ID:               41086
User updated by:  harvey dot robin at gmail dot com
Reported By:      harvey dot robin at gmail dot com
-Status:          Feedback
+Status:          Open
Bug Type:         XSLT related
Operating System: Ubuntu feisty
PHP Version:      5CVS-2007-04-14 (snap)
New Comment:

The method given by Christian also works fine to reproduce the crash.


Previous Comments:
------------------------------------------------------------------------

[2007-04-15 08:19:01] judas dot iscariote at gmail dot com

shortest possible way to reproduce I can find

http://hell.kissofjudas.net/bug41086.tar.bz2

execute the test.php file.

PHP Warning: XSLTProcessor::transformToXml(): Invalid type in /home/cristian/talta/test/test.php on line 6

Warning: XSLTProcessor::transformToXml(): Invalid type in /home/cristian/talta/test/test.php on line 6

PHP Warning: XSLTProcessor::transformToXml(): xmlXPathCompiledEval: 3 object left on the stack in /home/cristian/talta/test/test.php on line 6

Warning: XSLTProcessor::transformToXml(): xmlXPathCompiledEval: 3 object left on the stack in /home/cristian/talta/test/test.php on line 6

Program received signal SIGSEGV, Segmentation fault.

[snip: stripped libxml messages]

#85 0x00002ad626e0b8ce in php_xsl_apply_stylesheet (id=0xc77238, intern=0xc79a80, style=0xd66c20, docp=0xc7adf8) at /home/cristian/php5/ext/xsl/xsltprocessor.c:472
        newdocp = (xmlDocPtr) 0x7fff86737a30
        doc = (xmlDocPtr) 0xeb12b0
        node = (xmlNodePtr) 0xeb12b0
        ctxt = (xsltTransformContextPtr) 0xeb8160
        object = (php_libxml_node_object *) 0xc7a5a0
        params = (char **) 0xc7a920
        clone = 0
        doXInclude = (zval *) 0xad32a8
        member = (zval *) 0xc7ace0
        std_hnd = (zend_object_handlers *) 0xacbc00
#86 0x00002ad626e0bc66 in zif_xsl_xsltprocessor_transform_to_xml (ht=1, return_value=0xc79f78, return_value_ptr=0x0, this_ptr=0xc77238, return_value_used=1) at /home/cristian/php5/ext/xsl/xsltprocessor.c:583
        id = (zval *) 0xc77238
        docp = (zval *) 0xc7adf8
        newdocp = (xmlDoc *) 0xc79f78
        sheetp = (xsltStylesheetPtr) 0xd66c20
        ret = 24
        doc_txt_ptr = (xmlChar *) 0x7fff86737a30 "8zs\206�\177"
        doc_txt_len = 0
        intern = (xsl_object *) 0xc79a80
---Type <return> to continue, or q <return> to quit---
#87 0x000000000072c378 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff86737a90) at /home/cristian/php5/Zend/zend_vm_execute.h:200
        return_reference = 0 '\0'
        opline = (zend_op *) 0xc78eb0
        original_return_value = (zval **) 0x7fff867376d0
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 1
        should_change_scope = 1 '\001'
        ctor_opline = (zend_op *) 0x7fff86737a90
#88 0x000000000072d245 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff86737a90) at /home/cristian/php5/Zend/zend_vm_execute.h:322
No locals.
#89 0x000000000072bdc0 in execute (op_array=0xc77f70) at /home/cristian/php5/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0xc78eb0, function_state = {function_symbol_table = 0x0, function = 0xc43b30, reserved = {0x63006cfe49, 0x82cb80, 0xc780b0, 0x7fff86737b00}}, fbc = 0xc43b30, op_array = 0xc77f70, object = 0xc77238, Ts = 0x7fff86737760, CVs = 0x7fff86737730, original_in_execution = 0 '\0', symbol_table = 0xad3428, prev_execute_data = 0x0, old_error_reporting = 0x0}
#90 0x00000000007022f4 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cristian/php5/Zend/zend.c:1134
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff86737ca0, reg_save_area = 0x7fff86737be0}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fff8673a090
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
        local_retval = (zval *) 0x0
#91 0x000000000069fd01 in php_execute_script (primary_file=0x7fff8673a090) at /home/cristian/php5/main/main.c:1790
        realfile = "/home/cristian/talta/test/test.php\000_query_type\000\000�\006\000\000�\177\000\000�\231p\000\000\000\000\000rpl_probe\000\202\000\000\000\000\000�\006\000\000\000\000\000\000 \217s\206\017\000\000\000rpl_parse_enabled\000\000\000\000\000\000\000��\202\000\000\000\000\000�\006\000\000�\177\000\000�\231p\000\000\000\000\000rollback\000�\202\000\000\000\000\000�\006\000\000�\177\000\000�\231p\000\000\000\000\000real_query\000\000\000\000\000\000�\006\000\000�\177\000\000"...
        __orig_bailout = (jmp_buf *) 0x7fff86739f40
        __bailout = {{__jmpbuf = {47099221150688, -68967799470258375, 0, 140735449113296, 0, 0, -68967799470267079,
---Type <return> to continue, or q <return> to quit---
    -69095675644025930}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 47099218988917, 1, 0, 140733193389737, 7379374, 47099240203304, 47099221150688, 140735449107936, 47099219010530, 47099243580752, 8461312, 11406816, 7396952, 47099243579232}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fff86737cc0 ""
        retval = 0
#92 0x00000000007895c0 in main (argc=2, argv=0x7fff8673a2d8) at /home/cristian/php5/sapi/cli/php_cli.c:1127
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {47099221150688, -68967799470245783, 0, 140735449113296, 0, 0, -68967799470258391, -69095675645029879}, __mask_was_saved = 0, __saved_mask = {__val = {47099218973247, 0, 47099245814024, 1, 0, 1, 0, 0, 0, 47099245817088, 47099221153344, 140735449112680, 4294967296, 47099243602800, 140735449112784, 47099243601920}}}}
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002', filename = 0x7fff8673bfdf "test.php", opened_path = 0x0, handle = {fd = 13219680, fp = 0xc9b760, stream = {handle = 0xc9b760, reader = 0x71c3a4 <zend_stream_stdio_reader>, closer = 0x71c3d0 <zend_stream_stdio_closer>, fteller = 0x71c3fa <zend_stream_stdio_fteller>, interactive = 0}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fff8673bfdf "test.php"
        arg_excp = (char **) 0x7fff8673a2e0
        script_file = 0x7fff8673bfdf "test.php"
        interactive = 0
        module_started = 1
        request_started = 1
---Type <return> to continue, or q <return> to quit---
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = 110

------------------------------------------------------------------------

[2007-04-14 19:28:27] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

------------------------------------------------------------------------

[2007-04-14 19:21:41] harvey dot robin at gmail dot com

Description:
------------
Running a complex stylesheet (possibly with errors, certainly produces warnings) results in a segmentation fault or a "corrupted double-linked list"

The stylesheet uses exslt, and the dom it's parsing over is created with the flags LIBXML_NOENT|LIBXML_DTDLOAD|LIBXML_DTDATTR. The code also uses a custom stream handler in conjunction with the xpath document function.

When you run the tests below, there are a couple of warnings produced before the crash, one is "XSLTProcessor::transformToXml(): Invalid type" and the other is "XSLTProcessor::transformToXml(): xmlXPathCompiledEval: 4 objects left on the stack." I've met these warnings before, but they have never resulted in a crash.

Reproduce code:
---------------
The code needed to reproduce the error is available on the subversion server of my project.
To produce the crash, do:

*> svn checkout http://taltastic.googlecode.com/svn/trunk/ -r 42 taltastic
*> cd taltastic/test
*> php test.php

This produces the double linked list fault on my system. To produce the segmentation fault error, you have to edit the test.php file and change the $templ variable to load from "test.xml" instead of "test.html".

Here is my configure line:

[EMAIL PROTECTED]:~/libs/php5.2-CVS2$ cat config.nice
#! /bin/sh
#
# Created by configure

'./configure' \
'--disable-cgi' \
'--enable-cli' \
'--with-zlib' \
'--with-bz2' \
'--with-gd' \
'--enable-gd-native-ttf' \
'--enable-mbstring' \
'--with-mcrypt' \
'--with-pdo-pgsql' \
'--disable-session' \
'--enable-sockets' \
'--with-xsl' \
'--enable-soap' \
'--enable-debug' \
"$@"

Expected result:
----------------
Expect to see an html document echoed to the screen.

Actual result:
--------------
...This one with the code as-is, using "test.html"...

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47983451902976 (LWP 29653)]
0x00002ba402eb738b in xmlXPathNodeSetAddUnique () from /usr/lib/libxml2.so.2
(gdb) bt
#0 0x00002ba402eb738b in xmlXPathNodeSetAddUnique () from /usr/lib/libxml2.so.2
#1 0x00002ba402eb78f5 in ?? () from /usr/lib/libxml2.so.2
#2 0x00002ba402ec2b27 in ?? () from /usr/lib/libxml2.so.2
#3 0x00002ba402ec2f74 in ?? () from /usr/lib/libxml2.so.2
#4 0x00002ba402ec2948 in ?? () from /usr/lib/libxml2.so.2
#5 0x00002ba402ec413e in ?? () from /usr/lib/libxml2.so.2
#6 0x00002ba402ec8447 in ?? () from /usr/lib/libxml2.so.2
#7 0x00002ba402ec8619 in xmlXPathCompiledEval () from /usr/lib/libxml2.so.2
#8 0x00002ba402c1acc2 in xsltEvalXPathPredicate () from /usr/lib/libxslt.so.1
#9 0x00002ba402c16714 in ?? () from /usr/lib/libxslt.so.1
#10 0x00002ba402c17670 in xsltGetTemplate () from /usr/lib/libxslt.so.1
#11 0x00002ba402c2be52 in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#12 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#13 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#14 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#15 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#16 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#17 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#18 0x00002ba402c2bbca in xsltCallTemplate () from /usr/lib/libxslt.so.1
#19 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#20 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#21 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#22 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#23 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#24 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#25 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#26 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#27 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#28 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#29 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#30 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#31 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#32 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#33 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#34 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#35 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
---Type <return> to continue, or q <return> to quit---
#36 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#37 0x00002ba402c2bbca in xsltCallTemplate () from /usr/lib/libxslt.so.1
#38 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#39 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#40 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#41 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#42 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#43 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#44 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#45 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#46 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#47 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#48 0x00002ba402c2bbca in xsltCallTemplate () from /usr/lib/libxslt.so.1
#49 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#50 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#51 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#52 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#53 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#54 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#55 0x00002ba402c2e3bb in xsltCopy () from /usr/lib/libxslt.so.1
#56 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#57 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#58 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#59 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#60 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#61 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#62 0x00002ba402c2e3bb in xsltCopy () from /usr/lib/libxslt.so.1
#63 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#64 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#65 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#66 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#67 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#68 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#69 0x00002ba402c2e3bb in xsltCopy () from /usr/lib/libxslt.so.1
#70 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#71 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
---Type <return> to continue, or q <return> to quit---
#72 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#73 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#74 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#75 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#76 0x00002ba402c2e3bb in xsltCopy () from /usr/lib/libxslt.so.1
#77 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#78 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#79 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#80 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#81 0x00002ba402c2caea in xsltApplyTemplates () from /usr/lib/libxslt.so.1
#82 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#83 0x00002ba402c2e3bb in xsltCopy () from /usr/lib/libxslt.so.1
#84 0x00002ba402c2a176 in ?? () from /usr/lib/libxslt.so.1
#85 0x00002ba402c2b6be in ?? () from /usr/lib/libxslt.so.1
#86 0x00002ba402c2beaa in xsltProcessOneNode () from /usr/lib/libxslt.so.1
#87 0x00002ba402c2fddf in ?? () from /usr/lib/libxslt.so.1
#88 0x00000000007929b5 in ?? ()
#89 0x0000000000792d3d in zif_xsl_xsltprocessor_transform_to_xml ()
#90 0x000000000081e2fa in ?? ()
#91 0x000000000081f062 in ?? ()
#92 0x000000000081dd96 in execute ()
#93 0x00000000007f5ef8 in zend_execute_scripts ()
#94 0x0000000000799679 in php_execute_script ()
#95 0x000000000087884a in main ()
(gdb)

...And this one using "text.xml"...

Program received signal SIGABRT, Aborted.
[Switching to Thread 47939104691200 (LWP 29670)]
0x00002b99afce1cab in raise () from /lib/libc.so.6
(gdb) bt
#0 0x00002b99afce1cab in raise () from /lib/libc.so.6
#1 0x00002b99afce3660 in abort () from /lib/libc.so.6
#2 0x00002b99afd1966b in ?? () from /lib/libc.so.6
#3 0x00002b99afd1ee47 in ?? () from /lib/libc.so.6
#4 0x00002b99afd21122 in ?? () from /lib/libc.so.6
#5 0x00002b99afd2298d in malloc () from /lib/libc.so.6
#6 0x00002b99af9c19ce in xmlBufferCreate () from /usr/lib/libxml2.so.2
#7 0x00002b99af9ca8e6 in xmlAllocOutputBuffer () from /usr/lib/libxml2.so.2
#8 0x00002b99af748626 in xsltSaveResultToString () from /usr/lib/libxslt.so.1
#9 0x0000000000792d68 in zif_xsl_xsltprocessor_transform_to_xml ()
#10 0x000000000081e2fa in ?? ()
#11 0x000000000081f062 in ?? ()
#12 0x000000000081dd96 in execute ()
#13 0x00000000007f5ef8 in zend_execute_scripts ()
#14 0x0000000000799679 in php_execute_script ()
#15 0x000000000087884a in main ()
(gdb)

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=41086&edit=1