Polymorphic cache slot issue in DOM #15670

Closed
@YuanchengJiang

Description

The following code:

<?php
$doc = new DOMDocument();
$doc->loadHTML('<p id=x>foo</p>');
$fusion = $doc;
$dom = DOM\XMLDocument::createFromString(<<<XML
<root/>
XML);
$child = $dom->documentElement->appendChild($dom->createElementNS('urn:a', 'child'));

function test($child, $html) {
    try {
        $child->innerHTML = $html;
    } catch (DOMException $e) {
    }
}

test($child, '--></root><!--');
test($fusion, '<');

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1935029==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fff8002 (pc 0x5603e0e78f5e bp 0x7ffef2a06ee0 sp 0x7ffef2a06ca0 T0)
==1935029==The signal is caused by a READ memory access.
    #0 0x5603e0e78f5e in dom_html_fragment_parsing_algorithm /php-src/ext/dom/inner_html_mixin.c:196:52
    #1 0x5603e0e772c9 in dom_element_inner_html_write /php-src/ext/dom/inner_html_mixin.c:347:14
    #2 0x5603e0ee6e1a in dom_write_property /php-src/ext/dom/php_dom.c:438:3
    #3 0x5603e2f49dd6 in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_OP_DATA_CV_HANDLER /php-src/Zend/zend_vm_execute.h:43605:10
    #4 0x5603e2d97b47 in execute_ex /php-src/Zend/zend_vm_execute.h:58221:7
    #5 0x5603e2d99022 in zend_execute /php-src/Zend/zend_vm_execute.h:63873:2
    #6 0x5603e3894fd8 in zend_execute_script /php-src/Zend/zend.c:1913:3
    #7 0x5603e2468126 in php_execute_script_ex /php-src/main/main.c:2576:13
    #8 0x5603e24689c8 in php_execute_script /php-src/main/main.c:2616:9
    #9 0x5603e38a2e23 in do_cli /php-src/sapi/cli/php_cli.c:935:5
    #10 0x5603e389e842 in main /php-src/sapi/cli/php_cli.c:1309:18
    #11 0x7f09cbf56d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7f09cbf56e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x5603e0603244 in _start (/php-src/sapi/cli/php+0x1c03244) (BuildId: ea1107b56bcacf26d93971c8756ecefcd9c57b47)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /php-src/ext/dom/inner_html_mixin.c:196:52

PHP Version

PHP 8.4.0-dev

Operating System

Ubuntu 22.04