From:             [EMAIL PROTECTED]
Operating system: Debian Linux 2.2
PHP version:      4.0CVS-2001-09-15
PHP Bug Type:     Reproducible crash
Bug description:  Still SIGSEGV with DOMXML / double free()

DOMXML still has a problem with SIGSEGV. Now, after shutdown,
php_free_xml_dom got a NULL pointer and xmlFreeDoc does a double free or what. I
hope that the problem is on my side, but joey, please look at this.

My script:
--- test.php ---
<?php
$doc = xmldocfile('./test.xml');
?>

--- text.xml ---
<?xml version="1.0" encoding="iso-8859-2"?><root>
  <nothing/>
</root>

And result is:

Program received signal SIGSEGV, Segmentation fault.
0x40208860 in free () from /lib/libc.so.6
(gdb) bt
#0  0x40208860 in free () from /lib/libc.so.6
#1  0x400b0ca9 in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#2  0x400b0c67 in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#3  0x400af18c in xmlFreeDoc () from /usr/lib/libxml2.so.2
#4  0x808522d in php_free_xml_doc (rsrc=0x8290e24) at 
#5  0x813385a in list_entry_destructor (ptr=0x8290e24) at zend_list.c:177
#6  0x8133a45 in zend_destroy_rsrc_list (ht=0x8202a64) at zend_list.c:248
#7  0x8122a10 in shutdown_executor () at zend_execute_API.c:190
#8  0x812c2d6 in zend_deactivate () at zend.c:595
#9  0x8078def in php_request_shutdown (dummy=0x0) at main.c:736
#10 0x8138294 in apache_php_module_main (r=0x8283de4, display_source_mode=0)
    at sapi_apache.c:96
#11 0x8076446 in send_php ()
#12 0x80764a2 in send_parsed_php ()
#13 0x815fdd9 in ap_invoke_handler ()
#14 0x817475f in process_request_internal ()
#15 0x8174bb6 in ap_internal_redirect ()
#16 0x815236d in mod_gzip_redir1_handler ()
#17 0x8150c02 in mod_gzip_handler ()
#18 0x815fdd9 in ap_invoke_handler ()
#19 0x817475f in process_request_internal ()
#20 0x81747c6 in ap_process_request ()
#21 0x816b6d6 in child_main ()
#22 0x816b891 in make_child ()
#23 0x816ba0c in startup_children ()
#24 0x816c07c in standalone_main ()
#25 0x816c8ac in main ()
#26 0x401b364f in __libc_start_main () from /lib/libc.so.6


I tried to debug and:
=php_domxml.c(v1.74):2269 in xmldocfile()
..
docp = xmlParseFile(Z_STRVAL_P(arg));
...
=print *docp
{_private = 0x0, type = XML_DOCUMENT_NODE, name = 0x0,
  children = 0x82b0658, last = 0x82b0658, parent = 0x0, next = 0x0,
  prev = 0x0, doc = 0x82b05c0, compression = -1, standalone = -1,
  intSubset = 0x0, extSubset = 0x0, oldNs = 0x0, version = 0x82b0618 "1.0",
  encoding = 0x82b06e8 "iso-8859-2", ids = 0x0, refs = 0x0,
  URL = 0x82b0628 "./test.xml", charset = 1}.
=

Looks like the file was parsed without problem, *return_value looks good. But
zend_list_addref(ret) returns ret, not return_value. Is it right?

-- 
Edit bug report at: http://bugs.php.net/?id=13322&edit=1

