Memory leak in DOMProcessingInstruction/DOMDocument #16152

Open
chibinz opened this issue Oct 1, 2024 · 2 comments

chibinz commented Oct 1, 2024

Description

The following code:

<?php

$doc = new DOMDocument();
$instr = new DOMProcessingInstruction("tr", "r");
$frag = new DOMDocumentFragment();
$frag2 = new DOMDocumentFragment();
$frag2->append($instr);
$frag->append($frag2);
$doc->insertBefore($frag);

Resulted in this output:

=================================================================
==111665==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x559c452875ee in malloc /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x559c462211ee in __zend_malloc /tmp/php-afl/Zend/zend_alloc.c:3280:14
    #2 0x559c4541c331 in php_libxml_increment_doc_ref /tmp/php-afl/ext/libxml/libxml.c:1360:22
    #3 0x559c45586e9a in zim_DOMDocument___construct /tmp/php-afl/ext/dom/document.c:1282:6
    #4 0x559c4651ccb2 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /tmp/php-afl/Zend/zend_vm_execute.h
    #5 0x559c4641e3a0 in execute_ex /tmp/php-afl/Zend/zend_vm_execute.h:58486:7
    #6 0x559c4641f1b7 in zend_execute /tmp/php-afl/Zend/zend_vm_execute.h:64138:2
    #7 0x559c46904384 in zend_execute_script /tmp/php-afl/Zend/zend.c:1928:3
    #8 0x559c45fd3b0e in php_execute_script_ex /tmp/php-afl/main/main.c:2574:13
    #9 0x559c4690df4c in do_cli /tmp/php-afl/sapi/cli/php_cli.c:935:5
    #10 0x559c46909c91 in main /tmp/php-afl/sapi/cli/php_cli.c:1310:18
    #11 0x7fb273e29d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)

Indirect leak of 176 byte(s) in 1 object(s) allocated from:
    #0 0x559c452875ee in malloc /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7fb2741f52de in xmlNewDoc (/lib/x86_64-linux-gnu/libxml2.so.2+0x622de) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)

Indirect leak of 120 byte(s) in 1 object(s) allocated from:
    #0 0x559c452875ee in malloc /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7fb2741f54f5 in xmlNewPI (/lib/x86_64-linux-gnu/libxml2.so.2+0x624f5) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x559c452875ee in malloc /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x559c462211ee in __zend_malloc /tmp/php-afl/Zend/zend_alloc.c:3280:14
    #2 0x559c4541bae2 in php_libxml_increment_node_ptr /tmp/php-afl/ext/libxml/libxml.c:1313:19
    #3 0x559c456618e9 in zim_DOMProcessingInstruction___construct /tmp/php-afl/ext/dom/processinginstruction.c:65:2
    #4 0x559c4651ccb2 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /tmp/php-afl/Zend/zend_vm_execute.h
    #5 0x559c4641e3a0 in execute_ex /tmp/php-afl/Zend/zend_vm_execute.h:58486:7
    #6 0x559c4641f1b7 in zend_execute /tmp/php-afl/Zend/zend_vm_execute.h:64138:2
    #7 0x559c46904384 in zend_execute_script /tmp/php-afl/Zend/zend.c:1928:3
    #8 0x559c45fd3b0e in php_execute_script_ex /tmp/php-afl/main/main.c:2574:13
    #9 0x559c4690df4c in do_cli /tmp/php-afl/sapi/cli/php_cli.c:935:5
    #10 0x559c46909c91 in main /tmp/php-afl/sapi/cli/php_cli.c:1310:18
    #11 0x7fb273e29d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)

Indirect leak of 5 byte(s) in 2 object(s) allocated from:
    #0 0x559c452875ee in malloc /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7fb2742767f2 in xmlStrdup (/lib/x86_64-linux-gnu/libxml2.so.2+0xe37f2) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)

Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x559c452875ee in malloc /opt/llvm-15-build/llvm-15.x/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7fb2742766e3 in xmlStrndup (/lib/x86_64-linux-gnu/libxml2.so.2+0xe36e3) (BuildId: aebf8e42966c3ce475ff9d9d51a762831adcbb61)

SUMMARY: AddressSanitizer: 377 byte(s) leaked in 7 allocation(s).

But I expected this output instead:

no leak

PHP Version

PHP 8.4.0-dev

Operating System

No response

Member

cmb69 commented Oct 1, 2024

This is somewhat related to #16150; in dom_node_insert_before_legacy() we're increasing the document's refcount:

php_libxml_increment_doc_ref((php_libxml_node_object *)childobj, NULL);

In this case this is too much, since the refcount is later increased in dom_insert_fragment(). In the other case it is not enough.
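
The refcount imbalance described in the comment above, as an added example that is not part of the thread and is not php-src code: a simplified C model in which `struct doc_ref`, `struct wrapper` and `simulate_insert()` are hypothetical names, and each wrapper is assumed to release the document exactly once when it is destroyed. It goes slightly beyond the comment by also modelling the opposite imbalance (too few increments).

```c
#include <stdio.h>

/* Simplified stand-in for a shared, reference-counted document handle. */
struct doc_ref {
    int refcount;      /* releases still expected before the free */
    int freed;         /* set when the count reaches zero */
    int late_release;  /* releases that arrived after the free */
};

/* Simplified stand-in for a script-side object that points at the document. */
struct wrapper { struct doc_ref *document; };

enum outcome { BALANCED, LEAKED, DANGLING };

/* Assumption: a wrapper gives back exactly one reference when destroyed. */
static void wrapper_destroy(struct wrapper *w)
{
    struct doc_ref *d = w->document;
    if (d == NULL) return;
    w->document = NULL;
    if (d->freed) { d->late_release++; return; }  /* would touch freed memory */
    if (--d->refcount == 0) d->freed = 1;
}

/* Attach a child wrapper, bump the count `increments` times on the way
 * (one bump per code path that counts the same child), then tear down. */
enum outcome simulate_insert(int increments)
{
    struct doc_ref doc = {1, 0, 0};   /* constructor took the first reference */
    struct wrapper owner = {&doc};
    struct wrapper child = {&doc};

    doc.refcount += increments;

    wrapper_destroy(&owner);
    wrapper_destroy(&child);

    if (doc.late_release) return DANGLING;
    return doc.freed ? BALANCED : LEAKED;
}

int main(void)
{
    static const char *names[] = {"balanced", "leaked", "dangling"};
    for (int n = 0; n <= 2; n++)
        printf("%d increment(s): %s\n", n, names[simulate_insert(n)]);
    return 0;
}
```

With two increments for one child the count never returns to zero, which in this model corresponds to the document allocation that LeakSanitizer reports as never freed.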

Member

nielsdos commented Oct 1, 2024

Annoying, and convoluted code. This issue and the other one should be fixed together probably, but not in the mood to do that today anymore.
