__construct crashes when called explicitly

rrichards Thu, 14 Sep 2006 06:38:43 -0700

 ID:               38813
 Updated by:       [EMAIL PROTECTED]
 Reported By:      ladislav dot prosek at matfyz dot cz
-Status:           Assigned
+Status:           Closed
 Bug Type:         DOM XML related
 Operating System: Windows XP SP2 Pro
 PHP Version:      5.1.6
 Assigned To:      rrichards
 New Comment:


This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.




Previous Comments:
------------------------------------------------------------------------

[2006-09-13 22:11:24] judas dot iscariote at gmail dot com

gdb) bt full
#0  0x00000000004430e5 in php_libxml_decrement_node_ptr
(object=0xa75310) at /home/cristian/php-src/ext/libxml/libxml.c:922
        ret_refcount = -1
        obj_node = (php_libxml_node_ptr *) 0x81
#1  0x0000000000441103 in php_libxml_clear_object (object=0xa75310) at
/home/cristian/php-src/ext/libxml/libxml.c:161
No locals.
#2  0x0000000000441148 in php_libxml_unregister_node
(nodep=0x2af82f48abe0)
    at /home/cristian/php-src/ext/libxml/libxml.c:174
        wrapper = (php_libxml_node_object *) 0xa75310
        nodeptr = (php_libxml_node_ptr *) 0xa75290
#3  0x00000000004433f3 in php_libxml_node_free_resource
(node=0x2af82f48abe0)
    at /home/cristian/php-src/ext/libxml/libxml.c:1006
No locals.
#4  0x00000000004a73fe in zim_domentityreference___construct (ht=1,
return_value=0x2af82f48ab80, return_value_ptr=0x0,
    this_ptr=0x2af82f4892c0, return_value_used=0) at
/home/cristian/php-src/ext/dom/entityreference.c:78
        id = (zval *) 0x2af82f4892c0
        node = (xmlNode *) 0xa75330
        oldnode = (xmlNodePtr) 0x2af82f48abe0
        intern = (dom_object *) 0x2af82f48c110
        name = 0x2af82f48ab30 "b"
        name_len = 1
        name_valid = 0
#5  0x00000000006b479a in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fff7b683890)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:200
        return_reference = 0 '\0'
        opline = (zend_op *) 0x2af82f48a5c0
        original_return_value = (zval **) 0x66ab0d
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 0
        should_change_scope = 1 '\001'
        ctor_opline = (zend_op *) 0x6fa2f53dc00
#6  0x00000000006b5616 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0x7fff7b683890)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:322
No locals.
#7  0x00000000006b41e7 in execute (op_array=0x2af82f489f38) at
/home/cristian/php-src/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2af82f48a5c0, function_state =
{function_symbol_table = 0x0, function = 0x9d0e10,
    reserved = {0x2af82f48a068, 0x7fff7b6838f0, 0x67f53c, 0x0}}, fbc =
0x9d0e10, op_array = 0x2af82f489f38,
  object = 0x2af82f4892c0, Ts = 0x7fff7b683770, CVs = 0x7fff7b683750,
original_in_execution = 0 '\0',
  symbol_table = 0x944368, prev_execute_data = 0x0, old_error_reporting
= 0x0}
#8  0x000000000068c639 in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /home/cristian/php-src/Zend/zend.c:1096
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fff7b683b20, reg_save_area = 0x7fff7b683a60}}
files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fff7b683b20, reg_save_area = 0x7fff7b683a60}}
---Type <return> to continue, or q <return> to quit---
        i = 1
        file_handle = (zend_file_handle *) 0x7fff7b685f20
        orig_op_array = (zend_op_array *) 0x0
        local_retval = (zval *) 0x0


#9  0x000000000062e1fe in php_execute_script
(primary_file=0x7fff7b685f20) at
/home/cristian/php-src/main/main.c:1759
        realfile =
"/home/cristian/php-src/dom.php\000\000\006\000\000\177\000\000Y;i\000\000\000\000\000&#563;&#65533;*\000\000\004&#65533;*\000\000\006\000\000\177\000\000&#65533;232\220",
'\0' <repeats 13 times>, "0ah{\177", '\0' <repeats 26 times>,
"&#65533;B/*\000\000\001\000\000\000\177\000\000\000\000\000\000\000\000\000\000str_pad\000\000z\000\000\000\000\000&#563;&#65533;*\000\000\000&#65533;/*\000\000\200Lh{\177\000\000B5C/*\000\000p\a0*\000\000\000&#65533;\000\000\000\000\000&#65533;027\225\000\000\000\000\000,\200i"...
        orig_bailout = (jmp_buf *) 0x7fff7b685da0
        bailout = {{__jmpbuf = {47245434280960, -69214136192287935, 0,
140735263826224, 0, 0, -69214136192279183,
      -69130816930170570}, __mask_was_saved = 0, __saved_mask = {__val
= {6788758, 140735263824896, 6728568,
        47244640256323, 2070436912, 0, 2263447764992, 8057064,
47245433541408, 140735263825168, 7408586, 8057064, 492, 0,
        0, 3}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path =
0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive =
0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path =
0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive =
0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fff7b683b40 ""
        retval = 0
#10 0x0000000000711a7d in main (argc=2, argv=0x7fff7b686138) at
/home/cristian/php-src/sapi/cli/php_cli.c:1102
        orig_bailout = (jmp_buf *) 0x0
        bailout = {{__jmpbuf = {47245434280960, -69214136192301567, 0,
140735263826224, 0, 0, -69214136192287887,
      -69130816930977452}, __mask_was_saved = 0, __saved_mask = {__val
= {0, 0, 0, 140735263825552, 0, 0, 0, 0, 1706748291,
        47245434283584, 47245434285408, 281474976710656, 0, 0, 0,
0}}}}
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002', filename = 0x7fff7b686eff
"dom.php",
  opened_path = 0x2af82f489ed0 'Z' <repeats 31 times>,
"\204&#65533;217*", handle = {fd = 10965648, fp = 0xa75290, stream = {
      handle = 0xa75290, reader = 0x6a6208 <zend_stream_stdio_reader>,
closer = 0x6a6234 <zend_stream_stdio_closer>,
      fteller = 0x6a625e <zend_stream_stdio_fteller>, interactive =
0}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fff7b686eff "dom.php"
        arg_excp = (char **) 0x7fff7b686140
        script_file = 0x7fff7b686eff "dom.php"
        interactive = 0
  module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0

------------------------------------------------------------------------

[2006-09-13 16:38:05] ladislav dot prosek at matfyz dot cz

Correcting the summary (crashed -> crashes).

------------------------------------------------------------------------

[2006-09-13 16:35:17] ladislav dot prosek at matfyz dot cz

Description:
------------
DOM XML classes contain __construct methods that behave in a quite
unexpected way. You can call the constructor explicitly ending up with
a broken object (e.g. "Couldn't fetch DOMAttr. Node no longer exists"
whenever you access a method/property of the object).

Nevertheless, the constructor of DOMEntityReference, which is the
subject of this report, is broken completely.

Reproduce code:
---------------
<?
  $ent = new DOMEntityReference("a");
  $ent->__construct("b");
?>

Expected result:
----------------
You decide :)

Actual result:
--------------
* CRASH *


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=38813&edit=1

#38813 [Asn->Csd]: DOMEntityReference->__construct crashes when called explicitly

Reply via email to