38abc in ap_process_request (r=0x1abf38) at http_request.c:288
#15 0x33e90 in ap_process_http_connection (c=0x1a1fe8) at http_core.c:293
#16 0x56374 in ap_run_process_connection (c=0x1a1fe8) at connection.c:85
#17 0x56660 in ap_process_connection (c=0x1a1fe8, csd=0x1a1f10) at connection.c:211
#18 0x496b0 in child_main (child_num_arg=0) at prefork.c:694
#19 0x49830 in make_child (s=0x9d620, slot=0) at prefork.c:788
#20 0x49a80 in perform_idle_server_maintenance (p=0x9acb8) at prefork.c:923
#21 0x49e84 in ap_mpm_run (_pconf=0x0, plog=0x74800, s=0x91000) at prefork.c:1118
#22 0x500b4 in main (argc=3, argv=0xffbef7b4) at main.c:660
(gdb) quit
--
Edit bug report at http://bugs.php.net/?id=27769&edit=1